Wallets

Custom Authentication

You can attach wallets to your existing users using the jwt and auth_endpoint strategies.

  • The jwt strategy is based on the OIDC (OpenID Connect) standard.
  • The auth_endpoint strategy is a generic option that lets you bring your own auth server.

Strategy jwt - OIDC compatible auth

The OIDC auth setup is a good option if you use an external auth provider such as Auth0, Firebase, or Cognito that publishes the JWK for checking the authenticity of the token.

An OIDC auth system has a public-private keypair, where the private key is used to sign auth tokens.

  • The public key is uploaded to a public URL in JWKS format. The standard location is https://{domain}.com/.well-known/jwks.json
  • When a user logs in, a JWT token called the idToken is generated and signed by the private key. The OIDC spec provides an interface for fields that are used in this token.
  • This JWT is then passed to the in-app wallet to generate a wallet for the user.
  • We verify the JWT against the public key to confirm that it was signed correctly. Upon successful verification, we generate a wallet based on the sub (user identifier) value of the idToken.

To set up OIDC-compatible auth, enable the first option in the configuration tab of the in-app wallet dashboard.

You will be asked to enter the following values:

  • The URL of the JWKS file (public key): This is used to verify the token was signed by you.
  • The aud value of the idToken: This is used to verify that thirdweb is the intended audience of the token.
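
The verification steps above (signature check against the JWKS key, aud check, wallet keyed on sub), sketched as an added Node.js example; it is not thirdweb's code. RS256, the kid demo-key-1, the aud my-wallet-app and the function names are assumptions, and the key pair and tokens are constructed inline.

```javascript
const nodeCrypto = require("node:crypto");
const b64url = (v) => Buffer.from(v).toString("base64url");
// Constructed issuer key pair; a real provider keeps the private key and publishes the JWKS.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const JWKS = { keys: [{ ...publicKey.export({ format: "jwk" }), kid: "demo-key-1", alg: "RS256", use: "sig" }] };

// Issuer side: sign an idToken with the private key (RSASSA-PKCS1-v1_5 + SHA-256 = RS256).
function signIdToken(claims, key = privateKey, header = { alg: "RS256", typ: "JWT", kid: "demo-key-1" }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${nodeCrypto.sign("sha256", Buffer.from(input), key).toString("base64url")}`;
}

// Verifier side: returns the sub claim (the wallet's user identifier) or throws.
function verifyIdToken(token, jwks, expectedAud, now = Math.floor(Date.now() / 1000)) {
  const [h, p, s, extra] = token.split(".");
  if (!h || !p || !s || extra !== undefined) throw new Error("malformed token");
  const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
  if (header.alg !== "RS256") throw new Error("unexpected alg"); // pin alg; never accept "none" or HMAC
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === "RSA");
  if (!jwk) throw new Error("unknown kid");
  const key = nodeCrypto.createPublicKey({ key: jwk, format: "jwk" });
  const ok = nodeCrypto.verify("sha256", Buffer.from(`${h}.${p}`), key, Buffer.from(s, "base64url"));
  if (!ok) throw new Error("bad signature");
  // Claims are parsed and trusted only after the signature check has passed.
  const claims = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expectedAud)) throw new Error("wrong aud");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired");
  if (typeof claims.sub !== "string" || claims.sub === "") throw new Error("missing sub");
  return claims.sub;
}

// Constructed demo: one valid token and four that the verifier must reject.
function demo() {
  const now = Math.floor(Date.now() / 1000);
  const good = { sub: "user-123", aud: "my-wallet-app", exp: now + 300 };
  const strangerKey = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 }).privateKey;
  const tokens = {
    valid: signIdToken(good),
    wrongAud: signIdToken({ ...good, aud: "other-app" }),
    expired: signIdToken({ ...good, exp: now - 1 }),
    foreignKey: signIdToken(good, strangerKey), // right kid, but key is not in the JWKS
    algNone: signIdToken(good, privateKey, { alg: "none", kid: "demo-key-1" }),
  };
  const outcome = (t) => { try { return verifyIdToken(t, JWKS, "my-wallet-app"); } catch (e) { return `rejected: ${e.message}`; } };
  return Object.fromEntries(Object.entries(tokens).map(([name, t]) => [name, outcome(t)]));
}
console.log(demo());
```

The aud check is what stops a token issued by the same provider for a different application from being replayed to create or open a wallet here.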

Usage example

Request

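fetch("https://api.thirdweb.com/v1/auth/complete", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "x-client-id": "<your-project-client-id>",
  },
  // fetch does not serialize plain objects, so the body is sent as a JSON string
  body: JSON.stringify({
    type: "jwt",
    payload: "<your-jwt>", // the idToken issued by your OIDC provider
  }),
});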

Response

{
  "isNewUser": true,
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "type": "email",
  "walletAddress": "0x742d35Cc6634C0532925a3b8D43C67B8c8B3E9C6"
}