Authentication API
The authentication system uses wallet signatures to verify identity and issues JWT tokens for subsequent requests.
```
Client                          Server
  │                               │
  │  GET /auth/challenge          │
  │  ?wallet=0x...                │
  ├──────────────────────────────>│
  │  { message, timestamp }       │
  │<──────────────────────────────┤
  │                               │
  │  Sign message with wallet     │
  │                               │
  │  POST /auth/verify            │
  │  { walletAddress, signature,  │
  │    timestamp }                │
  ├──────────────────────────────>│
  │  { token, expiresIn: "24h" }  │
  │<──────────────────────────────┤
  │                               │
  │  Authorization: Bearer <token>│
  ├──────────────────────────────>│
```

Endpoints

Get Challenge

```
GET /auth/challenge?wallet=0x...
```

Response:

```json
{
  "message": "Sign this message to authenticate...",
  "timestamp": 1770886481000,
  "wallet": "0x..."
}
```

Verify Signature

```
POST /auth/verify
{
  "walletAddress": "0x...",
  "signature": "0x...",
  "timestamp": 1770886481000
}
```

Response:

```json
{
  "success": true,
  "token": "eyJhbGci...",
  "walletAddress": "0x...",
  "expiresIn": "24h"
}
```

Check Token

```
GET /auth/verify-token
Authorization: Bearer <token>
```

Refresh Token

```
POST /auth/refresh
Authorization: Bearer <old_token>
```

Public Endpoints (No Auth)

```
GET /health
GET /state
GET /zones/:zoneId
GET /auth/challenge
POST /auth/verify
```

Agent Example

```ts
import { authenticateWithWallet, createAuthenticatedAPI } from "./authHelper.js";

const token = await authenticateWithWallet(process.env.AGENT_PRIVATE_KEY!);
const api = createAuthenticatedAPI(token);

// All requests now include Authorization header
await api("POST", "/spawn", {
  zoneId: "human-meadow",
  walletAddress: "0x...",
});
```

Security

- Timestamps must be within 5 minutes (prevents replay attacks)
- Tokens expire after 24 hours
- Entity ownership is verified (agents can only control their own entities)
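
A server-side sketch of the checks above as they would apply to `POST /auth/verify`, added here as an example and not the project's own code. The challenge wording, the injected `recoverSigner` function and the `ownerWallet` field are assumptions, and `stubRecover` is a constructed stand-in for real signature recovery so the block runs offline in plain JavaScript.

```javascript
const MAX_SKEW_MS = 5 * 60 * 1000; // the 5-minute window from the Security list

// Hypothetical challenge text: the page elides the real message wording.
function buildChallenge(wallet, timestamp) {
  return `Sign this message to authenticate (example)\nwallet=${wallet.toLowerCase()}\ntimestamp=${timestamp}`;
}

// Integer milliseconds only, and no further than 5 minutes in the past or future.
function isFresh(timestamp, now) {
  return Number.isSafeInteger(timestamp) && Math.abs(now - timestamp) <= MAX_SKEW_MS;
}

// recoverSigner(message, signature) is injected (assumption): on a real server it
// would be the wallet library's signature-recovery call.
function verifyLogin(body, recoverSigner, now = Date.now()) {
  const { walletAddress, signature, timestamp } = body ?? {};
  if (typeof walletAddress !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(walletAddress)) {
    return { ok: false, reason: "bad_wallet" };
  }
  if (!isFresh(timestamp, now)) return { ok: false, reason: "stale_timestamp" };
  // Rebuild the message server-side so the signature is bound to this wallet and
  // this timestamp; a signature made for an older timestamp then fails to verify.
  const message = buildChallenge(walletAddress, timestamp);
  let signer;
  try {
    signer = recoverSigner(message, String(signature));
  } catch {
    return { ok: false, reason: "bad_signature" };
  }
  if (typeof signer !== "string" || signer.toLowerCase() !== walletAddress.toLowerCase()) {
    return { ok: false, reason: "signer_mismatch" };
  }
  return { ok: true, wallet: walletAddress.toLowerCase() };
}

// Ownership rule: the wallet from the verified token must own the entity.
function canControl(tokenWallet, entity) {
  return typeof entity?.ownerWallet === "string" &&
    entity.ownerWallet.toLowerCase() === tokenWallet.toLowerCase();
}

// Constructed stand-in for signature recovery so the example runs offline: the
// "signature" is JSON naming the signer and the exact message it covers.
function stubRecover(message, signature) {
  const s = JSON.parse(signature);
  if (s.message !== message) throw new Error("signature does not cover message");
  return s.signer;
}
```

Because the timestamp is part of the signed message, a captured request cannot be resubmitted with a newer timestamp; within the 5-minute window the same request still verifies unless the server also tracks used challenges.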