
Authentication Models

The Consumer portal uses two authentication models depending on the chain.

WEB Chain: JWT + Secure Channel

Browser and mobile app flows use:

  1. Secure Channel v2 — encrypts sensitive payloads (login, registration, password operations) using RSA-OAEP key exchange and AES-256-GCM encryption
  2. JWT accessToken (short-lived) and refreshToken for session management; the access token is passed as Authorization: Bearer <jwt>
  3. X-Client-Hash — client device fingerprint bound to the session

Typical WEB flow:

  1. establish Secure Channel session
  2. initiate login or registration (encrypted through SC)
  3. complete MFA if required
  4. receive JWT access token
  5. call authenticated endpoints with JWT + portal context

API Chain: API Key + HMAC

Server-to-server flows use:

  1. X-Api-Key — identifies the API key
  2. X-Signature — HMAC signature of the request
  3. X-Timestamp — request timestamp (60s validity window)
  4. X-Nonce — unique request identifier (replay protection)

Consumer API keys are scoped to a workspace. Available scopes include wallet:read, transfer:read, transfer:create, and sandbox:reset.

Self-Registration (Consumer-Only)

Unlike other portals, Consumer allows users to register their own accounts:

  1. POST /web/v1/consumer/auth/register/initiate — create account
  2. POST /web/v1/consumer/auth/register/code/send — send verification code
  3. POST /web/v1/consumer/auth/register/complete — verify and activate

This flow requires Secure Channel for payload encryption.

Do Not Mix Auth Models

  1. JWT does not work on /api/v1/** endpoints
  2. API key + HMAC does not work on /web/v1/** endpoints
  3. Secure Channel is not a replacement for API signing

SlaunchX Internal Documentation