Bring your own auth

You can attach wallets to your existing users using the jwt and auth_endpoint strategies.

  • The jwt strategy is based on the OIDC (OpenID Connect) standard and works with any provider that publishes its signing keys as a JWKS.
  • The auth_endpoint strategy is a generic option that lets you bring your own auth server.

Strategy jwt - OIDC-compatible auth

The OIDC setup is a good option if you use an external auth provider such as Auth0, Firebase or Cognito that publishes a JWKS (JSON Web Key Set) for checking the authenticity of the tokens it issues.

An OIDC provider holds a public/private key pair; the private key is used to sign the tokens it issues.

  • The public key is published at a public URL in JWKS format. The conventional location is https://{domain}.com/.well-known/jwks.json (OIDC discovery advertises the exact URL as jwks_uri in /.well-known/openid-configuration).
  • When a user logs in, a JWT called the ID token (idToken) is generated and signed with the private key. The OIDC spec defines the standard claims in this token (iss, sub, aud, exp and so on).
  • This JWT is then passed to the in-app wallet to generate a wallet for the user.
  • We verify the JWT's signature against the public key from your JWKS and check that the aud claim matches the value you configured. Upon successful verification, we generate a wallet based on the sub (subject, i.e. user identifier) claim of the idToken.

To set up OIDC-compatible auth, enable the first option in the Configuration tab of the in-app wallet dashboard.

You will be asked to enter the following values:

  • The URL of the JWKS file (public key): This is used to verify that the token was signed by your provider and not forged. Anyone whose token passes this check gets the wallet belonging to that sub, so the matching private key must never leave your auth provider.
  • The aud value of the idToken: This is used to verify that thirdweb is the intended audience (recipient) of the token. A token your provider minted for a different application, even with a valid signature, does not match and is not accepted.

Usage example

import { createThirdwebClient } from "thirdweb";
import { inAppWallet } from "thirdweb/wallets";

const client = createThirdwebClient({ clientId: "<your-client-id>" });
const wallet = inAppWallet();

// The idToken your OIDC provider returned after the user logged in.
const account = await wallet.connect({
  client,
  strategy: "jwt",
  jwt: "<your-jwt-token>",
});
// use the account to send transactions