Advanced Usage

For more advanced and specific use-cases, we provide a complete Auth SDK available within the ThirdwebSDK. The Auth SDK has functions that enable you to:

  • Prompt users to sign the necessary Sign-in with Ethereum message used for auth
  • Verify a user's wallet address on the server
  • Generate a JWT authentication token for the verified user
  • Check the validity of a previously generated JWT token

Making a Login Request

This function allows the connected user to sign a Sign-in with Ethereum compliant message and generate a payload that can be sent to the server.

tip

In most cases, you'll want to use the React SDK or JavaScript SDK for this if you want to allow users to log in from a frontend application. However, for scripting or backend-to-backend use cases, you can also use the Python or Go SDKs.

```javascript
// Inside a React component: useSDK is a React SDK hook
const sdk = useSDK();

// Add the domain of the application users will log in to; this will be used throughout the login process
const domain = "example.com";
// Generate a signed login payload for the connected wallet to authenticate with
const loginPayload = await sdk.auth.login(domain);
```

Verifying the User Address

This function lets you securely extract the wallet address of the client-side user from a payload generated by the login function.


Generating a JWT

Alternatively, the backend can use the payload from the login function to generate a JWT authentication token for the user with the following method:


This token contains data on how long the login request is valid, the address of the user that logged in, and the domain that the token is intended for, all of which you can configure through the SDK with optional configuration (view the SDK documentation for more information on this).

danger

It's important that the generated JWT token is sent back to the client-side as a secure, HttpOnly cookie, so that script injected through an XSS attack cannot read it. You can see an example of how to do this in our Basic Authentication Example.

Authenticating Requests

Once a user has a JWT, they can make requests to the backend without needing to log in again. You can then use the authenticate method to verify the user is authenticated and to get their connected wallet address:
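The cookie handling around the generate and authenticate steps, as an added example that is not part of the thirdweb SDK: it issues the token as an HttpOnly cookie as the warning above requires, reads it back on later requests, and hands it to an `authenticate(token)` function. That function is assumed to be the SDK's authenticate method with the domain already bound in (or a stub in tests); the cookie name is our own choice.

```javascript
// Added example (not thirdweb's code): cookie plumbing for the JWT.
const COOKIE_NAME = "thirdweb_auth_token"; // assumed name, pick your own

// Set-Cookie value for a freshly generated token. HttpOnly keeps it out of
// document.cookie (the XSS concern in the warning), Secure limits it to HTTPS,
// and SameSite=Strict stops browsers attaching it to cross-site requests.
function buildAuthCookie(token, maxAgeSeconds) {
  // RFC 6265 cookie-octet: no whitespace, quotes, commas, semicolons, backslashes.
  if (!/^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]+$/.test(token)) {
    throw new Error("token contains characters not allowed in a cookie value");
  }
  if (!Number.isInteger(maxAgeSeconds) || maxAgeSeconds <= 0) {
    throw new Error("Max-Age must be a positive integer");
  }
  return `${COOKIE_NAME}=${token}; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=${maxAgeSeconds}`;
}

// Cookie that clears the token on logout (expires immediately).
function clearAuthCookie() {
  return `${COOKIE_NAME}=; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=0`;
}

// Pull our cookie out of a raw Cookie request header; null when absent.
function readAuthCookie(cookieHeader) {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === COOKIE_NAME) return part.slice(eq + 1).trim();
  }
  return null;
}

// Request-handler glue: resolves to the verified wallet address, or null for
// anonymous. `authenticate(token)` is assumed to resolve to the address and to
// reject on an invalid or expired token; rejections become null rather than
// bubbling up, so a bad cookie never turns into a 500.
async function addressFromRequest(authenticate, req) {
  const token = readAuthCookie(req.headers && req.headers.cookie);
  if (!token) return null;
  try {
    return await authenticate(token);
  } catch {
    return null;
  }
}
```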