Short-lived access tokens now supported with Engine

Phillip Ho

This feature allows your application to use any cryptographic private key to generate access tokens that Engine accepts for a limited duration. No long-lived credentials are transmitted over the public internet, which limits the impact of a compromised access token.

This feature is introduced in v0.0.36.
Existing (long-lived) access tokens in Engine remain unchanged.

How it works

  1. You generate a private and public keypair.
  2. You add your public key to Engine.
  3. Your backend signs a JWT with your private key.
  4. Your backend sends the JWT as the access token to Engine.

Learn more about how to enable and use keypair authentication.

Future work

These signed JWTs unblock future work to restrict access tokens by request type (read vs. write), endpoint, payload body, and even to one-time use.

These improvements make access tokens safer to use and limit what a leaked access token can be misused for.

What is Engine?

thirdweb Engine is an open-source server for your app to read, write, and deploy contracts at production scale.

Self-host for free or get a cloud-hosted Engine for $99/month.