I’m using Web3Auth on the frontend with the modal. My question is whether it is really correct to send the JWT (idToken) to the backend, since a centralized backend could do anything with that token. My goal is to authenticate my users through the JWT provided by Web3Auth; however, I am wondering if my users are going to have to trust that I am not using their JWT to impersonate them against Web3Auth and obtain their private information or perform operations.
I’m happy to hear that you’re interested in validating the JWT (idToken) by sending it to the backend. This is a great approach, and you can find more information on how to do it at Social Login Users | Documentation | Web3Auth. It’s important to note that the idToken returned by Web3Auth doesn’t contain any sensitive data, so it’s completely safe to use it for verification purposes on the backend.
My question is more focused towards what actions can be performed with JWT in Web3Auth. For example, is it possible to initialize a provider and send a transaction to the blockchain?
I understand that I must validate the JWT as it is in the official documentation.
When a user logs in to a site that uses Web3Auth, the frontend can obtain the idToken. What is this token provided for? What uses does it have for Web3Auth services?
No, the JWT returned from web3auth can’t be used for this.
This token contains additional data about the user and can be used for validation on the server side when accessing a protected resource.
Could you provide more context on what you mean by Web3Auth services? I am not fully clear on what you are referring to and would appreciate further explanation.
I probably don’t understand how the provider is initialized for the user to interact with the blockchain. My main question is whether this “idToken” is used by the user to initialize the provider at some point after authenticating with a certain method. For example, are the initialization of the provider through MPC and obtaining the “idToken” two separate processes?
I’m sorry for so many questions. Thank you very much.