SEP-10¶
Configuration¶
Add SEP-10 to your list of active SEPs in settings.py:
POLARIS_ACTIVE_SEPS = ["sep-1", "sep-10", ...]
Add the following variables environment variables file:
- SIGNING_SEED
- The secret key of the keypair used to sign challenge transactions. If SEP-1 is also active, its public key will be added to your SEP-1 TOML file under
SIGNING_KEY
. Do not check this into version control. - SERVER_JWT_KEY
- The secret string for encoding authentication tokens. Do not check this into version control.
- SEP10_HOME_DOMAINS (optional)
- The home domains of the services accepting authentication tokens issued by Polaris’ SEP-10 implementation. By default it contains a single domain: the domain portion of
HOST_URL
. If services not hosted onHOST_URL
’s domain want to accept SEP-10 tokens issued by Polaris, the domains of those services must also be listed inSEP10_HOME_DOMAINS
.
SEP10_HOME_DOMAINS=polaris.anchor.com,not-polaris.anchor.com
- SEP10_CLIENT_ATTRIBUTION_REQUIRED (optional)
- If true, requires client applications to verify their identity by passing a domain in the challenge transaction request and signing the challenge with the
SIGNING_KEY
on that domain’s SEP-1 stellar.toml. Defaults to false. See the SEP-10 section Verifying Client Application Identity for more information. - SEP10_CLIENT_ATTRIBUTION_REQUEST_TIMEOUT (optional)
An integer for the number of seconds to wait before canceling a server-side request to the
client_domain
parameter specified in the request, if present. This request is made from the API server and therefore an unresponsiveclient_domain
can slow down request processing.Defaults to 3 seconds.
Ex.
SEP10_CLIENT_ATTRIBUTION_REQUEST_TIMEOUT=10
- SEP10_CLIENT_ATTRIBUTION_ALLOWLIST (optional)
- A list of domains that the server will issue challenge transactions containing
client_domain
Manage Data operations for. IfSEP10_CLIENT_ATTRIBUTION_REQUIRED
is true, client applications must pass aclient_domain
parameter whose value matches one of the elements in this list, otherwise the request will be rejected. IfSEP10_CLIENT_ATTRIBUTION_REQUIRED
is false, Polaris will return a challenge transaction without the requestedclient_domain
Manage Data operation. - SEP10_CLIENT_ATTRIBUTION_DENYLIST (optional)
- A list of domains that the server will not issue challenge transactions containing
client_domain
Manage Data operations for. IfSEP10_CLIENT_ATTRIBUTION_REQUIRED
is true, client applications that pass aclient_domain
parameter value that matches one of the elements in this list will be rejected. IfSEP10_CLIENT_ATTRIBUTION_REQUIRED
is false, Polaris will return a challenge transaction without the requestedclient_domain
Manage Data operation.
The ALLOWLIST
and DENYLIST
variables are mutually exclusive.
The client_domain
of client applications who successfully verify their identity during SEP-10 will be saved to Transaction.client_domain
for all transactions created by such clients.
Integrations¶
There are no integrations for SEP-10. It just works.
API Reference¶
-
class
polaris.sep10.token.
SEP10Token
(jwt: Union[str, Dict[KT, VT]])[source]¶ An object representing the authenticated session of the client.
This object will be passed to every integration function that is called within the a request containing the JWT in the Authorization header.
-
account
¶ The G-address specified in the payload’s
sub
value
-
client_domain
¶ A nonstandard JWT claim containing the client’s home domain, included if the challenge transaction contained a
client_domain
ManageData operation
-
expires_at
¶ The expiration time on or after which the JWT will not accepted for processing, RFC7519, Section 4.1.4 — represented as a UTC datetime object
-
issued_at
¶ The time at which the JWT was issued RFC7519, Section 4.1.6 - represented as a UTC datetime object
-
issuer
¶ The principal that issued a token, RFC7519, Section 4.1.1 — a Uniform Resource Identifier (URI) for the issuer (https://example.com or https://example.com/G…)
-
payload
¶ The decoded contents of the JWT string
-