SEP-10
Configuration
Add SEP-10 to your list of active SEPs in settings.py:
POLARIS_ACTIVE_SEPS = ["sep-1", "sep-10", ...]
Add the following variables to your environment variables file:
- SIGNING_SEED
The secret key of the keypair used to sign challenge transactions. If SEP-1 is also active, its public key will be added to your SEP-1 TOML file under SIGNING_KEY. Do not check this into version control.
- SERVER_JWT_KEY
The secret string for encoding authentication tokens. Do not check this into version control.
- SEP10_HOME_DOMAINS (optional)
The home domains of the services accepting authentication tokens issued by Polaris' SEP-10 implementation. By default it contains a single domain: the domain portion of HOST_URL. If services not hosted on HOST_URL's domain want to accept SEP-10 tokens issued by Polaris, the domains of those services must also be listed in SEP10_HOME_DOMAINS.
Ex.
SEP10_HOME_DOMAINS=polaris.anchor.com,not-polaris.anchor.com
- SEP10_CLIENT_ATTRIBUTION_REQUIRED (optional)
If true, requires client applications to verify their identity by passing a domain in the challenge transaction request and signing the challenge with the SIGNING_KEY on that domain's SEP-1 stellar.toml. Defaults to false. See the SEP-10 section Verifying Client Application Identity for more information.
- SEP10_CLIENT_ATTRIBUTION_REQUEST_TIMEOUT (optional)
An integer for the number of seconds to wait before canceling a server-side request to the client_domain specified in the request, if present. This request is made from the API server, so an unresponsive client_domain can slow down request processing. Defaults to 3 seconds.
Ex.
SEP10_CLIENT_ATTRIBUTION_REQUEST_TIMEOUT=10
- SEP10_CLIENT_ATTRIBUTION_ALLOWLIST (optional)
A list of domains for which the server will issue challenge transactions containing client_domain Manage Data operations. If SEP10_CLIENT_ATTRIBUTION_REQUIRED is true, client applications must pass a client_domain parameter whose value matches one of the elements in this list, otherwise the request will be rejected. If SEP10_CLIENT_ATTRIBUTION_REQUIRED is false, Polaris will return a challenge transaction without the requested client_domain Manage Data operation.
- SEP10_CLIENT_ATTRIBUTION_DENYLIST (optional)
A list of domains for which the server will not issue challenge transactions containing client_domain Manage Data operations. If SEP10_CLIENT_ATTRIBUTION_REQUIRED is true, client applications that pass a client_domain parameter value matching one of the elements in this list will be rejected. If SEP10_CLIENT_ATTRIBUTION_REQUIRED is false, Polaris will return a challenge transaction without the requested client_domain Manage Data operation.
The ALLOWLIST and DENYLIST variables are mutually exclusive.
The client_domain of client applications that successfully verify their identity during SEP-10 will be saved to Transaction.client_domain for all transactions created by such clients.
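As an added example (not Polaris' own code), the following Python models the decision these settings describe: whether a requested client_domain Manage Data operation is included in the challenge, omitted from it, or the request rejected. Domain names are constructed samples, and the behaviour when no list is configured or no client_domain is passed is an assumption noted in the comments.

```python
# Added example, not Polaris code: models the documented handling of the
# client_domain parameter under the SEP10_CLIENT_ATTRIBUTION_* settings.
from typing import List, Optional


def parse_domain_list(raw: Optional[str]) -> List[str]:
    """Split a comma-separated setting such as SEP10_HOME_DOMAINS."""
    if not raw:
        return []
    return [d.strip().lower() for d in raw.split(",") if d.strip()]


def validate_attribution_settings(allowlist: List[str], denylist: List[str]) -> None:
    """The ALLOWLIST and DENYLIST settings are mutually exclusive."""
    if allowlist and denylist:
        raise ValueError(
            "SEP10_CLIENT_ATTRIBUTION_ALLOWLIST and "
            "SEP10_CLIENT_ATTRIBUTION_DENYLIST are mutually exclusive"
        )


def client_domain_decision(
    client_domain: Optional[str],
    required: bool,
    allowlist: List[str],
    denylist: List[str],
) -> str:
    """Return what the server does with the client_domain ManageData op.

    'include' - the challenge carries the client_domain operation
    'omit'    - the challenge is issued without the requested operation
    'reject'  - the request is refused
    """
    validate_attribution_settings(allowlist, denylist)
    if client_domain is None:
        # Assumption: with attribution required, a missing domain cannot be
        # verified, so the request is refused; otherwise there is nothing to add.
        return "reject" if required else "omit"
    domain = client_domain.lower()
    allowed = {d.lower() for d in allowlist}
    denied = {d.lower() for d in denylist}
    # Allowlist: only listed domains get the operation.
    if allowed and domain not in allowed:
        return "reject" if required else "omit"
    # Denylist: listed domains never get the operation.
    if denied and domain in denied:
        return "reject" if required else "omit"
    # Assumption: with no list configured, any presented domain is accepted for
    # the operation (its identity is still verified against its stellar.toml).
    return "include"
```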
Integrations
There are no integrations for SEP-10. It just works.
API Reference
- class polaris.sep10.token.SEP10Token(jwt: Union[str, Dict])[source]
An object representing the authenticated session of the client.
This object will be passed to every integration function that is called within a request containing the JWT in the Authorization header.
- property account: str
The Stellar account (G…) authenticated. Note that a muxed account could have been authenticated, in which case Token.muxed_account should be used.
- property client_domain: Optional[str]
A nonstandard JWT claim containing the client's home domain, included if the challenge transaction contained a client_domain ManageData operation
- property expires_at: datetime.datetime
The expiration time on or after which the JWT will not be accepted for processing, RFC7519, Section 4.1.4, represented as a UTC datetime object
- property issued_at: datetime.datetime
The time at which the JWT was issued, RFC7519, Section 4.1.6, represented as a UTC datetime object
- property issuer: str
The principal that issued the token, RFC7519, Section 4.1.1, a Uniform Resource Identifier (URI) for the issuer (https://example.com or https://example.com/G…)
- property memo: Optional[int]
The memo included with the payload's sub value, if present
- property muxed_account: Optional[str]
The M-address specified in the payload's sub value, if present
- property payload: dict
The decoded contents of the JWT string