stellar / stellar-protocol

Developer discussion about possible changes to the protocol.

[PARTNER-275] Add Authorization header for SEP-10 GET /Auth #1470

Closed Ifropc closed 3 months ago

Ifropc commented 3 months ago

In the protocol change, an optional Authorization header was added for the GET <WEB_AUTH_ENDPOINT> endpoint. The header should contain a signed JWT token (using ed25519) with an appropriate key from the request. For custodial applications, this is a primary Application key, provided in the account field. For non-custodial applications, this will be the SIGNING_KEY from the toml file hosted on the client_domain.

The server will validate that the signature is correct and that the URL in the JWT corresponds to the request. It can optionally filter out requests from all clients that are not allowed by the server.
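The exchange described in the comment above, as an added example in Go that is not part of the stellar-protocol repository or any Stellar SDK. It assumes details the comment does not fix: keys are passed as hex-encoded raw ed25519 public keys rather than Stellar strkeys (G...), the JWT carries only a `url` and an `exp` claim, and the `ResolveSigningKey` callback stands in for fetching `SIGNING_KEY` from the client_domain's stellar.toml. The server side picks the expected key from the request (account key for custodial clients, client_domain SIGNING_KEY for non-custodial ones), enforces the optional allow-list, pins the algorithm to EdDSA, verifies the signature, and checks that the `url` claim matches the request.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims in the Authorization JWT. The claim names are this example's assumption;
// the issue only says the token must name the URL of the request it authorizes.
type Claims struct {
	URL string `json:"url"` // full URL of the GET <WEB_AUTH_ENDPOINT> request
	Exp int64  `json:"exp"` // expiry, Unix seconds
}

type Request struct {
	URL           string
	Account       string // account query parameter (hex public key here; Stellar uses strkey G...)
	ClientDomain  string // client_domain query parameter; empty for custodial clients
	Authorization string // "Bearer <jwt>"
}

// DemoKeyPair derives a deterministic ed25519 key pair from a label (constructed test data).
func DemoKeyPair(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// SignJWT builds the compact EdDSA JWT the client puts in "Authorization: Bearer <jwt>".
func SignJWT(priv ed25519.PrivateKey, c Claims) string {
	enc := base64.RawURLEncoding
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, _ := json.Marshal(c) // Claims holds only a string and an int64, so this cannot fail
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	return input + "." + enc.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// Server policy: resolver for client_domain -> SIGNING_KEY (stands in for fetching
// that domain's stellar.toml) plus an optional allow-list of client domains.
type Server struct {
	ResolveSigningKey func(domain string) (ed25519.PublicKey, error)
	AllowedDomains    map[string]bool // nil disables client filtering
}

// expectedKey picks the key the token must be signed with: the account key for
// custodial clients, the client_domain SIGNING_KEY for non-custodial ones.
func (s *Server) expectedKey(r Request) (ed25519.PublicKey, error) {
	if r.ClientDomain == "" {
		raw, err := hex.DecodeString(r.Account)
		if err != nil || len(raw) != ed25519.PublicKeySize {
			return nil, errors.New("account is not a valid ed25519 public key")
		}
		return ed25519.PublicKey(raw), nil
	}
	if s.AllowedDomains != nil && !s.AllowedDomains[r.ClientDomain] {
		return nil, fmt.Errorf("client_domain %q is not allowed by this server", r.ClientDomain)
	}
	return s.ResolveSigningKey(r.ClientDomain)
}

// VerifyAuthorization checks the header: alg pinned to EdDSA (no alg confusion), signature
// valid under the expected key, url claim equal to the request URL, token not expired.
func (s *Server) VerifyAuthorization(r Request) (*Claims, error) {
	parts := strings.Split(strings.TrimPrefix(r.Authorization, "Bearer "), ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var hdr struct{ Alg string `json:"alg"` }
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("JWT header is malformed or alg is not EdDSA")
	}
	pub, err := s.expectedKey(r)
	if err != nil {
		return nil, err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("JWT signature does not verify under the expected key")
	}
	var c Claims
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("malformed JWT payload")
	}
	if c.URL != r.URL {
		return nil, fmt.Errorf("url claim %q does not match request %q", c.URL, r.URL)
	}
	if time.Now().Unix() > c.Exp {
		return nil, errors.New("JWT has expired")
	}
	return &c, nil
}
```

A custodial client signs `Claims{URL: requestURL, Exp: ...}` with its application key and sends the result as `Authorization: Bearer <jwt>`; a non-custodial client signs with the private half of its client_domain `SIGNING_KEY`. The server calls `VerifyAuthorization` before building the challenge. Binding the `url` claim to the exact request URL is what stops a captured token from being replayed against a different account, memo or client_domain, and rejecting any `alg` other than `EdDSA` before touching the key avoids the classic JWT `alg: none` / key-confusion pitfalls.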