In the protocol change, an optional Authorization header was added for the GET <WEB_AUTH_ENDPOINT> endpoint. The header should contain a JWT signed (using ed25519) with the appropriate key for the request.
For custodial applications, this is the primary application key, provided in the account field.
For non-custodial applications, this is the SIGNING_KEY from the toml file hosted on the client_domain.
The server validates that the signature is correct and that the URL in the JWT corresponds to the request. It can optionally filter out requests from all clients that are not allowed by the server.
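The server-side checks described above, as an added Go example that is not code from the protocol or from any SDK: the signature is verified against the key the server resolved from the request, and only then is the URL in the token compared with the requested URL. The `url` claim name, the exact string comparison, the raw Ed25519 keys and the anchor.example URL are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// NewKey returns a freshly generated (constructed) Ed25519 key pair for the demo.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}

// SignToken is the client side: an EdDSA JWT whose "url" claim (assumed name) carries the request URL.
func SignToken(priv ed25519.PrivateKey, url string) string {
	claims, _ := json.Marshal(map[string]string{"url": url})
	msg := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64.EncodeToString(claims)
	return msg + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(msg)))
}

// VerifyToken is the server side. key is resolved from the request (the account field, or
// SIGNING_KEY from the client_domain toml); the token's own alg header is never trusted.
func VerifyToken(token string, key ed25519.PublicKey, requestURL string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || len(key) != ed25519.PublicKeySize {
		return errors.New("malformed token or key")
	}
	if sig, err := b64.DecodeString(parts[2]); err != nil || !ed25519.Verify(key, []byte(parts[0]+"."+parts[1]), sig) {
		return errors.New("bad signature")
	}
	var claims struct{ URL string `json:"url"` } // parsed only after the signature checks out
	body, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(body, &claims) != nil || claims.URL != requestURL {
		return errors.New("url mismatch") // token was not issued for this exact request
	}
	return nil
}

func main() {
	pub, priv := NewKey()
	u := "https://anchor.example/auth?account=GEXAMPLE" // constructed request URL
	fmt.Println(VerifyToken(SignToken(priv, u), pub, u))
}
```

The optional client filter would run before this call, rejecting keys or client domains that are not on the server's allow list.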