Web3 Authentication

Implement wallet-based authentication in your dApps. Learn Sign-In with Ethereum (SIWE) and session management.

What is Web3 Authentication?

Web3 authentication uses cryptocurrency wallets (like MetaMask) instead of passwords. Users sign a message to prove they own a wallet address, which becomes their identity.

Sign-In with Ethereum (SIWE)

SIWE is a standard for logging in with Ethereum wallets. It uses message signing to verify wallet ownership without exposing private keys.

Frontend: Request Signature

async function signInWithEthereum() {
  // Ask the wallet for the active account (window.ethereum.selectedAddress is deprecated)
  const [address] = await window.ethereum.request({ method: 'eth_requestAccounts' });

  // The nonce must be issued by the server so it can be checked and consumed on login;
  // a client-generated nonce cannot stop replay. /api/auth/nonce is an assumed endpoint.
  const nonce = await (await fetch('/api/auth/nonce')).text();

  const message = `Welcome to MyApp!

Sign this message to log in.

This request will not trigger a blockchain transaction or cost any gas fees.

Wallet address:
${address}

Nonce: ${nonce}
Expiration time: ${new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString()}`;

  // personal_sign applies the EIP-191 prefix, so the signature cannot double as a transaction
  const signature = await window.ethereum.request({
    method: 'personal_sign',
    params: [message, address]
  });

  // Send the exact signed message along with the signature so the backend can verify it
  await fetch('/api/auth/login', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ address, message, signature })
  });
}

Backend Verification

Verify Signature

import { verifyMessage } from 'ethers'; // ethers v6; with v5 use ethers.utils.verifyMessage

// Recover the signer of a personal_sign message and check it is the address the client
// claimed. Returns the recovered (checksummed) address, or throws on a mismatch.
// eth-sig-util's recoverPersonalSignature({ data, sig }) does the same recovery step.
function verifySIWEMessage(message: string, signature: string, claimedAddress: string): string {
  // verifyMessage re-applies the EIP-191 prefix and recovers the signing address
  const recovered = verifyMessage(message, signature);

  if (recovered.toLowerCase() !== claimedAddress.toLowerCase()) {
    throw new Error('signature was not produced by the claimed address');
  }

  // A valid signature only proves key ownership; the message contents (server-issued
  // nonce, expiration, domain) must still be checked before a session is created.
  return recovered;
}

Popular Auth Solutions

RainbowKit + Wagmi

React hooks for wallet connection. Most popular for React apps.

  • Free
  • Easy Setup
  • Best For: React/Next.js apps

Privy

Embedded wallet and auth solution. Supports email + wallet.

  • Free Tier: 1000 MAU
  • Best For: Consumer apps

Particle Network

Wallet-as-a-service with built-in auth.

  • Free Tier: 1000 MAU
  • Best For: Mobile apps

Magic Links

Web3 auth via email magic links.

  • Free Tier: Limited
  • Best For: Traditional users

Session Management

After Successful Login

// Server creates session token (createSession is the app's own helper)
const sessionToken = createSession(userAddress, {
  expiresIn: '7d',
  permissions: ['read', 'write']
});

// Send session cookie: HttpOnly keeps it out of reach of page scripts, Secure restricts it
// to HTTPS, SameSite limits cross-site requests from carrying it
res.setHeader('Set-Cookie', `session=${sessionToken}; HttpOnly; Secure; SameSite=Lax; Path=/`);

// Client side: the browser stores the cookie and attaches it to later requests itself.
// Do not copy the token into localStorage, which any script running on the page can read.

Security Best Practices

  • Use nonces: Prevent replay attacks
  • Set expiration: Limit session validity
  • Verify domain: Prevent cross-site signing
  • Use EIP-4361: Follow SIWE standard
  • Secure storage: HttpOnly cookies for sessions
  • Rate limiting: Prevent brute force
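
The checks listed above (server-issued nonce, expiration, domain, EIP-4361 format) applied to a SIWE message on the server, as an added example that is not part of the original page. It parses the EIP-4361 message layout in plain Node.js with no dependencies; signature recovery is left to a library such as ethers and the recovered address is passed in, and the domain, address, nonce and timestamps below are constructed sample values.

```javascript
// Added example: parse an EIP-4361 (SIWE) message and run the checks the best-practices list
// asks for. Recover the signer with a library (e.g. ethers) and pass it as `recoveredAddress`.
const HEADER_RE = /^(?:[a-z][a-z0-9+.-]*:\/\/)?(\S+) wants you to sign in with your Ethereum account:$/;
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// Split a SIWE message into domain, address, optional statement and "Key: value" fields.
function parseSiweMessage(message) {
  const lines = message.split('\n');
  const header = HEADER_RE.exec(lines[0] || '');
  if (!header) throw new Error('malformed SIWE header line');
  if (!ADDRESS_RE.test(lines[1] || '')) throw new Error('malformed address line');
  if (lines[2] !== '') throw new Error('expected blank line after address');
  // The statement is optional: layout is either "blank, statement, blank" or "blank, blank".
  const statement = lines[3] || '';
  const fields = {};
  for (let i = statement === '' ? 4 : 5; i < lines.length; i++) {
    if (lines[i] === 'Resources:') break; // resource URIs follow; not needed for these checks
    const kv = /^([A-Za-z ]+): (.*)$/.exec(lines[i]);
    if (!kv) throw new Error(`unexpected line: ${lines[i]}`);
    fields[kv[1]] = kv[2];
  }
  return { domain: header[1], address: lines[1], statement, fields };
}

// Return a list of problems; an empty list means the message passes every check.
// `expectedNonce` is the nonce the server issued for this login attempt.
function validateSiweMessage(message, { expectedDomain, expectedNonce, recoveredAddress, now = new Date() }) {
  const m = parseSiweMessage(message);
  const errors = [];
  if (m.domain !== expectedDomain) errors.push('domain mismatch');          // cross-site signing
  if (m.fields['Nonce'] !== expectedNonce) errors.push('nonce mismatch');  // replay
  if (m.address.toLowerCase() !== recoveredAddress.toLowerCase()) errors.push('address mismatch');
  if (m.fields['Version'] !== '1') errors.push('unsupported version');
  const exp = m.fields['Expiration Time'];
  if (!exp) errors.push('missing expiration');
  else if (!(new Date(exp).getTime() > now.getTime())) errors.push('expired or unparsable expiration');
  const nbf = m.fields['Not Before'];
  if (nbf && new Date(nbf).getTime() > now.getTime()) errors.push('not yet valid');
  return errors;
}

// Constructed sample message (fake domain, address and nonce) for a stand-alone run.
const SAMPLE_MESSAGE = [
  'myapp.example wants you to sign in with your Ethereum account:',
  '0x1111111111111111111111111111111111111111', '', 'Sign in to MyApp.', '',
  'URI: https://myapp.example/login', 'Version: 1', 'Chain ID: 1', 'Nonce: Q7rTz9kLp3Bx',
  'Issued At: 2024-01-01T00:00:00Z', 'Expiration Time: 2024-01-02T00:00:00Z',
].join('\n');
```

Calling `validateSiweMessage(SAMPLE_MESSAGE, { expectedDomain: 'myapp.example', expectedNonce: 'Q7rTz9kLp3Bx', recoveredAddress: '0x1111111111111111111111111111111111111111', now: new Date('2024-01-01T12:00:00Z') })` returns an empty list; moving `now` past the expiration or changing the domain or nonce yields the matching error.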

Why Web3 Auth?

  • No passwords: Users don't need to manage credentials
  • Self-custody: Users keep control of their identity
  • Single sign-on: One wallet for many apps
  • Verified identity: Wallet age can indicate trust
  • No KYC: Pseudonymous by default