Sign in to Boost
How to sign in to Boost using Sign-In with Ethereum
An authorization token from the Boost API is required for certain protected routes, such as the create boost endpoint. This can be acquired with an ERC-4361 SIWE message and signature from the end user, posted to the /auth/login endpoint.
Generating a SIWE message
While any properly formatted SIWE message with the statement 'Sign in with Ethereum.'
and a nonce value from the /auth/nonce endpoint should suffice, we recommend the siwe library for JavaScript applications, to ensure all required fields are present.
Here is an example of SIWE message generation using the siwe library:
import { SiweMessage } from 'siwe';
const boostNonce = await fetch('https://boost.xyz/auth/nonce').then(response => {
return response.text();
});
const siweMessage = new SiweMessage({
version: '1',
domain: window.location.host, // can also be 'boost.xyz'
uri: window.location.origin,
statement: 'Sign in with Ethereum.',
nonce: boostNonce,
address: '0xe44588f9b431ae714Ff16BB3310a2Ed6D9FE3104',
chainId: 8453,
});
const formattedSiweMessage = siweMessage.prepareMessage();
Getting an access token
After generating the SIWE message and requesting a signature of the message from the end user’s wallet client, send the message and signature in a POST request to the /auth/login endpoint.
Note that the origin
and user-agent
headers are mandatory, though they are usually included automatically by the browser.
const loginResult = await fetch('https://api.boost.xyz/auth/login', {
method: 'POST',
headers: {
'Content-type': 'application/json',
'Origin': 'https://boost.xyz',
'User-agent': '...user agent string...'
},
body: JSON.stringify({
message: formattedSiweMessage,
signature: '...signature of SIWE message from wallet client...',
}),
});
const { accessToken, refreshToken } = await loginResult.json();
A successful response will return a body with an accessToken
and a refreshToken
:
- The
accessToken
should be passed as the authorization header value for protected routes. - The
refreshToken
can be stored to allow for re-authentication without another message signature when theaccessToken
expires using the /auth/refresh endpoint, which returns a new access token for the given refresh token.
Getting a refreshed access token
When the end user’s access token expires (currently every 24 hours), the stored refreshToken
can be used to get a new access token without requiring a new SIWE signature from the end user. Refresh tokens expire in 30 days, after which a full login with a new SIWE signature from the end user is required.
const refreshResult = await fetch('https://api.boost.xyz/auth/refresh', {
method: 'POST',
headers: {
'Content-type': 'application/json',
},
body: JSON.stringify({
refreshToken
}),
});
const { accessToken } = await refreshResult.json();