Authenticate with JWT | Alchemy Docs

Authenticates a user using a JSON Web Token (JWT) for secure access to their Smart Wallet functionalities. This endpoint validates the provided JWT token and can be used for authenticating an existing user or to pregenerate a wallet.

Authentication

AuthorizationBearer

Bearer token authentication. Use ‘Bearer <apiKey>’ as the value.

Request

This endpoint expects an object.

jwtstringRequired

The JSON Web Token (JWT) used for authentication. The JWT must be a valid OIDC ID Token containing the required claims for user identification and authentication. Required OIDC Claims:

iss (Issuer): The identity of the OIDC provider. Should be the same as issuer URL specified in your /.well-known/openid-configuration, for example see the Google OpenID configuration
sub (Subject): A unique identifier that identifies the user with this auth provider.
aud (Audience): A unique identifier for the project that can be found on the Alchemy Dashboard.
exp (Expiration): Token expiration time as Unix timestamp
iat (Issued At): Token issuance time as Unix timestamp
nonce (Nonce): toHex(sha256(targetPublicKey)) without the leading 0x Example JWT Payload:

1 {
2   "iss": "https://accounts.google.com",
3   "sub": "1234567890abcdef",
4   "aud": "project_id",
5   "exp": 1640995200,
6   "iat": 1640991600,
7   "nonce": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
8 }

The JSON Web Token (JWT) used for authentication. The JWT must be a valid OIDC ID Token containing the required claims for user identification and authentication. **Required OIDC Claims:** - `iss` (Issuer): The identity of the OIDC provider. Should be the same as issuer URL specified in your /.well-known/openid-configuration, for example see the [Google OpenID configuration](https://accounts.google.com/.well-known/openid-configuration) - `sub` (Subject): A unique identifier that identifies the user with this auth provider. - `aud` (Audience): A unique identifier for the project that can be found on the [Alchemy Dashboard](https://dashboard.alchemy.com/apps/latest/services/smart-wallets). - `exp` (Expiration): Token expiration time as Unix timestamp - `iat` (Issued At): Token issuance time as Unix timestamp - `nonce` (Nonce): toHex(sha256(targetPublicKey)) without the leading 0x **Example JWT Payload:** ```json { "iss": "https://accounts.google.com", "sub": "1234567890abcdef", "aud": "project_id", "exp": 1640995200, "iat": 1640991600, "nonce": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", } ```

targetPublicKeystringOptional

Required for authentication. Optional for pregeneration.

expirationSecondsstringOptional

Specifies the duration of the login session in seconds. After this period, the user has to re-login to refresh their session. The default value is 900 seconds (15 minutes).

Response

JWT authentication successful. User is now authenticated or wallet has been pregenerated.

orgIdstring

The organization ID associated with the authenticated user and the application.

isSignupboolean or nullDefaults to false

If true, indicates a new wallet was created.

credentialBundlestring or null

An encrypted API key credential bundle that shall be used for subsequent authenticated requests. This bundle contains the authentication credentials encrypted with the provided targetPublicKey and can be decrypted client-side for stamping requests. A credential bundle will be returned when this endpoint is being used for authentication and would require a targetPublicKey in the request params

userIdstring or null

A unique identifier for the authenticated user.

addressstring or null

The Ethereum address of the user's signer, available after successful authentication.

solanaAddressstring or null

The Solana address of the user's signer, available after successful authentication.

Errors

The JSON Web Token (JWT) used for authentication. The JWT must be a valid OIDC ID Token containing the required claims for user identification and authentication. Required OIDC Claims:

iss (Issuer): The identity of the OIDC provider. Should be the same as issuer URL specified in your /.well-known/openid-configuration, for example see the Google OpenID configuration
sub (Subject): A unique identifier that identifies the user with this auth provider.
aud (Audience): A unique identifier for the project that can be found on the Alchemy Dashboard.
exp (Expiration): Token expiration time as Unix timestamp
iat (Issued At): Token issuance time as Unix timestamp
nonce (Nonce): toHex(sha256(targetPublicKey)) without the leading 0x Example JWT Payload:

1 {
2   "iss": "https://accounts.google.com",
3   "sub": "1234567890abcdef",
4   "aud": "project_id",
5   "exp": 1640995200,
6   "iat": 1640991600,
7   "nonce": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
8 }

1	import requests
2
3	url = "https://api.g.alchemy.com/signer/v1/auth-jwt"
4
5	payload = { "jwt": "eyJhbGciOiJSUzI1NiIsImtpZCI6Im15LWtl..." }
6	headers = {
7	"Authorization": "Bearer <token>",
8	"Content-Type": "application/json"
9	}
10
11	response = requests.post(url, json=payload, headers=headers)
12
13	print(response.json())

1	{
2	"orgId": "string",
3	"isSignup": false,
4	"credentialBundle": "string",
5	"userId": "string",
6	"address": "string",
7	"solanaAddress": "string"
8	}

1	{
2	"iss": "https://accounts.google.com",
3	"sub": "1234567890abcdef",
4	"aud": "project_id",
5	"exp": 1640995200,
6	"iat": 1640991600,
7	"nonce": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
8	}