VeChain Docs
  • Welcome to VeChain
  • Blockchain Basics
    • Introduction to blockchain
    • Introduction to digital property
    • The evolution of the internet
  • Introduction to VeChain
    • About the VeChain blockchain
      • Consensus Deep Dive
      • Governance
    • Dual-Token Economic Model
      • VeChain (VET)
      • VeThor (VTHO)
    • Acquire VeChain Assets
    • Sustainability
  • Core Concepts
    • Networks
      • Thor Solo Node
      • Testnet
      • Mainnet
    • Nodes
      • Node Rewards Programme
    • Blocks
      • Block Model
    • Transactions
      • Transaction Model
      • Transaction Fees
      • Transaction Calculation
      • Meta Transaction Features
        • Transaction Uniqueness
        • Controllable Transaction Lifecycle
        • Clauses (Multi-Task Transaction)
        • Fee Delegation
          • Multi-Party Payment (MPP)
          • Designated Gas Payer (VIP-191)
        • Transaction Dependency
    • Block Explorers
    • Wallets
      • VeWorld
        • User Guide
          • Setup
          • Wallet
          • Signing
          • Activities
          • Settings
        • FAQ
      • Sync2
        • User Guide
          • Setup
          • Wallet
          • Signing
          • Activities
          • Settings
        • FAQ
      • Sync
        • User Guide
          • Wallet
          • Ledger Device
          • Browser dApps and web
          • Interact with dApps
          • Activities
          • Settings
          • Report an Issue
          • Contributing
        • FAQ
    • EVM Compatibility
      • VeChain Modifications
      • Methodology
      • Test Coverage
        • Gas model
        • Raw transaction
        • hardhat specific
          • Ganache failures
          • evm_increaseTime
        • Failures in constructor
        • eth_sign
        • Contract address prediction
        • BadBeacon proxy address at 0x1
      • How to Recreate
      • Additional Information
        • Using Governance Contracts
        • ERC1820/ERC777 Testnet
        • Delegate Options
    • Account Abstraction
      • UserOperation
      • Bundler
      • EntryPoint Contract
      • Account Factory Contract
      • Paymaster Contract
    • Token Bound Accounts
  • How to run a node
    • Nodes
    • How to run a Thor Solo Node
    • Custom Network
    • Connect Sync2 to a Thor Solo Node
  • Developer Resources
    • Getting Started
    • How to build on VeChain
      • Connect to the Network
      • Read Data
        • Read Blocks
        • Read Transactions
        • Read Accounts
        • States & Views
        • Events & Logs
        • VET Transfers
      • Write Data
        • Transactions
        • Fee Delegation
      • Listen to Changes
        • Events
        • VET Transfers
        • Transactions
        • Blocks
        • Beats
      • Build with Hardhat
      • Utilities
        • BigInt and Unit-Handling
        • Name Service Lookups
    • Example dApps
      • Buy me a Coffee
      • Token Bound Accounts
      • PWA with Privy and Account Abstraction
    • EVM Compatibility for Developers
      • Key Architectural Differences and Optimizations
      • Practical Implications for Developers: Key Considerations
      • RPC Methods (Detailed Breakdown)
      • Frequently Asked Questions (FAQs)
      • VeChain Blockchain Specifications
      • Key Differences Between VeChain and Ethereum (Summary)
      • Best Practices for Developing on VeChainThor
    • How to verify Address-Ownership
      • Next.js Session Verification
    • Debug Reverted Transactions
    • Account Abstraction
    • VIP-191: Designated Gas Payer
      • How to Integrate VIP-191 (I)
      • How to Integrate VIP-191 (II)
      • How to Integrate VIP-191 (III)
    • Index with Graph Node
      • Setup with Docker
      • Index with OpenZeppelin
        • Create Subgraph Project
        • Configure Contracts
        • Deploy Subgraph and start Indexing
        • Track Subgraph Indexing
        • Access Subgraph
        • Update Subgraph
    • SDKs & Providers
      • SDK
        • Architecture
        • Accounts
        • Bloom Filter
        • Certificates
        • Contracts
        • Cryptography
        • Debug
        • Encoding
        • Polls
        • Subscriptions
        • Thor Client
        • Transactions
      • Thor DevKit
        • Installation
        • Usage
          • Cryptography
          • Accounts
          • Encoding
          • Transactions
          • Certificates
          • Bloom Filter
      • DApp Kit
        • v2
          • Installation
          • React
            • Installation
            • Usage
          • Vanilla JS
            • Installation
            • Usage
          • Core
            • Installation
            • Usage
          • Theme Variables
          • i18n
        • v1
          • Installation
          • React
            • Installation
            • Usage
          • Vanilla JS
            • Installation
            • Usage
          • Core
            • Installation
            • Usage
          • Theme Variables
          • i18n
          • Node Polyfills
          • V0 to V1
        • v0
          • Installation
          • Usage
          • React
            • Installation
            • Usage
          • Vanilla (UI)
            • Installation
            • Usage
          • Styles (UI)
          • i18n
      • VeChain Kit
      • DevPal
      • Web3-Providers-Connex
        • Installation
        • Usage
      • Connex
        • Installation
        • API Specification
    • Frameworks & IDEs
      • Hardhat
      • Remix
    • Built-in Contracts
    • VORJ
    • Useful Links
  • How to contribute
Powered by GitBook
On this page
  • Browser Sign In with VeWorld
  • Enable Certificate Sharing with dApp-Kit
  • Harden With Server-side Challenges
  • Access Certificate
  • Backend Verification
  • Send to Backend
  • Verify Certificate
  • Example Project

Was this helpful?

  1. Developer Resources
  2. How to verify Address-Ownership

Next.js Session Verification

By using certificate signing, you can implement stateless session management in applications like Next.js.

Browser Sign In with VeWorld

With useWallet() and the WalletButton, users can be prompted to sign into an application.

When signing in, users are asked to sign a message. The signed message and signature can then be used to verify ownership of a specific address.

Enable Certificate Sharing with dApp-Kit

The DAppKitProvider needs to have requireCertificate enabled to share it with the application:

<DAppKitProvider
  nodeUrl="https://mainnet.vechain.org/"
  requireCertificate
  usePersistence
>
  {children}
</DAppKitProvider>

Harden With Server-side Challenges

To make sign-in more secure, you can use custom challenges. These challenges are shown to the user during sign-in. You can set a custom certificate in the DAppKitProvider. This certificate can come from a server-side generated message:

<DAppKitProvider
  nodeUrl="https://mainnet.vechain.org/"
  requireCertificate
  usePersistence
  connectionCertificate={{
    message: {
      purpose: "identification",
      payload: {
        type: "text",
        content: sessionChallenge,
      },
    },
  }}
>
  {children}
</DAppKitProvider>

Access Certificate

When requireCertificate is enabled, you can get the connectionCertificate from the useWallet() hook. After the user connects their wallet with the WalletButton, you can use the certificate for verification.

"use client"; // This is a client component
import { type ReactElement, useEffect, useState } from "react";
import { WalletButton, useWallet } from "@vechain/dapp-kit-react";

const Button = (): ReactElement => {
  const { connectionCertificate } = useWallet();

  useEffect(() => {
    // handle certificate
  }, [connectionCertificate]);

  return (
    <div className="container">
      <WalletButton />
    </div>
  );
};

const HomePage = (): ReactElement => {
  return <Button />;
};

// eslint-disable-next-line import/no-default-export
export default HomePage;

Backend Verification

Send to Backend

A common way to pass authentication to backends is by using the authorization header.

You can Base64 encode the received certificate to easily send it to an API:

const encodedCertificate = btoa(JSON.stringify(connectionCertificate));
fetch("/api/verify", {
  method: "GET",
  headers: {
    authorization: encodedCertificate,
  },
})

Verify Certificate

To verify the certificate, you need to decode it from base64 and parse it back to a JSON object.

You can use certificate.verify() to check if the certificate is valid. If the certificate has been tampered with, it will throw an error.

The certificate contains important information for access control in the application. Key attributes include:

  • signer: the address that signed the message (in lower case)

  • payload: the message signed by the user

  • domain: the domain where the wallet signed the message

  • timestamp: the unix timestamp when the message was signed

Here is an example API function that verifies a received certificate:

import type { NextApiRequest, NextApiResponse } from "next";
import { certificate } from "@vechain/sdk-core";
export default function handler(
  req: NextApiRequest,
  res: NextApiResponse<object>
) {
  const authHeader = req.headers.authorization;
  const decodedAuthHeader = atob(authHeader ?? "");
  const decodedCertificate = JSON.parse(decodedAuthHeader);

  if (!decodedCertificate) {
    return res.json({
      status: "missing",
      authHeader,
      decodedAuthHeader,
      decodedCertificate,
    });
  }

  try {
    // verify it
    certificate.verify(decodedCertificate);

    // further verify attributes like signer, domain or payload of the decodedCertificate
    // verify timestamp/max. validity

    return res.json({
      status: "verified",
      authHeader,
      certificate,
      user: decodedCertificate.signer,
    });
  } catch (err: any) {
    return res.json({
      status: "failed",
      authHeader,
      decodedAuthHeader,
      decodedCertificate,
      errorMessage: err.message,
    });
  }
}

Example Project

A Next.js example is available on StackBlitz:

PreviousHow to verify Address-OwnershipNextDebug Reverted Transactions

Last updated 9 months ago

Was this helpful?

https://stackblitz.com/github/vechain-energy/example-snippets/tree/v1.0.0/sdk/nextjs-dappkit-certificate?file=pages%2Fapi%2Fverify.ts