This is the canonical authentication flow used throughout PTERI.
Every login, approval, or authorization is a variation of this sequence.
1. The application requests authentication.
2. The backend generates a challenge:
   - Random nonce
   - Short expiry
3. The wallet receives the challenge.
4. The user approves via biometrics.
5. The wallet signs the challenge.
6. The signature is sent to the backend.
7. The backend verifies the signature.
8. The backend issues its own session or JWT.
At no point does the backend:

- receive a secret,
- store reusable credentials, or
- gain signing authority.

What this buys:

- Challenges are single-use: the backend discards a challenge the first time it is presented, whether or not the signature checks out.
- Signatures are non-replayable: each one covers a nonce the backend accepts only once, and the expiry bounds the window in which even a first presentation is valid.
- Authority is proven, not assumed: the backend accepts a signature only if it verifies, never a presented identity on its own.
- Compromised servers cannot impersonate users: the server never holds a wallet signing key, so a dump of its state gives an attacker nothing to sign with.
Authentication becomes a cryptographic event, not a credential exchange.
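The sequence above, together with the single-use and replay properties it rests on, as an added example that is not PTERI's own code: a minimal Go model of both sides of the exchange. Everything in it is an assumption made for illustration: Ed25519 wallet keys, the `pteri-auth-v1` domain prefix, a two-minute challenge TTL, an HMAC-SHA256 bearer token standing in for "the backend's own session or JWT", and the names `Backend`, `Challenge`, `WalletSign` and `Login`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strconv"
	"time"
)

var ErrUnknownChallenge = errors.New("unknown or already-used challenge")
var ErrExpired = errors.New("challenge expired")
var ErrBadSignature = errors.New("signature does not verify")

// Challenge is what the backend hands the wallet: a random nonce, the user it was
// issued for and a short expiry. None of it is secret.
type Challenge struct {
	UserID  string
	Nonce   string
	Expires time.Time
}

// challengeBytes is the exact message the wallet signs and the backend verifies. The
// prefix is a hypothetical domain separator so a login signature cannot double as one over some other message.
func challengeBytes(c Challenge) []byte {
	return []byte("pteri-auth-v1\n" + c.UserID + "\n" + c.Nonce + "\n" + strconv.FormatInt(c.Expires.Unix(), 10))
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// WalletSign is the device side, run once its biometric prompt succeeds. The private key stays on the device.
func WalletSign(priv ed25519.PrivateKey, c Challenge) []byte {
	return ed25519.Sign(priv, challengeBytes(c))
}

// Backend holds wallet public keys and unconsumed challenges, never a wallet private key.
// Single-threaded for brevity; a real service needs a lock or an atomic delete in its challenge store.
type Backend struct {
	pubKeys    map[string]ed25519.PublicKey // userID -> registered wallet public key
	challenges map[string]Challenge         // nonce -> challenge not yet consumed
	sessionKey []byte                       // backend-owned HMAC key for its own session tokens
	TTL        time.Duration
	Now        func() time.Time // injectable clock so expiry can be exercised
}

func NewBackend() *Backend {
	return &Backend{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string]Challenge{},
		sessionKey: randomBytes(32), TTL: 2 * time.Minute, Now: time.Now}
}

// Register records a user's wallet public key; enrolment itself is out of scope here.
func (b *Backend) Register(userID string, pk ed25519.PublicKey) { b.pubKeys[userID] = pk }

// NewChallenge is challenge generation: 256 random bits plus a short expiry, remembered until used.
func (b *Backend) NewChallenge(userID string) Challenge {
	c := Challenge{UserID: userID, Nonce: hex.EncodeToString(randomBytes(32)), Expires: b.Now().Add(b.TTL)}
	b.challenges[c.Nonce] = c
	return c
}

// Verify forgets the challenge on first presentation, signature good or bad, so a captured signature cannot be replayed.
func (b *Backend) Verify(userID, nonce string, sig []byte) (string, error) {
	c, ok := b.challenges[nonce]
	delete(b.challenges, nonce) // single use, no matter what follows
	if !ok || c.UserID != userID {
		return "", ErrUnknownChallenge
	}
	if b.Now().After(c.Expires) {
		return "", ErrExpired
	}
	if pk := b.pubKeys[userID]; len(pk) == 0 || !ed25519.Verify(pk, challengeBytes(c), sig) {
		return "", ErrBadSignature
	}
	return b.issueSession(userID), nil
}

// issueSession mints the backend's own bearer token, "userID|expiry.mac", under a key only the backend knows.
func (b *Backend) issueSession(userID string) string {
	payload := userID + "|" + strconv.FormatInt(b.Now().Add(time.Hour).Unix(), 10)
	mac := hmac.New(sha256.New, b.sessionKey)
	mac.Write([]byte(payload))
	return payload + "." + hex.EncodeToString(mac.Sum(nil))
}

// Login runs the whole sequence once: challenge, approve and sign, verify, session.
func Login(b *Backend, priv ed25519.PrivateKey, userID string) (string, error) {
	c := b.NewChallenge(userID)
	return b.Verify(userID, c.Nonce, WalletSign(priv, c))
}
```

Two design choices are worth noting. `Verify` deletes the challenge before it looks at the signature, so a nonce is burned even by a failed attempt and an attacker cannot keep retrying against the same one. And the session token is derived from a key the backend alone holds, not from the wallet signature, so the signature is useful exactly once and nothing reusable is stored server-side.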
Last updated 4 days ago