# 4.2 Authentication Flow

This is the **canonical authentication flow** used throughout PTERI.

Every login, approval, or authorization is a variation of this sequence.

***

#### Step-by-step flow

1. The application requests authentication
2. The backend generates a challenge
   * Random nonce
   * Short expiry
3. The wallet receives the challenge
4. The user approves via biometrics
5. The wallet signs the challenge
6. The signature is sent to the backend
7. The backend verifies the signature
8. The backend issues its own session or JWT

At no point does the backend:

* Receive a secret
* Store reusable credentials
* Gain signing authority
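The flow above, together with the single-use and short-expiry properties of the challenge, as an added Go example (not PTERI's own code). The Ed25519 key type, the 32-byte nonce, the in-memory challenge store and the user name are assumptions, and the wallet's public key is assumed to have been enrolled with the backend beforehand.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Backend holds only enrolled public keys and live challenges, never a private key.
type Backend struct {
	Keys    map[string]ed25519.PublicKey // user -> wallet public key (enrollment assumed done)
	pending map[string]time.Time         // outstanding nonce -> expiry, deleted on first use
}

func NewBackend() *Backend { return &Backend{map[string]ed25519.PublicKey{}, map[string]time.Time{}} }

// NewChallenge is step 2: 32 random bytes the backend will accept once, and only within ttl.
func (b *Backend) NewChallenge(ttl time.Duration) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	b.pending[string(nonce)] = time.Now().Add(ttl)
	return nonce, nil
}

// Verify is step 7: nonce must be outstanding, unexpired and signed by user's enrolled key; step 8 (the session) is the caller's.
func (b *Backend) Verify(user string, nonce, sig []byte) error {
	exp, ok := b.pending[string(nonce)]
	delete(b.pending, string(nonce)) // single-use: consumed on first presentation, valid or not
	if !ok || time.Now().After(exp) {
		return fmt.Errorf("challenge unknown, already used, or expired")
	}
	if pk, ok := b.Keys[user]; !ok || !ed25519.Verify(pk, nonce, sig) {
		return fmt.Errorf("signature does not verify for %q", user)
	}
	return nil
}

// WalletSign stands in for steps 4-5: after approval the wallet signs with a key that never leaves it.
func WalletSign(priv ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(priv, nonce) }

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	b := NewBackend()
	b.Keys["alice"] = pub // enrollment, assumed to have happened out of band
	nonce, _ := b.NewChallenge(30 * time.Second)
	sig := WalletSign(priv, nonce)
	fmt.Println(b.Verify("alice", nonce, sig), "|", b.Verify("alice", nonce, sig)) // first use passes, replay fails
}
```

The backend consumes the nonce before it checks anything else, so a failed attempt cannot be retried against the same challenge and the server still ends the flow holding nothing that could be reused.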

***

#### Why this works

* Challenges are single-use and short-lived
* Signatures are bound to one challenge, so they cannot be replayed
* Authority is proven, not assumed
* A compromised server cannot impersonate users, because it never holds a signing key

> Authentication becomes a **cryptographic event**, not a credential exchange.
