To safely share stored signatures with third parties, we can implement a private endpoint to retrieve signatures. This new endpoint should be a POST request with the following JSON body:
The /getSignatures endpoint filters and returns all signatures that are newer than the specified number of hours old and belong to validators with the given network and tag.
Authentication
The /getSignatures endpoint should not be accessible by anyone. It is protected by an authentication middleware that uses JWT tokens.
How authentication works
A JWT token, such as eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IkpvaG5Eb2UiLCJleHAiOjE3MTY5OTk5OTksImlzcyI6InRlc3QtYXBwIn0.VB7fHy0c0YXwG0V9hHBK0Hrft0hCVxZ70hBRGMbXodg, is signed with a private key.
The API service reads from a /jwt directory where 256-bit secret keys for the allowed JWT tokens are stored. Each key is in a file named according to the tag it is allowed to access. For example, the secret key for stader's JWT is stored in /jwt/stader.
The caller must include an "Authorization" header with the value Bearer <jwtToken> when asking for /getSignatures.
When /getSignatures is called by stader, the API checks if stader's private key is inside the /jwt directory, and if stader is asking for signatures with tag = stader. If either of these is not true, return unauthorized. We should not share signatures from one 3rd party with another, for example, signatures with tag "rocketpool" with stader.
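As an added illustration (not code from this issue or the project), here is a stdlib-only Python sketch of the middleware check described above: the tag in the request selects the key file under the /jwt directory, the bearer token must verify as HS256 under that key, and a token minted for one tag therefore cannot retrieve another tag's signatures. It assumes each key file holds the raw 32-byte secret; the function names, the temporary key directory and the sample tokens are constructed for this example.

```python
import base64, hashlib, hmac, json, os, pathlib, re, tempfile, time

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256(payload: dict, key: bytes) -> str:
    head = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')  # only used to build sample tokens for demo()
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes):
    # Returns the payload if the HMAC verifies under `key` and exp is still in the future, else None.
    try:
        h, b, s = token.split(".")
        header, payload = json.loads(b64url_decode(h)), json.loads(b64url_decode(b))
        sig = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if not (isinstance(header, dict) and isinstance(payload, dict)) or header.get("alg") != "HS256":
        return None  # algorithm is pinned server-side; the token's own alg field is never trusted
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    exp = payload.get("exp")  # exp is required and compared against the server clock
    if not hmac.compare_digest(expected, sig) or not isinstance(exp, (int, float)) or exp <= time.time():
        return None
    return payload

def authorize(auth_header, requested_tag: str, key_dir: str) -> bool:
    # The key file is selected by the *requested* tag, so a token can only pass for its own tag.
    if not auth_header or not auth_header.startswith("Bearer "):
        return False
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", requested_tag):  # refuse '../x' before any path use
        return False
    key_path = pathlib.Path(key_dir, requested_tag)
    if not key_path.is_file():  # no key file for this tag: unauthorized
        return False
    key = key_path.read_bytes().strip()  # assumed: the file holds the raw 32-byte secret
    return verify_hs256(auth_header[len("Bearer "):].strip(), key) is not None

def demo() -> dict:  # constructed scenario: key files for two tags, one token minted with stader's key
    key_dir = tempfile.mkdtemp()
    keys = {tag: os.urandom(32) for tag in ("stader", "rocketpool")}
    for tag, k in keys.items():
        pathlib.Path(key_dir, tag).write_bytes(k)
    hdr = "Bearer " + mint_hs256({"iss": "stader", "exp": time.time() + 3600}, keys["stader"])
    return {"own_tag": authorize(hdr, "stader", key_dir), "cross_tag": authorize(hdr, "rocketpool", key_dir),
            "unknown_tag": authorize(hdr, "lido", key_dir), "traversal": authorize(hdr, "../stader", key_dir)}
```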