Sep45ChallengeResponse
Response from a SEP-45 challenge request.
The server returns this response when a client requests a challenge for contract account authentication. The response contains a base64-encoded XDR array of SorobanAuthorizationEntry objects that the client must validate and sign.
Unlike SEP-10, which uses transaction XDR, SEP-45 uses authorization entries that contain invocations of the web_auth_verify function on the server's web auth contract.
Workflow:
1. Client requests challenge via GET to WEB_AUTH_FOR_CONTRACTS_ENDPOINT
2. Server returns Sep45ChallengeResponse with authorization entries XDR
3. Client validates the challenge (critical security step)
4. Client signs the validated authorization entries
5. Client submits signed entries back to server
6. Server returns JWT token
Example response JSON:
{
  "authorization_entries": "AAAAAQAAAA...base64...==",
  "network_passphrase": "Test SDF Network ; September 2015"
}

Note: Some servers may return camelCase field names (authorizationEntries, networkPassphrase). Use fromJson for robust parsing that handles both formats.
Security considerations:
Always validate the challenge before signing (use WebAuthForContracts.validateChallenge())
Verify the server signature matches the stellar.toml SIGNING_KEY
Ensure contract address matches WEB_AUTH_CONTRACT_ID from stellar.toml
Verify function name is web_auth_verify
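
The following Python example is added here and is not code from the SDK or from this page. It shows checks a client can run on the raw response before passing it to challenge validation: it accepts both field-name styles and confirms that the base64 payload is framed as a non-empty XDR array. The names parse_challenge_response and ChallengeError, the MAX_ENTRIES bound and the configured passphrase are assumptions for illustration, and the checks do not replace WebAuthForContracts.validateChallenge().

```python
import base64
import binascii
import json
import struct

# Assumption: the network this client is configured for (value from the page's example).
EXPECTED_PASSPHRASE = "Test SDF Network ; September 2015"
MAX_ENTRIES = 16  # assumed sanity bound, not a value taken from SEP-45


class ChallengeError(ValueError):
    """Raised when the challenge response fails a pre-signing check."""


def parse_challenge_response(body: str, expected_passphrase: str = EXPECTED_PASSPHRASE):
    """Return (xdr_bytes, entry_count) or raise ChallengeError."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ChallengeError(f"response is not JSON: {exc}") from exc
    if not isinstance(doc, dict):
        raise ChallengeError("response is not a JSON object")

    # Accept snake_case first, then the camelCase variant some servers send.
    entries_b64 = doc.get("authorization_entries", doc.get("authorizationEntries"))
    passphrase = doc.get("network_passphrase", doc.get("networkPassphrase"))
    if not isinstance(entries_b64, str) or not entries_b64:
        raise ChallengeError("missing authorization entries")

    # A mismatch means client and server are configured for different networks.
    if passphrase is not None and passphrase != expected_passphrase:
        raise ChallengeError("network passphrase mismatch")

    try:
        raw = base64.b64decode(entries_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ChallengeError("authorization entries are not valid base64") from exc

    # XDR variable-length array: 4-byte big-endian count, elements padded to 4 bytes.
    if len(raw) < 4 or len(raw) % 4:
        raise ChallengeError("XDR payload is truncated or misaligned")
    (count,) = struct.unpack(">I", raw[:4])
    if not 1 <= count <= MAX_ENTRIES:
        raise ChallengeError(f"implausible entry count: {count}")
    # Each entry needs at least its 4-byte credentials discriminant.
    if len(raw) < 4 + 4 * count:
        raise ChallengeError("XDR payload too short for declared count")
    return raw, count
```

The returned bytes are only known to be well-framed; the contract address, function name and server signature checks listed above still have to pass before anything is signed.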