WebAuthenticator

public final class WebAuthenticator : Sendable

Implements SEP-0010 - Stellar Web Authentication.

This class provides functionality for authenticating users through the Stellar Web Authentication protocol, which allows clients to prove they possess the signing key for a Stellar account. The authentication flow returns a JWT token that can be used for subsequent requests to SEP-compliant services (SEP-6, SEP-12, SEP-24, SEP-31).

SEP-0010 defines a standard protocol for proving account ownership without transmitting secret keys. The server generates a challenge transaction that the client signs with their account’s signing key, proving ownership without revealing the secret key itself.

Typical Workflow

Initialize from Domain: Create a WebAuthenticator instance using the anchor’s stellar.toml
Get JWT Token: Request and obtain a JWT token for authentication
Use Token: Include the JWT token in subsequent SEP service requests

Example Usage

// Step 1: Create WebAuthenticator from anchor domain
let result = await WebAuthenticator.from(
    domain: "https://testanchor.stellar.org",
    network: .testnet
)

switch result {
case .success(let webAuth):
    // Step 2: Get JWT token for user account
    let userKeyPair = try KeyPair(secretSeed: "S...")
    let jwtResult = await webAuth.jwtToken(
        forUserAccount: userKeyPair.accountId,
        signers: [userKeyPair],
        homeDomain: "testanchor.stellar.org"
    )

    switch jwtResult {
    case .success(let jwtToken):
        // Step 3: Use JWT token for SEP-24, SEP-6, SEP-12, etc.
        print("JWT Token: \(jwtToken)")
    case .failure(let error):
        print("JWT token error: \(error)")
    }
case .failure(let error):
    print("WebAuth initialization error: \(error)")
}

Advanced Features

Multi-Signature Accounts:

// Provide multiple signers for accounts requiring multiple signatures
let signers = [keyPair1, keyPair2, keyPair3]
let result = await webAuth.jwtToken(
    forUserAccount: accountId,
    signers: signers
)

Muxed Accounts:

// For muxed accounts starting with M, provide memo
let result = await webAuth.jwtToken(
    forUserAccount: "M...",
    memo: 12345,
    signers: [keyPair]
)

Client Domain Signing:

// For client domain verification (mutual authentication)
let clientDomainKeyPair = try KeyPair(accountId: "G...")
let result = await webAuth.jwtToken(
    forUserAccount: userAccountId,
    signers: [userKeyPair],
    clientDomain: "wallet.example.com",
    clientDomainAccountKeyPair: clientDomainKeyPair,
    clientDomainSigningFunction: { txXdr in
        // Sign on server and return signed transaction
        return try await signOnServer(txXdr)
    }
)

Authentication Flow Details

The SEP-0010 authentication process involves:

Client requests a challenge transaction from the server
Server returns a transaction with specific operations and time bounds
Client validates the challenge transaction
Client signs the transaction with their account key(s)
Client submits the signed transaction to the server
Server validates signatures and returns a JWT token

The JWT token typically expires after 24 hours and must be refreshed.

Error Handling

let result = await webAuth.jwtToken(forUserAccount: accountId, signers: signers)
switch result {
case .success(let token):
    // Use token
case .failure(let error):
    switch error {
    case .requestError(let horizonError):
        // Network or server error
    case .validationErrorError(let validationError):
        // Challenge validation failed
    case .signingError:
        // Transaction signing failed
    case .parsingError(let parseError):
        // Response parsing failed
    }
}

Security Considerations

Never transmit secret keys to the server
Validate the challenge transaction before signing
Check time bounds to prevent replay attacks
Store JWT tokens securely
Refresh tokens before expiration

Declaration

Swift

public static func from(domain: String, network: Network, secure: Bool = true) async -> WebAuthenticatorForDomainEnum

Parameters

`domain`	The anchor’s domain (e.g., “testanchor.stellar.org”)
`network`	The Stellar network to use (.public, .testnet, or .futurenet)
`secure`	Whether to use HTTPS (true) or HTTP (false). Default is true.

Return Value

WebAuthenticatorForDomainEnum indicating success with WebAuthenticator instance or failure with error

Show on GitHub


                    
                    
                    init(authEndpoint:network:serverSigningKey:serverHomeDomain:)

Initializes a WebAuthenticator instance with explicit configuration parameters.

Declaration

Swift

public init(authEndpoint: String, network: Network, serverSigningKey: String, serverHomeDomain: String)

Parameters

`authEndpoint`	Endpoint to be used for the authentication procedure. Usually taken from stellar.toml.
`network`	The network used.
`serverSigningKey`	The server public key, taken from stellar.toml.
`serverHomeDomain`	The server home domain of the server where the stellar.toml was loaded from

Show on GitHub


                    
                    
                    jwtToken(forUserAccount:memo:signers:homeDomain:clientDomain:clientDomainAccountKeyPair:clientDomainSigningFunction:)

Asynchronous

Obtains a JWT token through the SEP-0010 authentication flow.

This method handles the complete authentication workflow: requesting a challenge from the server, validating it, signing it with the provided keypairs, and submitting it to receive a JWT token. The returned token can be used for authenticating with SEP-6, SEP-12, SEP-24, SEP-31, and other services.

Example:

let userKeyPair = try KeyPair(secretSeed: "S...")
let result = await webAuth.jwtToken(
    forUserAccount: userKeyPair.accountId,
    signers: [userKeyPair],
    homeDomain: "testanchor.stellar.org"
)

Declaration

Swift

public func jwtToken(forUserAccount accountId: String, memo: UInt64? = nil, signers: [KeyPair], homeDomain: String? = nil, clientDomain: String? = nil, clientDomainAccountKeyPair: KeyPair? = nil, clientDomainSigningFunction: ((String) async throws -> String)? = nil) async -> GetJWTTokenResponseEnum

Parameters

`forUserAccount`	The Stellar account ID (starting with G or M) to authenticate
`memo`	ID memo for the account. Required if the account is muxed (starts with M) and accountId starts with G
`signers`	Array of KeyPair objects with secret keys for signing the challenge. For multi-sig accounts, include all required signers
`homeDomain`	The anchor’s domain hosting the stellar.toml file. Optional but recommended
`clientDomain`	Domain of the client application for mutual authentication. Used to prove the client’s identity to the server
`clientDomainAccountKeyPair`	KeyPair for client domain signing. If it includes a private key, it will be used directly. If only public key, use clientDomainSigningFunction
`clientDomainSigningFunction`	Function for remote client domain signing. Accepts base64 XDR transaction, returns signed transaction. Use when client domain signing occurs on a server

Return Value

GetJWTTokenResponseEnum with JWT token on success or error details on failure

Show on GitHub


                    
                    
                    getChallenge(forAccount:memo:homeDomain:clientDomain:)

Asynchronous

Requests a SEP-10 challenge transaction from the authentication server.

Declaration

Swift

public func getChallenge(forAccount accountId: String, memo: UInt64? = nil, homeDomain: String? = nil, clientDomain: String? = nil) async -> ChallengeResponseEnum

Parameters

`forAccount`	The Stellar account ID to authenticate
`memo`	Optional ID memo. Required for muxed accounts starting with G, prohibited for accounts starting with M
`homeDomain`	Optional anchor domain for verification
`clientDomain`	Optional client domain for mutual authentication

Return Value

ChallengeResponseEnum with base64-encoded challenge transaction or error

Show on GitHub


                    
                    
                    isValidChallenge(transactionEnvelopeXDR:userAccountId:memo:serverSigningKey:clientDomainAccount:timeBoundsGracePeriod:)

Validates a SEP-10 challenge transaction according to protocol specifications.

Declaration

Swift

public func isValidChallenge(transactionEnvelopeXDR: TransactionEnvelopeXDR, userAccountId: String, memo: UInt64? = nil, serverSigningKey: String, clientDomainAccount: String? = nil, timeBoundsGracePeriod: UInt64? = nil) -> ChallengeValidationResponseEnum

Parameters

`transactionEnvelopeXDR`	The challenge transaction envelope to validate
`userAccountId`	The expected user account ID
`memo`	Expected memo value for non-muxed accounts
`serverSigningKey`	The server’s public signing key
`clientDomainAccount`	Expected client domain account for mutual authentication
`timeBoundsGracePeriod`	Grace period in seconds for time bounds validation

Return Value

ChallengeValidationResponseEnum indicating success or specific validation error

Show on GitHub


                    
                    
                    signTransaction(transactionEnvelopeXDR:keyPairs:)

Signs a challenge transaction with the provided keypairs.

Declaration

Swift

public func signTransaction(transactionEnvelopeXDR: TransactionEnvelopeXDR, keyPairs: [KeyPair]) -> String?

Parameters

`transactionEnvelopeXDR`	The transaction envelope to sign
`keyPairs`	Array of keypairs to sign the transaction with

Return Value

Base64-encoded signed transaction XDR, or nil if signing fails

Show on GitHub


                    
                    
                    sendCompletedChallenge(base64EnvelopeXDR:)

Asynchronous

Submits a signed challenge transaction to the authentication server to obtain a JWT token.

Declaration

Swift

public func sendCompletedChallenge(base64EnvelopeXDR: String) async -> SendChallengeResponseEnum

Parameters


                                base64EnvelopeXDR

Base64-encoded signed transaction envelope

Return Value

SendChallengeResponseEnum with JWT token on success or error details on failure

Show on GitHub