Authentication Process
Pear Protocol uses a combination of EIP-712 wallet signature-based authentication and JWT to verify user identity without requiring passwords. This guide outlines the high-level integration process for any client application.
1. Get EIP-712 Message to Sign - The client application should request an EIP-712 message from the Pear Protocol server using the GET EIP-712 Message API.
2. Sign the EIP-712 Message - The user signs the EIP-712 message using their wallet. This signature proves ownership of the wallet.
3. Send Signature to Pear Protocol - The client application sends the signed EIP-712 message to the Pear Protocol server using the POST Authenticate API.
4. Receive JWT Tokens - If the signature is valid, the Pear Protocol server responds with a set of JWT tokens, including an access token and a refresh token. The access token is used for authenticated requests, while the refresh token is used to obtain a new access token when the current one expires. By default, the access token is valid for 15 minutes, and the refresh token is valid for 30 days.
5. Store Tokens Securely - The client application should securely store the JWT tokens, typically in memory or a secure storage solution, to use for subsequent authenticated requests.
6. Use Access Token for Authenticated Requests - For all subsequent requests, the client application should include the access token in the Authorization header as a Bearer token to authenticate with the Pear Protocol server.
Example Authorization header:
Authorization: Bearer <access_token>
Client ID
When calling the Get EIP-712 Message and Authenticate APIs, you must include the Client ID in the request body.
If you are an individual trader, please use APITRADER as your Client ID. If you are building a product on top of our API, please contact us to obtain your own Client ID. This identifier allows us to associate requests with your application, track usage volume and partner-specific data, and provide tailored features.
Refresh Token
If the access token expires, the client application can use the refresh token to obtain a new access token by calling the POST Refresh Token API. This allows the user to stay authenticated without signing in again.
Logout
When the user logs out, the client application should clear the stored JWT tokens and call the POST Logout API, providing the refresh token to invalidate the session on the server side. This ensures that the tokens cannot be used after logout.
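The steps above, together with the Refresh Token and Logout sections, as an added client-side example that is not Pear Protocol's own code. The endpoint paths, JSON field names and the transport/signer interfaces are assumptions (the docs name the APIs but not their wire format); the HTTP transport and the wallet's typed-data signer are injected so the lifecycle can be exercised against a fake server.

```javascript
// Added example, not Pear Protocol's own SDK. Endpoint paths, JSON field names and the
// transport/signer interfaces are assumptions: the docs name the APIs but not their wire
// format. Both are injected so the whole lifecycle can be exercised offline against a fake.
const ACCESS_TTL_MS = 15 * 60 * 1000;   // default access-token lifetime stated in the docs
const REFRESH_SKEW_MS = 30 * 1000;      // refresh a little before the token actually expires

class PearAuthClient {
  constructor({ clientId, transport, signTypedData, now = () => Date.now() }) {
    this.clientId = clientId;             // e.g. APITRADER for an individual trader
    this.transport = transport;           // async (method, path, body, headers) => parsed JSON
    this.signTypedData = signTypedData;   // async (eip712Message) => signature, i.e. the wallet
    this.now = now;
    this.tokens = null;                   // kept in memory only; never written to localStorage
  }

  async login() {
    // 1. Request the EIP-712 message; the Client ID goes in the request body (per the docs).
    const message = await this.transport('GET', '/auth/eip712-message', { clientId: this.clientId });
    // 2. The wallet signs the typed data, proving ownership of the address.
    const signature = await this.signTypedData(message);
    // 3-4. Exchange the signature for the JWT pair and store it.
    this.storeTokens(await this.transport('POST', '/auth/authenticate',
      { clientId: this.clientId, message, signature }));
  }

  storeTokens({ accessToken, refreshToken }) {
    this.tokens = { accessToken, refreshToken, accessExpiresAt: this.now() + ACCESS_TTL_MS };
  }

  accessTokenExpired() {
    return this.now() >= this.tokens.accessExpiresAt - REFRESH_SKEW_MS;
  }

  // Refresh Token: trade the long-lived refresh token for a fresh access token.
  async refresh() {
    this.storeTokens(await this.transport('POST', '/auth/refresh', { refreshToken: this.tokens.refreshToken }));
  }

  // 5. Every authenticated call carries "Authorization: Bearer <access_token>",
  //    refreshing transparently when the access token is about to expire.
  async request(method, path, body) {
    if (!this.tokens) throw new Error('not authenticated: call login() first');
    if (this.accessTokenExpired()) await this.refresh();
    return this.transport(method, path, body, { Authorization: `Bearer ${this.tokens.accessToken}` });
  }

  // Logout: drop the tokens locally, then invalidate the session server-side.
  async logout() {
    const { refreshToken } = this.tokens;
    this.tokens = null;
    await this.transport('POST', '/auth/logout', { refreshToken });
  }
}
```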