Authentication
Most endpoints in the Universal Account API require authentication using JSON Web Tokens (JWT).
Authentication Flow
- Authenticate using one of the available methods:
  - Web3 wallet signature
  - Telegram
  - Email OTP
  - OAuth providers (Google, Facebook, Twitter)
- Receive a response containing:
  - accessToken - For immediate API access
  - refreshToken - For obtaining new access tokens
  - Expiration information for both tokens
- Include the access token in subsequent API requests:
  Authorization: Bearer your_access_token_here
Token Refresh
When your access token expires, use the refresh token to obtain a new one:
POST /auth/refresh
Content-Type: application/json

{
  "refreshToken": "your_refresh_token_here"
}
Authentication Headers
Many endpoints require the following common headers:
Header | Description | Example |
---|---|---|
x-signature | Request signature | 0x7ecd083ed2dde6a207d54e1cd61d24212a212e3f071a06b6e21c21a4ab0047f928ceda7ff2cee0571bd303a14adb7da6e8a26110cca65c52465b9f646857a5f31c |
x-timestamp | Timestamp | 1738835261567 |
origin | Domain origin | http://localhost:3003/ |
x-api-key | API Key | pk_1234567890abcdef |
Security Considerations
- Always transmit tokens over HTTPS
- Store tokens securely in your application
- Implement proper token expiration handling
- Never share tokens or include them in client-side code
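
One way to implement the expiration handling and the `POST /auth/refresh` call described above, as an added example that is not code from the Universal Account API project. It assumes the access token is a JWT with a standard `exp` claim and that the refresh response carries `accessToken` and `refreshToken`; `jwtExpiryMs`, `TokenSession` and the `post` transport are hypothetical names.

```javascript
// Added example: server-side session helper for the refresh flow.
// Assumptions (not from the API docs): the access token is a JWT carrying a
// standard `exp` claim, and POST /auth/refresh returns { accessToken, refreshToken }.

// Read `exp` (seconds since epoch, RFC 7519) from a JWT payload, in ms.
// This is NOT signature verification; it is only used to schedule a refresh.
function jwtExpiryMs(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  if (typeof payload.exp !== 'number') throw new Error('JWT has no exp claim');
  return payload.exp * 1000;
}

class TokenSession {
  // `post(path, body)` is a hypothetical transport: it sends JSON over HTTPS
  // and resolves to the parsed JSON response.
  constructor({ accessToken, refreshToken, post, now = Date.now, skewMs = 30000 }) {
    Object.assign(this, { accessToken, refreshToken, post, now, skewMs });
    this.inFlight = null;
  }

  // True once the token is within `skewMs` of expiry (or already expired).
  needsRefresh() {
    return jwtExpiryMs(this.accessToken) - this.skewMs <= this.now();
  }

  // Single-flight: concurrent callers share one refresh, so the refresh
  // token is never submitted twice in parallel.
  refresh() {
    if (!this.inFlight) {
      this.inFlight = this.post('/auth/refresh', { refreshToken: this.refreshToken })
        .then((res) => {
          if (!res || typeof res.accessToken !== 'string') throw new Error('refresh failed');
          this.accessToken = res.accessToken;
          if (res.refreshToken) this.refreshToken = res.refreshToken;
        })
        .finally(() => { this.inFlight = null; });
    }
    return this.inFlight;
  }

  // Headers for the next API request, refreshing first when needed.
  async authHeaders() {
    if (this.needsRefresh()) await this.refresh();
    return { Authorization: `Bearer ${this.accessToken}` };
  }
}
```

Keep the session object in server-side memory or a secret store; the tokens it holds should not be logged or serialized into responses.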