Skip to main content
POST
/
v1
/
auth
/
session
Error
A valid request URL is required to generate request examples
{
  "address": "<string>",
  "csrf": "<string>",
  "created": true
}

Authorizations

aura_session
string
cookie
required

HttpOnly session cookie set by POST /v1/auth/session. Mutating requests must also send the CSRF token (returned by that call) in the x-csrf-token header.

Body

application/json
address
string
required

Alephium address (base58, optional :N group suffix).

Required string length: 30 - 80
Pattern: ^[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz:]+$
publicKey
string
required

Public key whose hash equals address (33-byte compressed, hex).

Pattern: ^(0x)?[0-9a-fA-F]+$
signature
string
required

Signature produced by signMessage(challenge, "alephium"). The Alephium WebAuthn blob for passkey wallets.

Pattern: ^(0x)?[0-9a-fA-F]+$
keyType
enum<string>
default:gl-webauthn

Wallet key type. gl-webauthn = passkey (the only type the app uses).

Available options:
default,
gl-webauthn
passkey
object

Passkey credential metadata, persisted to the account row on first sign-in.

challenge
string

The exact challenge text the assertion signed. Send this for passkey login (where the challenge was issued without an address); the server consumes it by text. Omit it when the challenge was issued for a known address (it is then consumed by address).

refererAddress
string | null

Optional referrer wallet, captured once on first registration. Ignored if it equals the caller or does not exist.

Required string length: 30 - 80
Pattern: ^[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz:]+$

Response

Default Response

address
string
required

Alephium address (base58, optional :N group suffix).

Required string length: 30 - 80
Pattern: ^[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz:]+$
csrf
string
required

CSRF token — send as the x-csrf-token header on mutating requests.

created
boolean
required

true when this call created a new account row.