Sign in / register by submitting a signed challenge.
Verifies the passkey assertion against the most recent unconsumed challenge for the address, creates or refreshes the account row, and sets an HttpOnly session cookie bound to the verified wallet. The CSRF token is returned in the body (echo it back in the x-csrf-token header on subsequent mutating requests) and also set as a readable cookie.
Authorizations
HttpOnly session cookie set by POST /v1/auth/session. Mutating requests must also send the CSRF token (returned by that call) in the x-csrf-token header.
Body
Alephium address (base58, optional :N group suffix).
Length: 30 - 80
Pattern: ^[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz:]+$
Public key whose hash equals address (33-byte compressed, hex).
Pattern: ^(0x)?[0-9a-fA-F]+$
Signature produced by signMessage(challenge, "alephium"). The Alephium WebAuthn blob for passkey wallets.
Pattern: ^(0x)?[0-9a-fA-F]+$
Wallet key type. gl-webauthn = passkey (the only type the app uses).
Allowed values: default, gl-webauthn
Passkey credential metadata, persisted to the account row on first sign-in.
The exact challenge text the assertion signed. Send this for passkey login (where the challenge was issued without an address); the server consumes it by text. Omit it when the challenge was issued for a known address (it is then consumed by address).
Optional referrer wallet, captured once on first registration. Ignored if it equals the caller or does not exist.
Length: 30 - 80
Pattern: ^[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz:]+$
Response
Default Response
Alephium address (base58, optional :N group suffix).
Length: 30 - 80
Pattern: ^[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz:]+$
CSRF token: send as the x-csrf-token header on mutating requests.
true when this call created a new account row.
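A client-side pre-flight check for the request body described above, as an added example that is not part of this API's own code. The JSON field names (address, publicKey, signature, keyType, challenge) and which fields are required are assumptions, since the page gives only descriptions and constraints; the byte-length checks are deliberately stricter than the documented hex pattern, which by itself accepts any number of hex digits.

```javascript
// Added example. Field names and required/optional status are assumptions;
// the patterns, length range and key-type values are the ones documented above.
const ADDRESS_RE = /^[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz:]+$/;
const HEX_RE = /^(0x)?[0-9a-fA-F]+$/;
const KEY_TYPES = ["default", "gl-webauthn"];

// Byte length of a hex string with optional 0x prefix; NaN for an odd digit count.
function hexByteLength(hex) {
  const digits = hex.startsWith("0x") ? hex.slice(2) : hex;
  return digits.length % 2 === 0 ? digits.length / 2 : NaN;
}

// Returns a list of problems; an empty list means the body passes every check.
function validateSessionBody(body) {
  const errors = [];
  const { address, publicKey, signature, keyType, challenge } = body;
  if (typeof address !== "string" || address.length < 30 || address.length > 80 || !ADDRESS_RE.test(address)) {
    errors.push("address: must be 30-80 characters of the documented alphabet");
  }
  if (typeof publicKey !== "string" || !HEX_RE.test(publicKey)) {
    errors.push("publicKey: not hex");
  } else if (hexByteLength(publicKey) !== 33) {
    errors.push("publicKey: must decode to 33 bytes (compressed)");
  }
  if (typeof signature !== "string" || !HEX_RE.test(signature) || Number.isNaN(hexByteLength(signature))) {
    errors.push("signature: must be whole-byte hex");
  }
  if (keyType !== undefined && !KEY_TYPES.includes(keyType)) {
    errors.push("keyType: must be default or gl-webauthn");
  }
  if (challenge !== undefined && (typeof challenge !== "string" || challenge.length === 0)) {
    errors.push("challenge: must be the exact signed text when present");
  }
  return errors;
}

// Headers for a later mutating request. The session cookie is HttpOnly, so the
// browser attaches it; script code only echoes the CSRF token from the sign-in response.
function mutatingHeaders(csrfToken) {
  if (typeof csrfToken !== "string" || csrfToken.length === 0) throw new Error("missing CSRF token");
  return { "content-type": "application/json", "x-csrf-token": csrfToken };
}
```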

