How Spend Tokens work in SIGNUP DApp wallet

Written by SIGNUP, 3 years ago

About four months ago SIGNUP released an early version of its universal login platform, which Bitcoin Cash developers can use to write decentralized applications. The main benefit of SIGNUP compared to other solutions was that users don't need to install a browser extension for it, so user onboarding is easier and faster than before.

That version was a good prototype, but it was not very well designed and had some fundamental issues, such as not working well with privacy-preserving browsers like Brave or Safari. Since then we have done a full rewrite of our platform, and the new version is being tested these days and will ship soon!

There are many fundamental changes in the way we carry out transactions now. In this article we would like to describe how Spend Tokens work.

What are Spend Tokens?

Spend Tokens are cryptographically signed tokens that the SIGNUP wallet generates and sends to the web application. The application can use a Spend Token to perform arbitrary transactions on the user's wallet within the boundaries allowed by the user. Those boundaries are a maximum amount and an expiration time, after which the token is useless. Here is what it looks like when a web application requests a token from your wallet:

This wallet is just a popup inside your browser!

So as you can see, a website can ask you for a budget of $1.0 to be spent within 1 hour of the moment you give the permission. Even though there is $12 worth of BCH in your wallet, the app is not able to spend more than the allowed budget within the limited time. You can revoke the permission at any time you wish!

Why do we need it?

Sharing the private key with every application a user works with is very risky and not sustainable. Not only can your money be stolen; in many apps, such as social networks, your wallet is considered your identity as well. Sharing the same identity with different apps is similar to using the same password on every website you register on!
Other solutions to this issue require users to approve every transaction manually through a separate application or browser extension. That is slow and provides a bad user experience. Developers like to control the whole flow of user interactions on their website. Imagine a Facebook timeline where, for every "Like", you have to wait for a window to open and approve it. It's not innovative!

Spend Tokens allow you to trust applications with a very small amount of your money while keeping full custody of your private keys. At the same time you can observe the transactions the application is making and take back the permission at any time.

How are tokens technically made?

A Spend Token is made from a derivation of the user's private key and contains three sections: header, payload and signature (all encoded in base64 and concatenated). To protect the wallet's entropy from a possible vulnerability in the token itself, 32 bytes of the wallet's entropy are removed before the HS256 algorithm (HMAC + SHA256) is applied. This algorithm generates the hash that serves as the signature. This way, there is no access to the original wallet's entropy even if a future vulnerability in the token exposes the secret section of the signature.

The payload contains the expiration date and the allocated budget, so the token cannot be replayed at a future date by the application. SIGNUP's non-custodial wallet uses the payload to check whether a transaction request from the application is within the budget.

The token also follows JWT, a battle-tested internet standard. This token structure is familiar even to web developers who are new to crypto; they use such tokens to establish a temporary authorized session with a server. In SIGNUP, JWTs are generated in your browser and are not signed by a centralized server. We believe this is the first time this technology has been used in a non-custodial wallet!
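
The issue-and-check flow described above, as an added example (not SIGNUP's own code): a wallet issues an HS256 token carrying a budget and an expiry, then validates each spend request against it. The key-derivation label, the claim names (`budget`, `exp`), the satoshi units and all function names are assumptions made for illustration.

```javascript
// Added example; not SIGNUP's implementation. Names and claims are assumed.
const nodeCrypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");

// Assumption: the token key is a one-way derivation of the wallet secret,
// so a leaked token key does not reveal the wallet's entropy.
function deriveTokenKey(walletSecret) {
  return nodeCrypto.createHmac("sha256", walletSecret).update("spend-token-key").digest();
}

function mac(key, signingInput) {
  return nodeCrypto.createHmac("sha256", key).update(signingInput).digest();
}

// Wallet side: issue a token with a budget (satoshis) and a lifetime.
function issueSpendToken(key, budgetSats, ttlSeconds, nowSec) {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({ budget: budgetSats, exp: nowSec + ttlSeconds }));
  const input = `${header}.${payload}`;
  return `${input}.${b64url(mac(key, input))}`;
}

// Wallet side: decide whether a spend request presenting `token` is allowed.
// `spentSoFar` is tracked by the wallet, never taken from the application.
function authorizeSpend(key, token, amountSats, spentSoFar, nowSec) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [header, payload, sig] = parts;
  // Check the MAC in constant time before trusting any field.
  const expected = mac(key, `${header}.${payload}`);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected))
    return { ok: false, reason: "bad signature" };
  // Pin the algorithm instead of honouring whatever the header claims.
  const { alg } = JSON.parse(Buffer.from(header, "base64url").toString());
  if (alg !== "HS256") return { ok: false, reason: "unexpected alg" };
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString());
  if (nowSec >= claims.exp) return { ok: false, reason: "expired" };
  if (!Number.isSafeInteger(amountSats) || amountSats <= 0)
    return { ok: false, reason: "bad amount" };
  if (spentSoFar + amountSats > claims.budget)
    return { ok: false, reason: "over budget" };
  return { ok: true, remaining: claims.budget - spentSoFar - amountSats };
}
```

Revocation is not modelled here; a wallet would additionally keep a list of tokens the user has withdrawn and reject them before the budget check.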

Is it ready?

We are excited to be able to release version 1.0.0 this month. Join our Telegram group or follow @signupwallet on Twitter to stay in touch!


Comments

This sounds a little difficult because of too much directive to pass through.

$ 0.05
3 years ago

Thanks for reading. May you elaborate what is exactly difficult please?

$ 0.00
3 years ago

According to you the tokens in the web have a virility period and it has boundaries for maximum amount to be allowed ?

$ 0.00
3 years ago

Subscribe my profile please

$ 0.00
3 years ago

subscribed. please help me too🌹

$ 0.00
3 years ago

Subscribed done

$ 0.00
3 years ago

I hope you will make more like this because i love reading art

$ 0.00
3 years ago

Nice

$ 0.00
3 years ago

Great articles

$ 0.00
3 years ago

Thanks

$ 0.00
3 years ago

Very Useful Articles thanks

$ 0.00
3 years ago

Thank you for your information

$ 0.00
3 years ago

Nice

$ 0.00
3 years ago

Great informative article. Thanks for sharing.😍

$ 0.00
3 years ago

subscribe me. I'll subscribe back. let's help to grow each other

$ 0.00
3 years ago

This article is very important, keep sharing more of this

$ 0.00
3 years ago

Wow that it work. Post more bro

$ 0.00
3 years ago

Nice information. You can check this out if you want. Click here 👇👇👇

https://read.cash/@Cold3ndice/lets-talk-about-bank-of-tron-investment-plan-9fff060d

$ 0.00
3 years ago

Thanks for this very useful article, I hope you will make more like this because I love reading article

$ 0.00
3 years ago

useful article

$ 0.00
3 years ago