About four months ago SIGNUP released an early version of its universal login platform, which Bitcoin Cash developers can use to write decentralized applications. The main benefit of SIGNUP compared to other solutions was that users are not required to install a browser extension for it, so user onboarding is easier and faster than before.
That version was a good prototype, but it was not very well designed and had some fundamental issues, such as not working well with privacy-preserving browsers like Brave or Safari. Since then we did a full rewrite of our platform, and the new version is going through tests these days to be shipped soon!
There are many fundamental changes in the way we carry out transactions now. In this article we would like to describe how Spend Tokens work.
Spend Tokens are cryptographically signed tokens that the SIGNUP wallet generates and sends to the web application. The application can use the Spend Token to perform arbitrary transactions on the user's wallet within the boundaries allowed by the user. Those boundaries are a maximum amount and an expiration time, after which the token is useless. Here is what it looks like when a web application requests a token from your wallet:
So as you can see, a website can request a budget of $1.0 from you, to be spent within 1 hour of the moment you give the permission. Even though there is $12 worth of BCH in your wallet, the app is not able to spend more than the allowed budget within the limited time. You can take back the permission at any time you wish!
The practice of sharing the private key with every application that a user is using is very risky and not sustainable. Not only can your money be stolen; in many apps, such as social networks, your wallet is considered your identity as well. Sharing the same identity with different apps is similar to using the same password on every website you register on!
Other solutions to this issue require users to approve every transaction manually through a separate application or browser extension. That is slow and provides a bad user experience. Developers like to control the whole flow of user interactions on their website. Imagine a Facebook timeline where, for every "Like", you have to wait for a window to open and approve it. It's not innovative!
Spend Tokens allow you to trust applications with a very small amount of your money while keeping full custody of your private keys. At the same time you can observe the transactions the application is making and take back the permission at will.
Spend Tokens are made from a derivation of the user's private key and contain three sections: header, payload and signature (all encoded in base64 and concatenated). To protect the wallet's entropy from a possible vulnerability in the token itself, 32 bytes of the wallet's entropy are removed before the HS256 algorithm (HMAC + SHA256) is applied. This algorithm generates the hash that serves as the signature. This way, the original wallet entropy stays inaccessible even if a future vulnerability in the token exposes the secret section of the signature.
The payload contains the expiration date and the allocated budget, so the application cannot replay the token at a future date. SIGNUP's non-custodial wallet uses the payload to check whether a transaction request from the application is within the budget.
It also uses JWT, a battle-tested internet standard. This token structure is familiar even to web developers who are unfamiliar with crypto. Web developers use this kind of token to establish a temporary authorized session with a server. In SIGNUP, JWTs are generated in your browser and are not signed by a centralized server. We believe this is the first time this technology has been used in a non-custodial wallet!
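The token structure and the wallet-side check described above can be sketched as follows. This is an added example, not SIGNUP's code: the claim name `budget_sats`, the key derivation in `deriveTokenKey`, the wallet's running total `spentSats` and all sample values are assumptions made for illustration, and the segments use base64url as the JWT standard specifies.

```javascript
// Added illustration, not SIGNUP's code. Claim names (budget_sats, exp) and the
// key derivation below are assumptions; the page does not specify them.
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const sign = (key, data) => createHmac('sha256', key).update(data).digest();

// Assumed stand-in for the wallet's derivation: the HMAC key is a one-way
// derivative of the entropy, so the token never involves the entropy itself.
function deriveTokenKey(walletEntropy) {
  return createHmac('sha256', walletEntropy).update('spend-token-key').digest();
}

// Wallet side: mint header.payload.signature with a budget and an expiry.
function issueSpendToken(key, budgetSats, ttlSeconds, now) {
  const header = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64u(JSON.stringify({ budget_sats: budgetSats, exp: now + ttlSeconds }));
  const body = `${header}.${payload}`;
  return `${body}.${b64u(sign(key, body))}`;
}

// Wallet side: decide whether a spend request carrying the token is allowed.
// spentSats is the wallet's own running total for this token (assumed).
function authorizeSpend(key, token, amountSats, spentSats, now) {
  const parts = token.split('.');
  if (parts.length !== 3) return 'malformed';
  const [header, payload, sig] = parts;
  // Verify the MAC in constant time before parsing any claims.
  const expected = sign(key, `${header}.${payload}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return 'bad-signature';
  // Pin the algorithm instead of letting the header choose one.
  if (JSON.parse(Buffer.from(header, 'base64url')).alg !== 'HS256') return 'bad-alg';
  const claims = JSON.parse(Buffer.from(payload, 'base64url'));
  if (now >= claims.exp) return 'expired';
  if (!Number.isSafeInteger(amountSats) || amountSats <= 0) return 'bad-amount';
  if (spentSats + amountSats > claims.budget_sats) return 'over-budget';
  return 'ok';
}

// Constructed sample values: a 400000-satoshi budget valid for one hour.
const key = deriveTokenKey(Buffer.alloc(32, 7));
const t0 = 1700000000;
const token = issueSpendToken(key, 400000, 3600, t0);
console.log(authorizeSpend(key, token, 150000, 0, t0 + 60));      // ok
console.log(authorizeSpend(key, token, 300000, 150000, t0 + 60)); // over-budget
console.log(authorizeSpend(key, token, 1000, 0, t0 + 3600));      // expired
```

Because the budget and expiry sit inside the signed payload, an application that edits either value invalidates the signature, and the wallet rejects the request before it reads the claims.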