Eragon Authorization
Create authorization credentials
Log in to the Eragon developer portal to obtain an access token, then call this API with that token to create authorization credentials (an OIDC client registration) for your app.
Method: POST
URL: /oidc/reg
Header:
{
  "Authorization": "Bearer {accessToken}"
}
Body:
{
  "redirect_uris": string[],
  "client_name": string
}
Response:
{
  "application_type": "web",
  "response_types": [
    "code",
    "id_token"
  ],
  "client_id_issued_at": number,
  "client_id": string,
  "client_name": string,
  "client_secret_expires_at": number,
  "client_secret": string,
  "redirect_uris": string[],
  "developer": string
}
Construct the Authorization Request
To authenticate a user, redirect them to Eragon's authorization endpoint with the appropriate parameters.
URL: /oidc/auth
Required Parameters:
response_type=id_token: Requests an ID token in the response.
client_id: Your app's Client ID, as returned by the registration API above.
redirect_uri: The URI where Eragon will redirect the user after authentication (must exactly match one of the redirect_uris you registered).
scope: The permissions your app needs (e.g., openid email aptosAddress referrer).
nonce: A unique, random string to prevent replay attacks (e.g., a UUID or timestamp). Keep it in the user's session so you can compare it with the nonce claim in the returned ID token.
Example Authorization URL:
https://api.eragon.gg/oidc/auth?
  client_id=YOUR_CLIENT_ID&
  response_type=id_token&
  redirect_uri=https%3A%2F%2Fredirect.url&
  scope=openid%20email%20name%20picture&
  nonce=UNIQUE_NONCE_VALUE
Replace YOUR_CLIENT_ID with your actual Client ID.
Ensure the redirect_uri matches the one you registered.
Use URL-encoded spaces (%20) between scopes.
When the user visits this URL (e.g., by clicking a "Sign in with Eragon" button), Eragon will prompt them to log in and authorize your app.
Handle the Redirect and Extract the ID Token
After the user authenticates, Eragon redirects them to your redirect_uri with the ID token in the URL fragment.
Example Redirect URL:
https://yourapp.com/callback#id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6Ij...
The ID token is the value of the id_token parameter in the fragment (after the #).
Verify the ID Token
Before using the ID token, you must verify it to ensure it is valid and was issued by Eragon. The token is a JWT with three parts (header, payload, signature), and verification involves checking its authenticity. You can verify the token yourself by decoding it, fetching Eragon's public keys, and validating the signature and claims, or you can use Eragon's verification API described below.
Fetch Eragon's Public Keys:
Method: GET
URL: /oidc/jwks
Response:
{
"keys": [
{
"kty": "OKP",
"use": "sig",
"kid": "c66Fal5FhlGgvOjWx43X8L6Ce8EbdKC0U4b9Va_zKeY",
"alg": "EdDSA",
"crv": "Ed25519",
"x": "6ppvx7BpKu7Yq1hynCHSi_XHX8sb2bGu9NqN5l8STEo"
},
{
"kty": "EC",
"use": "sig",
"kid": "mb4zhCGVjCoZjai-O7imqFj15HYDyzLru9UkBo7wR3Y",
"alg": "ES256",
"crv": "P-256",
"x": "wtD9ezQtd2cCXY-bdWrGjmU8zyh51RXQ1YmeNSYa7qs",
"y": "gsql6JArBGvU9m4mzpwwSWVkBv2LgAdaJCM7IyKc87U"
},
{
"kty": "RSA",
"use": "sig",
"kid": "nINLgJHvQfUA5IIbqGhMm2FX9R6cLlbVK_6sQoArj30",
"e": "AQAB",
"n": "8r8r2p31J3ivB7jc5NXy8xrnV0myFIy9KTWkMdyD-uFBwLe2NaqY4VA6B0hjbEMvoy46plTFNqjbRBefKteg2Kf28AASs0LjxGeip8dlBds1L7-lA-p3wf7DaMjGR0YCbJxqQUNAQGaip0KQ7gkpVarqjx9Dr-PbbFSgkLMV2P1Vx_Dq46lzT5-EHTlzVfUWQ8oHEnAwTYgXUbFBkjKHePULyf9jxGHc4P-7K9ZhXwLbwfsifYBq51L82tOe0vZ4dY8TCgA5O15_85kVIIC_GheuLpvR9w0lYYXZqKxiZrsYjicT8DeTRNAv2IoWTAXqnFXPlNvKm2LB4vrJi1kTYw"
}
]
}
Each key has a kid (key ID) that matches the kid in the token's header. Select the key by that kid and verify the signature with the alg the key advertises; reject tokens whose header alg does not match.
Using Eragon's verification API (optional):
Method: GET
URL: /:id_token/verify
Response:
{
"envelope": {
"alg": "RS256",
"typ": "JWT",
"kid": "nINLgJHvQfUA5IIbqGhMm2FX9R6cLlbVK_6sQoArj30"
},
"payload": {
"sub": string,
"aptosAddress": string,
"_id": string,
"email": string,
"name": string,
"picture": string,
"nonce": string,
"aud": string,
"exp": 1742379973,
"iat": 1742376373,
"iss": "https://eragon.gg"
},
"verified": boolean,
"now": number
}
Check the following claims in the decoded payload:
iss (issuer): Must be "https://eragon.gg".
aud (audience): Must match your client_id.
exp (expiration): Must be greater than the current timestamp (in seconds).
nonce (if included): Must match the nonce you sent in the authorization request.