The Developer SDKs have functions related to authentication that can expedite the process. You can likely skip this step if you are using the SDKs.
Authentication for DIMO works in 3 steps:
Generate Challenge: Generates a challenge and a state for a specific address.
Sign Challenge: To sign in to obtain a JSON Web Token to the API, the signer signs a cryptographic message, proving that they are the owner of the associated public key. This process is known as signing in with a digital signature.
Submit Challenge: The public key is then used to verify the user's digital signature and grant or deny access to the resources with the permissions set.
DIMO's implementation of the web3 signature mechanism for a backend application can be completed with the 3 steps below:
Space-separated list of scopes, this needs to be openid email
response_type*
String
This needs to be code.
address*
String
A hex-encoded, 0x-prefixed, 20-byte Ethereum address (case insensitive). This is the contract address of your Developer License as you are assuming the role of signer of the license. The value is essentially the same as the client_id.
{"state":"jot5csziknrzscg2wcbtgaofu", "challenge":"auth.dimo.zone wants you to sign in with your Ethereum account:\n<YOUR_ADDRESS>\n\n<host> is asking you sign in.\n\nURI: https://auth.dimo.zone\nVersion: 1\nChain ID: 1\nNonce: 4P8AfZTqj9QwDM8tKc2vfIqQogxpXK\nIssued At: 2024-01-08T15:31:15Z"
}
Step 2: Sign Challenge
You will need to format the challenge string from Step 1 to hex and prefix it with 0x, combine that with the enabled signer's private_key , in order to sign the Ethereum transaction and obtain a 65-byte signature.
To sign the challenge, you will need to use a library in your preferred programming language to sign Ethereum transactions and messages with local private keys. We have provided a few language examples as a starter:
import siwefrom siwe import SiweMessagefrom eth_account import Accountfrom eth_account.messages import encode_defunctfrom eth_utils.curried import to_bytesmsg ="<challenge>"private_key ="<private_key>"# No need to hexify when using siwe-py as the purpose of it is to help with formatting & verifying# This is the pure Python way: hex_msg = '0x' + msg.encode().hex()try:# Format the message message: SiweMessage =SiweMessage(message=msg) sn =encode_defunct(to_bytes(text=msg)) acct = Account.from_key(private_key)# Actual signing of the message sm = acct.sign_message(sn)print(sm)exceptValueErroras e:# Invalid messageprint("Authentication attempt rejected - invalid message.")except siwe.ExpiredMessage:print("Authentication attempt rejected - expired message.")except siwe.DomainMismatch:print("Authentication attempt rejected - domain mismatch.")except siwe.NonceMismatch:print("Authentication attempt rejected - nonce mismatch.")except siwe.MalformedSession as e:# e.missing_fields contains the missing information needed for validationprint("Authentication attempt rejected - malformed session.")except siwe.InvalidSignature:print("Authentication attempt rejected - invalid signature.")
{ message: 'auth.dimo.zone wants you to sign in with your Ethereum account:\n' + '0xf9D26323Ab49179A6d57C26515B01De018553666\n' + '\n' + 'app.dimo.zone is asking you sign in.\n' + '\n' + 'URI: https://auth.dimo.zone\n' + 'Version: 1\n' + 'Chain ID: 1\n' + 'Nonce: EXVgxuxMiNfdWzwIcQU4XZ79zzwX6L\n' + 'Issued At: 2024-01-22T15:34:47Z', messageHash: '0x293013bcae66e507384b791b35bd3701284b613887fc11d3a6debcde394c66db', v: '0x1c', r: '0xccd996ee0f2d18944034f29e5a9565158202d8d66194adcbe0c13eba96feb18e', s: '0x1783254ec656186cd1461693969c10aff0014f4690ee2f83781dbf8c4c657ef3', signature: '0xcbd996ee0f2d18944034f29e5a9565158202d8d66194adcbe0c13eba96feb18e1783254ec656186cd1461693969c10aff0014f4690ee2f83781dbf8c4a657ef31c'
}
{"status":400,"message":"Requested resource does not exist."}
Developer Notes
If you made it this far, you should have an access_token that you can use to access some DIMO API endpoints. For protected API endpoints such as Telemetry API, a 2nd permissions JWT described in Token Exchange API is required.
To use the access_token you received, please follow the Bearer Authentication Scheme to format your HTTP request headers. A typical format would look like { "Authorization": "Bearer <access_token>"}