A Developer Guide to Knowing Stellar protocol SEP 10


Posted By : Harshit Sharma | 27-May-2020

SEP 10 is the authentication protocol for Stellar. It is used, for example, in KYC flows to verify that the user owns the Stellar account. To support it, you have to set up a WEB_AUTH_ENDPOINT that responds with a JSON Web Token (JWT), which the client can then send in a header or query parameter when calling the /customer endpoint. The protocol verifies ownership of the Stellar account's secret key.


The flow of SEP 10

  • The wallet requests a user session from WEB_AUTH_ENDPOINT.
  • The endpoint responds with a transaction signed by your (the server's) Stellar account but carrying an invalid sequence number; the wallet uses the Stellar libraries to check whether that signature is valid.
  • The wallet signs the transaction and returns it to WEB_AUTH_ENDPOINT.
  • WEB_AUTH_ENDPOINT checks whether the provided signature is valid; if it is, it returns a JWT.


The client requests a unique challenge, and the endpoint must respond with a Stellar transaction signed by the server that has an invalid sequence number, so it can never be executed on the Stellar network. The client signs the transaction using the Stellar libraries and passes it on to the token endpoint. The client also verifies that the challenge was signed by the SIGNING_KEY published in the stellar.toml file.


The token endpoint accepts the transaction, validates it further and sends a JSON Web Token in response. The client submits the transaction as an HTTP POST request to WEB_AUTH_ENDPOINT.


The server performs the following steps to validate the transaction:


  • Decode the received input from base64 XDR format.
  • Verify that the source account matches the server's signing key.
  • Verify the time bounds of the transaction.
  • Verify that the (client) source account is not null.
  • If the source account exists, then
    • Verify the number of client signatures.
    • Verify each signature.
    • Verify that the signatures meet the required threshold.
  • Verify that the sequence number of the transaction is zero.


This process confirms that the user holds the account. On successful verification, the server responds with a JWT that contains the following claims:


  • iss - URI of the issuer
  • sub - the public key of the authenticating account
  • iat - timestamp at which the token was issued
  • exp - expiration time


The server needs to verify that the user has the authority to move funds, which means meeting the account's medium threshold. This can be checked by confirming that the total weight of the signers is equal to or greater than the medium threshold. The server also needs to handle bogus accounts and accounts that do not exist yet.

JWT expiration

The server has to set an expiration time for the JWT, and the system has to decide what that time should be. Too long an expiration increases the risk of account takeover if the token leaks; too short an expiration forces the user to re-authenticate more often.


Signature convention

A signature is produced with both the secret key and the passphrase of the network. The server uses the testnet passphrase for testnet and the pubnet passphrase for mainnet. The client can use the network_passphrase included in the response from the transaction endpoint (/customer).




In this blog, we learned about the Stellar protocol SEP 10. It is an authentication protocol, and understanding it helps us follow the authentication flow built on signed transactions.




For the official document, see https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0010.md


About Author

Harshit Sharma

He is a MEAN Stack Developer with a problem-solving attitude. He is efficient in API development and always ready to learn new technologies in web development.
