A Developer Guide to Knowing Stellar protocol SEP 10

Posted By : Harshit

May 27, 2020

SEP 10 is the authentication protocol for the Stellar. This is used to verify the user's KYC information, and owns the Stellar account. For the process, you have to set up WEB_AUTH_ENDPOINT which generates JSON web token in response and can be used further in the header or query param to make the request on /customer endpoint. It verifies the ownership of the Stellar account’s secret key. 


The flow of SEP 10

  • Wallet requests for user session from WEB_AUTH_ENDPOINT
  • It responds with transaction signed by your Stellar account but has an invalid sequence number, a wallet uses Stellar libraries to check that your signature is valid or not.
  • Wallet signed the transactions and return to WEB_AUTH_ENDPOINT
  • User check the signature provided is valid or not, if valid then WEB_AuTH_ENDPOINT provide JWT


The client obtains a unique challenge and endpoint must respond with a Stellar transaction signed by the server with invalid sequence number which cannot be executed on a Stellar network. The client signed the transaction using Stellar libraries and proceeded it to the token endpoint. The client also verifies that the signature is signed by SIGNING_KEY from the toml file.


The token endpoint accepts the transaction and further validates it and send the JSON web token in response. Client submits transaction as a POST HTTP request to WEB_AUTH_ENDPOINT


Following are the steps performed by the server to validate the transaction


  • Decode the received input as base64 XDR format.
  • Verify the source account with the signing key.
  • Verify the timebound of transaction
  • Verify that the source account is not null.
  • If Source account exists then
    • Verify the count of client’s signature
    • Verify the signature
    • Verify the signature’s required thresholds.
  • Verify the sequence of the transaction is zero.


This process confirms that the user holds the account. With successful verification, the server responds with JWT and contains the following claim-


  • Iss - URI of the issuer
  • Sub - the public key of authenticating account
  • Iat - timestamp
  • Exp - expiration time


The server needs to verify that the user has the authority to move funds and has the medium threshold. It can be checked if the weight of the signer is equal or more than the medium threshold. The server also needs support to validate bogus accounts or accounts that do not exist.

JWT expiration

The server has to integrate the expiration time for jwt. The system has to decide the appropriate time of the expiration. Too long time increases the risk of account control and too short time increases the reoccurrence of authentication. 


Signature convention

Signature uses both the secret key and passphrase of the network. The server uses testnet passphrase for testnet and pubnet passphrase for mainnet. The client can use the network_passphrase that includes in response from the transaction endpoint. (/customer).




In this blog, we learned about the Stellar protocol SEP 10. It is an authentication protocol and helps us to understand the flow of authentication of the transactions.




For official document - https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0010.md


Leave a


Name is required

Invalid Name

Comment is required

Recaptcha is required.


June 11, 2024 at 06:54 am

Your comment is awaiting moderation.

By using this site, you allow our use of cookies. For more information on the cookies we use and how to delete or block them, please read our cookie notice.

Chat with Us
Contact Us

Oodles | Blockchain Development Company

Name is required

Please enter a valid Name

Please enter a valid Phone Number

Please remove URL from text