SEP 10 is the authentication protocol for Stellar. It is used to verify a user's KYC information and to prove that the user owns a Stellar account. To support it, you have to set up a WEB_AUTH_ENDPOINT that returns a JSON Web Token (JWT) in its response; that token is then sent in a header or query parameter with requests to the /customer endpoint. The protocol verifies ownership of the Stellar account's secret key.
The flow of SEP 10
The client requests a unique challenge, and the endpoint responds with a Stellar transaction signed by the server. The transaction carries an invalid sequence number, so it can never be executed on the Stellar network. The client signs the transaction using the Stellar libraries and passes it on to the token endpoint. The client also verifies that the transaction is signed by the SIGNING_KEY published in the toml file.
The token endpoint accepts the transaction, validates it further, and sends a JSON Web Token in response. The client submits the transaction as an HTTP POST request to WEB_AUTH_ENDPOINT.
The following are the steps performed by the server to validate the transaction:
This process confirms that the user holds the account. After successful verification, the server responds with a JWT that contains the following claims:
The server needs to verify that the user has the authority to move funds, that is, that the signers meet the account's medium threshold. This is checked by confirming that the weight of the signer(s) is equal to or greater than the medium threshold. The server also needs to handle bogus accounts and accounts that do not exist.
The server has to set an expiration time for the JWT. The system has to choose an appropriate expiration: too long a lifetime increases the risk of account takeover, while too short a lifetime increases how often the user must re-authenticate.
The signature uses both the secret key and the network passphrase. The server uses the testnet passphrase for testnet and the pubnet passphrase for mainnet. The client can use the network_passphrase that is included in the response from the transaction endpoint (/customer).
In this blog, we learned about the Stellar protocol SEP 10. It is an authentication protocol, and it helps us understand the flow of authenticating transactions.
For the official document, see https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0010.md