A Developer Guide to Knowing Stellar protocol SEP 10

Posted By : Harshit Sharma | 27-May-2020

SEP-10 is the authentication protocol for Stellar. It is used to verify a user's KYC information and to prove that the user owns the Stellar account. To support it, you set up a WEB_AUTH_ENDPOINT that returns a JSON Web Token (JWT); the token is then sent in a request header or query parameter when calling the /customer endpoint. The protocol verifies ownership of the Stellar account's secret key.


The flow of SEP 10

  • The wallet requests a user session from WEB_AUTH_ENDPOINT.
  • The endpoint responds with a transaction signed by your (server) Stellar account but carrying an invalid sequence number; the wallet uses the Stellar libraries to check whether your signature is valid.
  • The wallet signs the transaction and returns it to WEB_AUTH_ENDPOINT.
  • WEB_AUTH_ENDPOINT checks whether the signature provided is valid and, if it is, issues a JWT.


The client requests a unique challenge, and the endpoint must respond with a Stellar transaction signed by the server that carries an invalid sequence number, so it can never be executed on the Stellar network. The client signs the transaction using the Stellar libraries and submits it to the token endpoint. Before signing, the client also verifies that the challenge was signed by the SIGNING_KEY published in the server's stellar.toml file.


The token endpoint accepts the transaction, validates it further, and returns the JSON Web Token in its response. The client submits the transaction as an HTTP POST request to WEB_AUTH_ENDPOINT.


The server performs the following steps to validate the transaction:


  • Decode the received input from base64 XDR.
  • Verify that the source account is the server's signing key.
  • Verify the transaction's time bounds.
  • Verify that the source account is not null.
  • If the source account exists:
    • Verify the number of client signatures.
    • Verify each signature.
    • Verify that the signatures meet the required threshold.
  • Verify that the transaction's sequence number is zero.


This process confirms that the user controls the account. On successful verification the server responds with a JWT containing the following claims:


  • iss - URI of the issuer
  • sub - the public key of the authenticating account
  • iat - the timestamp at which the token was issued
  • exp - the expiration time


The server needs to verify that the user has the authority to move funds, i.e. that the signatures reach the account's medium threshold. This holds if the combined weight of the signers is equal to or greater than the medium threshold. The server also needs to handle bogus accounts, or accounts that do not exist yet.
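The validation steps listed above and the threshold rule in this paragraph, as an added example (not code from the post or from the Stellar SDKs). The challenge is a plain dataclass standing in for the decoded XDR transaction, the Horizon account lookup is a callback, and the ed25519 primitive is injected as `verify_sig`; the HMAC-based `demo_*` helpers at the bottom are a constructed stand-in so the block runs offline. The scenario names, secrets and `1_700_000_000` timestamp are all made up.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass
class Challenge:                  # the decoded challenge transaction, reduced to what the checks need
    source_account: str           # must equal the server's SIGNING_KEY
    sequence: int                 # must be 0, so the signed tx can never be submitted
    min_time: int                 # timebounds, unix seconds
    max_time: int
    client_account: str           # account being authenticated
    payload: bytes                # bytes the signatures cover (the tx hash in Stellar)
    signatures: Dict[str, bytes]  # signer account id -> signature

@dataclass
class AccountInfo:                # what the server fetches from Horizon for the client account
    signers: Dict[str, int]       # signer account id -> weight
    medium_threshold: int

class ChallengeError(ValueError):
    pass

def validate_challenge(ch: Challenge, server_key: str, now: int,
                       lookup_account: Callable[[str], Optional[AccountInfo]],
                       verify_sig: Callable[[str, bytes, bytes], bool]) -> str:
    """Run the server-side checks; return the authenticated account id or raise."""
    # The challenge must be one this server minted: source = SIGNING_KEY and signed by it.
    if ch.source_account != server_key:
        raise ChallengeError("source account is not the server signing key")
    if not verify_sig(server_key, ch.payload, ch.signatures.get(server_key, b"")):
        raise ChallengeError("missing or invalid server signature")
    # Timebounds: a stale challenge must not be replayable later.
    if not ch.min_time <= now <= ch.max_time:
        raise ChallengeError("challenge outside its timebounds")
    # Sequence 0 guarantees the signed transaction is unexecutable on the network.
    if ch.sequence != 0:
        raise ChallengeError("sequence number must be 0")
    client_sigs = {k: v for k, v in ch.signatures.items() if k != server_key}
    if not client_sigs:
        raise ChallengeError("no client signature on the challenge")
    account = lookup_account(ch.client_account)
    if account is None:
        # Bogus or not-yet-funded account: only its master key can exist, so accept exactly one signature from it.
        if set(client_sigs) != {ch.client_account}:
            raise ChallengeError("nonexistent account must be signed by its master key only")
        if not verify_sig(ch.client_account, ch.payload, client_sigs[ch.client_account]):
            raise ChallengeError("invalid master-key signature")
        return ch.client_account
    # Existing account: each signature must come from a listed signer and verify; weights must reach medium.
    weight = 0
    for signer, sig in client_sigs.items():
        if signer not in account.signers:
            raise ChallengeError(f"{signer} is not a signer on the account")
        if not verify_sig(signer, ch.payload, sig):
            raise ChallengeError(f"invalid signature from {signer}")
        weight += account.signers[signer]
    if weight < account.medium_threshold:
        raise ChallengeError(f"weight {weight} below medium threshold {account.medium_threshold}")
    return ch.client_account

# Constructed stand-in for ed25519 so the example runs without a Stellar SDK: account ids derive from
# demo secrets and signatures are HMAC-SHA256. This only works because the demo holds every secret;
# a real server calls Keypair.verify on the transaction hash and never sees client secrets.
DEMO_SECRETS = {"server": b"server-demo-secret", "client": b"client-demo-secret",
                "cosigner": b"cosigner-demo-secret"}

def demo_account_id(name: str) -> str:
    return "G" + hashlib.sha256(DEMO_SECRETS[name]).hexdigest()[:12].upper()

def demo_sign(name: str, payload: bytes) -> bytes:
    return hmac.new(DEMO_SECRETS[name], payload, hashlib.sha256).digest()

DEMO_ACCOUNTS = {demo_account_id(n): n for n in DEMO_SECRETS}  # account id -> demo key name

def demo_verify(account_id: str, payload: bytes, sig: bytes) -> bool:
    name = DEMO_ACCOUNTS.get(account_id)
    return name is not None and hmac.compare_digest(demo_sign(name, payload), sig)

def run_demo(now: int = 1_700_000_000) -> Dict[str, str]:
    """Validate several constructed challenge variants; return the outcome per scenario."""
    server, client, cosigner = (demo_account_id(n) for n in ("server", "client", "cosigner"))
    payload = b"constructed-challenge-hash"
    ledger = {client: AccountInfo({client: 1, cosigner: 1}, medium_threshold=2)}  # only `client` exists, 2-of-2
    def build(signers, sequence=0, max_time=now + 300, who=client):
        sigs = {demo_account_id(n): demo_sign(n, payload) for n in signers}
        return Challenge(server, sequence, now - 1, max_time, who, payload, sigs)
    cases = {
        "ok_multisig": build(["server", "client", "cosigner"]),
        "below_threshold": build(["server", "client"]),
        "nonzero_sequence": build(["server", "client", "cosigner"], sequence=42),
        "expired": build(["server", "client", "cosigner"], max_time=now - 10),
        "unfunded_master_key": build(["server", "cosigner"], who=cosigner),
    }
    out = {}
    for name, ch in cases.items():
        try:
            out[name] = "authenticated " + validate_challenge(ch, server, now, ledger.get, demo_verify)
        except ChallengeError as err:
            out[name] = "rejected: " + str(err)
    return out
```

`run_demo()` shows the two outcomes that matter: a 2-of-2 account is accepted only when both signer weights are present, and an account Horizon does not know about is accepted on its master key alone. The time-bound and sequence checks run before any client signature is examined, so a replayed or submittable challenge is rejected without spending signature verifications on it.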

JWT expiration

The server has to set an expiration time for the JWT. The system has to decide on an appropriate expiration period: too long a lifetime widens the window in which a leaked token grants control of the account, and too short a lifetime forces the user to re-authenticate too often.
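The claims listed above and the expiration check in this section, as an added example (not the post's or any SDK's code). It mints an HS256 JWT with `iss`, `sub`, `iat` and `exp` using only the Python standard library and then verifies it; the issuer URL, account id, secret, TTL and timestamps are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict

class TokenError(ValueError):
    pass

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _compact(obj: Dict[str, Any]) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())

def issue_jwt(secret: bytes, issuer: str, account_id: str, now: int, ttl: int) -> str:
    """Mint the HS256 token the server returns after a successful challenge."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": account_id, "iat": now, "exp": now + ttl}
    signing_input = _compact(header) + "." + _compact(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jwt(token: str, secret: bytes, issuer: str, now: int) -> Dict[str, Any]:
    """Check signature, issuer and time claims; return the claims or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    head, body, sig = parts
    # Pin the algorithm: never let the token choose it (blocks alg=none downgrade).
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now:
        raise TokenError("token issued in the future")
    return claims

def run_demo(now: int = 1_700_000_000) -> Dict[str, str]:
    """Issue one token and try to use it under several conditions."""
    secret = b"constructed-demo-jwt-secret"     # constructed; keep the real one out of source
    issuer = "https://auth.example.test"        # placeholder issuer URI
    account = "GCONSTRUCTEDACCOUNTID"           # placeholder Stellar account id
    token = issue_jwt(secret, issuer, account, now, ttl=300)
    head, body, sig = token.split(".")
    # A body with a different subject but the original signature.
    forged_body = _compact({"iss": issuer, "sub": "GOTHERACCOUNT", "iat": now, "exp": now + 300})
    none_head = _compact({"alg": "none"})
    attempts = {
        "fresh": (token, now + 60),
        "after_expiry": (token, now + 301),
        "tampered_sub": (f"{head}.{forged_body}.{sig}", now + 60),
        "wrong_secret": (issue_jwt(b"other-secret", issuer, account, now, 300), now + 60),
        "alg_none": (f"{none_head}.{body}.", now + 60),
    }
    out = {}
    for name, (tok, at) in attempts.items():
        try:
            out[name] = "accepted for " + verify_jwt(tok, secret, issuer, at)["sub"]
        except TokenError as err:
            out[name] = "rejected: " + str(err)
    return out
```

The `ttl` argument is the knob this section talks about: `run_demo` issues a five-minute token and shows it accepted one minute in and rejected one second past `exp`. The signature is checked before any claim is read, so `exp` and `sub` are only trusted once they are known to be the server's own.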


Signature convention

Signatures are produced with both the secret key and the network passphrase. The server uses the testnet passphrase on testnet and the pubnet passphrase on mainnet. The client can use the network_passphrase included in the response from the transaction endpoint (/customer).
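How the passphrase enters the signature, as an added example (not the post's code). In Stellar the keypair does not sign the raw transaction; it signs the SHA-256 of `network_id || envelope_type || transaction XDR`, where `network_id` is the SHA-256 of the passphrase. The two passphrase strings are the public Stellar ones; the `tx_xdr` bytes passed in are a constructed placeholder, not real XDR.

```python
import hashlib
import struct

TESTNET_PASSPHRASE = "Test SDF Network ; September 2015"
PUBNET_PASSPHRASE = "Public Global Stellar Network ; September 2015"
ENVELOPE_TYPE_TX = 2  # XDR enum value tagging a plain transaction in TransactionSignaturePayload

def network_id(passphrase: str) -> bytes:
    """The 32-byte network id that is mixed into every signature on that network."""
    return hashlib.sha256(passphrase.encode()).digest()

def transaction_hash(tx_xdr: bytes, passphrase: str) -> bytes:
    """The bytes a Stellar keypair actually signs: hash of the TransactionSignaturePayload."""
    payload = network_id(passphrase) + struct.pack(">i", ENVELOPE_TYPE_TX) + tx_xdr
    return hashlib.sha256(payload).digest()

def signed_for_other_network(tx_xdr: bytes, signed_on: str, verified_on: str) -> bool:
    """True when a challenge signed under one passphrase would not verify under the other."""
    return transaction_hash(tx_xdr, signed_on) != transaction_hash(tx_xdr, verified_on)

def demo() -> bool:
    tx_xdr = b"constructed-placeholder-transaction-xdr"  # constructed, not real XDR
    return signed_for_other_network(tx_xdr, TESTNET_PASSPHRASE, PUBNET_PASSPHRASE)
```

Because the passphrase is hashed into the signed bytes, a challenge signed against the testnet passphrase fails verification on pubnet even though the transaction XDR is identical; a server that verifies with the wrong passphrase will therefore reject every client, which is the usual symptom of a testnet/mainnet mix-up.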




In this blog, we learned about the Stellar protocol SEP-10. It is an authentication protocol, and walking through it helps us understand how challenge transactions are used to authenticate users.




For the official document, see https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0010.md


About Author

Harshit Sharma

He is a MEAN Stack Developer with a problem-solving attitude. He is efficient in API development and always ready to learn new technologies in web development.
