I’m working on a website where I need to confirm that someone who connects their crypto wallet actually owns a particular NFT. Once verified, they should get access to special features that only the real NFT owner can use.
The problem is my NFT gets traded on marketplaces like OpenSea. If I just use a simple password system, both the old owner and new owner would know the same password after a sale. I need something that works only for whoever currently owns the NFT.
Right now when users connect their wallet, I can see their public address through JavaScript. I also use an API to check who owns the NFT. I can compare these addresses, but sending the wallet address from frontend to backend using AJAX isn’t secure since anyone could fake this data.
What’s the proper way to safely verify that the connected wallet actually belongs to the current NFT owner? I need to make sure my PHP backend can trust this information without being tricked by fake requests.
Message signing is your best bet. Generate a unique challenge string on your backend for each attempt, including a timestamp and session ID to prevent replay attacks. Send this to the frontend, have the user sign it with their wallet, and then verify the signature against your NFT ownership results.
However, be mindful that users may be hesitant to sign random strings they don’t understand. Make your challenge clear, such as “Verify NFT ownership for [your site] at [timestamp]”. This fosters trust and reduces support inquiries.
To address marketplace timing issues, consider implementing a grace period. Allow the previous owner 10-15 minutes to finish their activities after ownership changes before revoking their access. This can help prevent frustrating mid-session disconnections.
Interesting problem! So you’re building a dynamic access system that updates when NFTs change hands? Pretty cool concept.
I’m curious about the transfer timing though - when someone buys the NFT on OpenSea, there’s a brief window where the blockchain updates but your API might lag behind. How are you handling that?
Also, what features are you gating? One-time actions or ongoing access? If it’s ongoing, how often do you check ownership? What happens if someone sells their NFT while actively using your platform?
Ethan’s message signing idea is solid, but have you considered gas fees? Users might get annoyed paying gas just to prove ownership every time. Maybe cache the verification for a set period?
Which blockchain are you using? And what wallet library - MetaMask or something more universal?
try having them sign a message with their wallet. after they connect, ask them to sign smth with their private key. ur backend can verify the signature matches the NFT owner’s address - that’ll confirm they actually own it instead of just faking ownership.