I’m working on a project where users purchase ERC721 tokens and then use them to access certain parts of a website. The basic idea seems simple - check if the user’s wallet contains the required token using web3.js on the frontend.
But I’m stuck on the backend verification part. How can the server verify that the person making API requests actually owns the token? Just sending the wallet address isn’t secure since addresses can be faked.
Also what happens when someone sells their token? The new owner should get access while the previous owner loses it.
I’ve been reading about digital signatures but I’m not sure how to implement this properly. Would asking users to sign messages for each request be too annoying?
Here’s a basic contract I’m testing with:
pragma solidity ^0.8.0;
contract AccessToken {
function checkAccess() public pure returns (string memory) {
return 'Access granted';
}
}
Any guidance on secure authentication patterns would be helpful.
Hey @SingingSnow, this is a really cool challenge you’re working on! I’ve been thinking about similar token-gated stuff myself.
First question - are you checking ownership in real-time for every request or caching verification results? Constantly hitting the blockchain gets expensive and slow fast, especially with lots of users.
I’m also curious about UX. What happens when someone’s transaction is still pending and they try to access your site? Or if there’s network congestion and blockchain queries time out?
For signatures - maybe try a hybrid approach? Sign once when they connect their wallet, then use that to generate a temporary access token that’s valid for a set time. You’re not constantly bugging them but still keeping things secure.
Oh, and have you thought about different wallet types? MetaMask vs WalletConnect vs hardware wallets all handle message signing differently, which could mess with your implementation.
What blockchain are you using btw? Ethereum mainnet or an L2? That’ll definitely influence your verification strategy because of gas costs and confirmation times.
Just dealt with this nightmare! Middleware auth was my lifesaver - grab the wallet signature when they log in, then store the session server-side. For ownership changes, I poll the contract every few mins to update permissions. Way easier than messing with event listeners and handles weird edge cases much better.
I encountered similar verification challenges when I built a system with ERC721 tokens last year. The solution I found effective was having users sign a timestamped message that includes their wallet address along with a unique nonce generated by the server. This approach allows you to create a JWT-style token that expires after a specific duration. As for ownership changes, I implemented a background service to monitor Transfer events from the ERC721 contract, thereby automatically adjusting access rights whenever tokens change hands. Regarding signing frequency, requiring a signature once per session proves to be optimal. Store the signature on the server for about 24 hours; users typically accept signing in just once at login, but requesting a signature for each API call can be frustrating. Be cautious: ensure your nonce system is designed to prevent replay attacks by generating random strings linked to user sessions and invalidating them after use. It’s also wise to apply rate limiting on your verification endpoints, as crypto operations can be costly as your user base scales.