Challenge

curl --request POST \
  --url https://api.amm.flashnet.xyz/v1/auth/challenge \
  --header 'Content-Type: application/json' \
  --data '{
  "publicKey": "021eec911553028dded1ec644144cd3afee9d9bfe7846af3cf8e6d84f4b3102389"
}'

{
  "challenge": "464c4153484e45545f415554485f4348414c4c454e47455f56313a19f51e5e9b50314318517a5e2bb19e5beb94d9c5d74b61068ff458c75a649712",
  "challengeString": "FLASHNET_AUTH_CHALLENGE_V1:19f51e5e9b50314318517a5e2bb19e5beb94d9c5d74b61068ff458c75a649712",
  "requestId": "01H8Z0HMVXJN6A8Q9GR1J6Z34E"
}

Auth

Challenge

This endpoint initiates the authentication process by generating a random challenge string that must be signed by the user’s private key. The signed challenge should then be submitted to the /v1/auth/verify endpoint to complete authentication.

The challenge-response authentication mechanism ensures that users prove ownership of their public key.

Authentication Flow

Client calls this endpoint with their public key
Server generates and returns a random challenge
Client signs the challenge with their private key
Client submits the signature to /v1/auth/verify
Server verifies the signature and issues a JWT token

Challenge Lifecycle

Challenges are valid forever and are used to identify the user
Each challenge can only be used once

Arguments

public_key - The user’s public key

Returns

200 OK with the challenge string and request ID
400 Bad Request if the request is malformed or the public key is invalid
500 Internal Server Error if the challenge generation fails

POST

auth

challenge

Challenge

curl --request POST \
  --url https://api.amm.flashnet.xyz/v1/auth/challenge \
  --header 'Content-Type: application/json' \
  --data '{
  "publicKey": "021eec911553028dded1ec644144cd3afee9d9bfe7846af3cf8e6d84f4b3102389"
}'

{
  "challenge": "464c4153484e45545f415554485f4348414c4c454e47455f56313a19f51e5e9b50314318517a5e2bb19e5beb94d9c5d74b61068ff458c75a649712",
  "challengeString": "FLASHNET_AUTH_CHALLENGE_V1:19f51e5e9b50314318517a5e2bb19e5beb94d9c5d74b61068ff458c75a649712",
  "requestId": "01H8Z0HMVXJN6A8Q9GR1J6Z34E"
}

Body

application/json

Public key for which to generate an authentication challenge

Request body for initiating authentication challenge.

This request starts the authentication flow by requesting a challenge string that must be signed with the user's private key.

publicKey

string

required

The public key of the user requesting authentication. Must be a valid Bitcoin or Spark public key.

Example:

"021eec911553028dded1ec644144cd3afee9d9bfe7846af3cf8e6d84f4b3102389"

Response

Challenge generated successfully

Response containing the challenge string to be signed.

The challenge is a hex string composed of an ASCII magic prefix followed by 32 random bytes. The entire byte sequence is what should be signed using the private key corresponding to the provided public key.

challenge

string

required

The challenge string that must be signed. Hex string of: "FLASHNET_AUTH_CHALLENGE_V1:" || 32 random bytes.

Example:

"464c4153484e45545f415554485f4348414c4c454e47455f56313a19f51e5e9b50314318517a5e2bb19e5beb94d9c5d74b61068ff458c75a649712"

challengeString

string

required

A UTF-8 string version of the challenge suitable for wallets that sign strings. Format: "FLASHNET_AUTH_CHALLENGE_V1:" + hex(random 32 bytes)

Example:

"FLASHNET_AUTH_CHALLENGE_V1:19f51e5e9b50314318517a5e2bb19e5beb94d9c5d74b61068ff458c75a649712"

requestId

string<ulid>

required

Unique request identifier for tracking and debugging.

Example:

"01H8Z0HMVXJN6A8Q9GR1J6Z34E"

Verify

⌘I

Auth

Clawback

Hosts

Integrators

Liquidity

Status

Pools

Swaps

Challenge

Authentication Flow

Challenge Lifecycle

Arguments

Returns

Body

Response