🔒 Authlocal

👉 https://authlocal.org/ 👈

Authlocal is a free login system for the web.
Any website you visit can request your login by opening an Authlocal popup, but your identity seed files stay safely local on your device. You can go to the authlocal.org website any time to manage your identities.

• 🗽 User-sovereign – you hold your own seed files
• 🔑 Cryptographic – no emails, no passwords
• 🥷 Privacy-focused – pseudonymous, device-local, no databases
• 💖 Free and open-source – zero-cost at global scale

Own your identity.
When you create an identity, download the seed and keep it safe. The seed is the identity. Don't lose it. Don't share it. Never give your seed to another person or website. It's yours, forever.

🍋‍🟩 Integration Manual for Web Developers

Install Authlocal logins into your web app

1. Install authlocal and friends via npm

   npm install @e280/authlocal @e280/stz

2. Javascript to install Authlocal on your page

   import {install} from "@e280/authlocal"
   const auth = await install()
   auth.on(login => {
     if (login) console.log("logged in", login)
     else console.log("logged out")
   })

3. Put this stylesheet into your html <head>
   (check the path is valid)

   <link href="/node_modules/@e280/authlocal/x/themes.css" rel="stylesheet"/>

4. Put these new elements in your html <body>

   <auth-user></auth-user>
   <auth-button></auth-button>

5. Take it for a spin!
   You should be able to login and logout via Authlocal.

Logins

• Never send the login info anywhere. Send claims instead!
• Logins are auto persisted in localStorage for 7 days
• Anatomy of a login object:
  • login.sessionId — id of the login session hex string
  • login.nametag.id — user identity public key hex string
  • login.nametag.label — user's chosen nickname
  • login.expiresAt — js timestamp of when this login expires
  • login.isExpired() — returns true if the login is expired now
  • login.signClaim(options) — sign a claim

Claims

The purpose of a login, is that it can sign claims on the user's behalf. You can then send those claims to your server and verify them there. A claim contains a cryptographic proof that it stems from a genuine login session signed by the user's seed.

Spritually, a claim is trying to say something like "This user gave permission to this frontend to now say on their behalf:"

• "we want to post this message..."
• "we want to change their avatar..."
• "we want to buy this microtransaction..."

Sign a claim with a login, on the frontend

import {Time} from "@e280/stz"

const claimToken = await login.signClaim({

  // any json-friendly data you want
  claim: {message: "i love ice cream"},

  // when should this claim expire?
  expiresAt: Time.future.hours(24),
})

Verify a claim, on the server

import {verifyClaim} from "@e280/authlocal/core"

const {claim, proof} = await verifyClaim({
  claimToken,
  appOrigins: ["https://e280.org"],
    //                   |
    //    your website origin goes here
})

proof.sessionId
  // id for this login session, looks like:
  // "ff730fe2d725aa5210152975212d1068d7fe28ae22b5e62337a4cde42215187a"

proof.nametag.id
  // user identity id, looks like:
  // "a08263e70a0a48a07e988a7c0931ada6b0a38fa84bf367087b810c614a4c2070"

proof.nametag.label
  // user identity nickname, looks like:
  // "Michael Scott"

Thumbprint

• Thumbprint is an @e280/stz tool for visualizing 64-char ids

  import {Thumbprint} from "@e280/stz"

• id to full thumbprint

  Thumbprint.fromHex("005636bab2c73223ccf56f8112432212f57f01ef61452762cd142acd61ed44ed")
    // "dozmut.winpex.linner.forsep.KgisJ8Pdgey1HC4o8cG59NaLYSoRTiHfA"

• id to short sigil

  Thumbprint.sigil.fromHex("005636bab2c73223ccf56f8112432212f57f01ef61452762cd142acd61ed44ed")
    // "dozmut.winpex"

• thumbprint to id

  Thumbprint.toHex("dozmut.winpex.linner.forsep.KgisJ8Pdgey1HC4o8cG59NaLYSoRTiHfA")
    // "005636bab2c73223ccf56f8112432212f57f01ef61452762cd142acd61ed44ed"

Authlocal dev glossary

• Authority — the website that provides login sessions (authlocal.org)
  • authorityOrigin is the provider's origin, eg https://authlocal.org
• App — the third party website receiving login sessions (your website)
  • appOrigin is your app origin, eg https://e280.org
• Keypair — an ed25519 keypair
  • .id is the public key (64 character hex string)
  • .secret is the private key (64 character hex string)
• Identity — a keypair with a label string
• Seed — text snippet or .seed file that stores an identity
• Nametag — the public data associated with a user's identity
  • .id is the public key (64 character hex string)
  • .label is a nickname (max 32 character string)
• Thumbprint — easier-to-read version of an id
  • thumbprint => dozmut.winpex.linner.forsep.KgisJ8Pdgey1HC4o8cG59NaLYSoRTiHfA
  • sigil (first two words) => dozmut.winpex
  • preview (first four words) => dozmut.winpex.linner.forsep
  • bulk (last part) => KgisJ8Pdgey1HC4o8cG59NaLYSoRTiHfA
• Login — a login session
  • is private, should never leave the user's device
  • .nametag contains the identity's id and label
  • .expiresAt js time of the moment this login expires
  • .isExpired() returns true if the login is now expired
  • .signClaim(options) sign a claim
• Proof — provenance for login
  • is a token signed by an identity
  • is public, can be shared around
  • .nametag contains the identity's id and label
  • .sessionId proves a login session is blessed by an identity
• Claim — arbitrary claim your frontend can make
  • is a token signed by the login session, verifiable on your server
  • is public, can be shared around
  • includes the proof token (thus nametag and sessionId)
  • includes any arbitrary claim data you want
  • verified by verifyClaim(options)

🧑‍💻 Authlocal is an e280 project

Open github issues or discussions if you have any questions.
Star us on github, it's the only way we're paid.
Free and open source.