4.2 Authentication Flow
This is the canonical authentication flow used throughout PTERI.
Every login, approval, or authorization is a variation of this sequence.
Step-by-step flow
- The application requests authentication
- The backend generates a challenge
  - Random nonce
  - Short expiry
- The wallet receives the challenge
- The user approves via biometrics
- The wallet signs the challenge
- The signature is sent to the backend
- The backend verifies the signature
- The backend issues its own session or JWT
At no point does the backend:
- Receive a secret
- Store reusable credentials
- Gain signing authority
Why this works
- Challenges are single-use
- Signatures are non-replayable
- Authority is proven, not assumed
- Compromised servers cannot impersonate users
Authentication becomes a cryptographic event, not a credential exchange.
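The step-by-step flow and the "why this works" properties above, worked through as an added Go example (not PTERI's own code): a minimal backend that issues a random, short-lived nonce, a wallet-side signer, and a verifier that consumes each nonce on first use so a replayed signature, an expired challenge, or a signature from an unregistered key is rejected. Ed25519, the user ID "alice", and the hypothetical names Backend, IssueChallenge, WalletSign and Verify are assumptions for illustration; the backend stores public keys only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// Backend stores registered public keys and outstanding challenges only: no user secret, no signing key.
type Backend struct {
	users   map[string]ed25519.PublicKey // userID -> wallet public key
	pending map[string]time.Time         // nonce -> expiry; the entry is deleted on first use
}

func NewBackend() *Backend {
	return &Backend{users: map[string]ed25519.PublicKey{}, pending: map[string]time.Time{}}
}
func (b *Backend) Register(userID string, pub ed25519.PublicKey) { b.users[userID] = pub }

// IssueChallenge returns a fresh 32-byte random nonce (hex) that expires after ttl.
func (b *Backend) IssueChallenge(ttl time.Duration) (string, error) {
	var buf [32]byte
	if _, err := rand.Read(buf[:]); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(buf[:])
	b.pending[nonce] = time.Now().Add(ttl)
	return nonce, nil
}

// WalletSign is the wallet side: the private key stays on the device; only the signature travels.
func WalletSign(priv ed25519.PrivateKey, nonce string) []byte { return ed25519.Sign(priv, []byte(nonce)) }

// Verify consumes the nonce on first presentation (pass or fail), then checks expiry and signature.
func (b *Backend) Verify(userID, nonce string, sig []byte) error {
	expires, ok := b.pending[nonce]
	delete(b.pending, nonce) // single-use: a replayed signature finds no challenge to match
	pub, known := b.users[userID]
	switch {
	case !ok:
		return errors.New("unknown or already-used challenge")
	case time.Now().After(expires):
		return errors.New("challenge expired")
	case !known || !ed25519.Verify(pub, []byte(nonce), sig):
		return errors.New("signature does not verify for this user")
	}
	return nil // only now does the backend mint its own session or JWT
}
```

The nonce is deleted before any check runs, so even a failed attempt cannot be retried against the same challenge.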
