Authentication & Authorization

Clique Wallet implements a comprehensive authentication and authorization system that supports multiple authentication methods for users while providing secure programmatic access through API keys with fine-grained permission controls.

User Authentication

Clique Wallet supports a wide range of authentication methods, allowing users to access their wallets through their preferred method:

  • Social OAuth: Users can authenticate using social media accounts including Google, X/Twitter, and Telegram. OAuth flows use PKCE (Proof Key for Code Exchange), which binds each authorization code to a one-time verifier held by the client, so an attacker who intercepts the code cannot redeem it.

  • Email and Phone Verification: Users can authenticate using email addresses or phone numbers. The system sends a verification code to the provided email address or phone number, and the user must enter that code during login. This two-factor verification process ensures that only users with access to the registered contact method can access the account.

  • Apple Sign-In: Native support for Apple's Sign-In service, providing seamless authentication for users on Apple devices.

  • External Wallet Connections: Users can authenticate by connecting existing external wallets including MetaMask, Phantom, OKX, Rabby, Coinbase Wallet, and WalletConnect. This authentication method uses a challenge-response mechanism where users sign a challenge message with their external wallet, proving ownership without exposing private keys.

  • Account Binding: Users can bind multiple authentication methods to a single Clique Wallet account. This allows flexible access—users can log in using any of their bound authentication methods while maintaining access to the same wallets and assets. Account binding is particularly useful for users who want to maintain multiple ways to access their account or who migrate from one authentication method to another.

All authentication methods are validated server-side, and upon successful authentication, Clique Wallet automatically creates wallets for all supported blockchains if they don't already exist. The authentication process ensures that users can only access accounts they own, and all authentication credentials are verified cryptographically or through trusted third-party providers.

Session Management

User-facing applications use secure HTTP-only session cookies for authentication. This approach provides several security benefits:

  • HTTP-Only Cookies: Session cookies are marked as HTTP-only, preventing client-side JavaScript from accessing them. This protects against cross-site scripting (XSS) attacks where malicious scripts might attempt to steal session tokens.

  • Secure Cookies: In production environments, session cookies are transmitted only over HTTPS connections, ensuring that session tokens cannot be intercepted over unencrypted networks.

  • Session Expiration: Sessions automatically expire after a period of inactivity, reducing the risk of unauthorized access if a user's device is compromised. Users must re-authenticate after session expiration.

  • Same-Site Protection: Session cookies use SameSite protection to prevent cross-site request forgery (CSRF) attacks, ensuring that cookies are only sent with requests originating from the same site.

Session data is stored securely and encrypted, with session keys derived from the TEE-protected master key. This ensures that even if session data is accessed, it cannot be decrypted without access to the TEE.

API Key Authentication

For programmatic access, Clique Wallet provides API key authentication. API keys enable automated operations, trading bots, and other programmatic use cases while maintaining security through multiple layers of protection:

  • Bearer Token Authentication: API keys are provided as Bearer tokens in the Authorization header of HTTP requests. The format follows the standard Authorization: Bearer <api_key> pattern.

  • API Key Structure: API keys are cryptographically secure and include both a unique identifier and a random component. The full key is only displayed once during creation, after which only a prefix is shown for identification purposes.

  • Encrypted Storage: API keys are encrypted at rest and include integrity verification. This ensures that even if an attacker gains database access, the API keys cannot be revealed, replaced, or otherwise compromised through tampering attacks.

  • Key Validation: Each request made with an API key is validated for authenticity, active status, expiration, and IP whitelisting (if configured). Requests that present an invalid, inactive, or expired key, or that come from an IP address outside the whitelist, are immediately rejected.
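The checks listed above (Bearer parsing, authenticity, active status, expiration, IP whitelist), sketched as an added example that is not Clique Wallet's code. The ck_<id>_<secret> key format, the in-memory store, and SERVER_SECRET are assumptions, and a keyed HMAC digest stands in for the encrypted, integrity-checked storage the page describes.

```python
import hashlib, hmac, ipaddress, secrets, time
from dataclasses import dataclass

# Assumption: a secret held outside the database (the page keeps its master key in a TEE).
SERVER_SECRET = secrets.token_bytes(32)

@dataclass
class KeyRecord:
    digest: bytes        # HMAC of the full key; the key itself is never stored
    active: bool
    expires_at: float    # Unix time
    allowed_nets: tuple  # empty tuple means no IP whitelist is configured

def _digest(full_key: str) -> bytes:
    return hmac.new(SERVER_SECRET, full_key.encode(), hashlib.sha256).digest()

def create_key(store, ttl=3600.0, allowed_nets=(), now=None):
    """Return the full key (shown once) and store only its keyed digest."""
    now = time.time() if now is None else now
    key_id = secrets.token_hex(4)                           # unique identifier
    full_key = f"ck_{key_id}_{secrets.token_urlsafe(32)}"   # hypothetical format
    nets = tuple(ipaddress.ip_network(n) for n in allowed_nets)
    store[key_id] = KeyRecord(_digest(full_key), True, now + ttl, nets)
    return full_key

def validate(store, authorization, client_ip, now=None):
    """Return (ok, reason); client_ip is the peer address seen by the server."""
    now = time.time() if now is None else now
    scheme, _, token = (authorization or "").partition(" ")
    parts = token.split("_", 2)
    if scheme != "Bearer" or len(parts) != 3 or parts[0] != "ck":
        return False, "malformed"
    presented = _digest(token)
    rec = store.get(parts[1])
    # Constant-time compare; an unknown id and a wrong secret get the same answer.
    if rec is None or not hmac.compare_digest(rec.digest, presented):
        return False, "invalid"
    if not rec.active:
        return False, "inactive"
    if now >= rec.expires_at:
        return False, "expired"
    # A database row overwritten with an unkeyed digest fails the compare above.
    ip = ipaddress.ip_address(client_ip)
    if rec.allowed_nets and not any(ip in net for net in rec.allowed_nets):
        return False, "ip_not_allowed"
    return True, "ok"
```

Because the stored digest is keyed with a secret that lives outside the database, someone with write access to the key table cannot swap in a digest for a key of their own choosing.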

Together, these authentication and authorization mechanisms ensure that only authorized users and applications can access Clique Wallet accounts and perform operations, while providing flexibility for different use cases and security requirements.
