Dominic Sherman edited this page Apr 7, 2021 · 1 revision

Questions

  • User-managed accounts vs Cardstack-managed accounts vs a single Cardstack account for all requests?
  • Should they be custodial/sub accounts?
  • Does Cardstack need to manage the accounts?
  • Should we surface the secret key?
  • Is Wyre only a means to exchange fiat to crypto?
  • Pending account status?

Options

Pre Generated Auth Token

Currently being used by the Rainbow app.

Based on what we can see in the Rainbow code base, they seem to pull a pre-generated auth token out of their env. We don’t know for sure what this auth token is since it comes from their env, but this is our assumption based on their usage. It is passed directly as the auth header (Bearer ${wyreAuthToken}).

From what we understand, we would need the secret key that was used to create the account in order to properly generate this auth token. Cardstack’s current account was not created with a secret key, so we are not sure if we would need to create a new account or if there is still a way to generate this token.

Generate Auth Token per User

What seems to be the intended functionality with the auth token method is that a cryptographically secure secret key is generated for each user. This secret key is exchanged for an auth token, and this auth token is immediately used to create an account for the user.

Based on our understanding, this would require that the user maintain a secret key (or that we randomly generate one and store it on the device behind the scenes, which ties user accounts to the device). This would also entail a review process and document upload for each user’s account, which we assume is not desired functionality.

Secret Key Signature Auth

This is the typical API Key authentication method. We use the API Key and secret key from the account, generate the signature using these values, and send the API Key and signature as headers for authorization.

We successfully implemented this method already, but backtracked after deciding it wasn’t ideal to store the secret key on device in the env.

Our Suggestions

The best route forward would be to build an API for Cardstack’s Wyre interactions so that we can manage what actions are taken on behalf of Cardstack’s account, and users don’t need to manage their own accounts and go through the approval process. This API would be open but could use some type of secret key we send from the mobile app. This would allow us to limit what actions are taken as well as implement rate limiting if desired.

The simplest route would be either directly embedding the generated token in the env or using the signature key auth with the secret embedded in the env, but both would compromise security.
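A sketch of the core of the API suggested above, as an added example that is not Cardstack's or Wyre's code: the secret key stays on the server, only allow-listed actions are signed, and each client is rate limited. Assumptions not taken from this page: the X-Api-Key / X-Api-Signature header names, the hex HMAC-SHA256 over URL plus body, the timestamp query parameter, the placeholder host, the example paths, the limits, and the hypothetical clientId identifying an app install.

```javascript
// Added example: server-side signer that keeps the Wyre secret off the device.
const crypto = require("node:crypto");

// Assumptions: placeholder host, illustrative paths, illustrative limits.
const UPSTREAM = "https://wyre.example.test";
const ALLOWED = new Set(["POST /v3/orders/reserve", "GET /v3/rates"]);
const LIMIT = 5; // requests per client per window
const WINDOW_MS = 60_000;

function createSigner({ apiKey, secretKey, now = Date.now }) {
  const hits = new Map(); // clientId -> timestamps of recent accepted requests

  // Sliding-window limiter: reject once LIMIT requests fall inside the window.
  function rateLimited(clientId, t) {
    const recent = (hits.get(clientId) || []).filter((x) => t - x < WINDOW_MS);
    const over = recent.length >= LIMIT;
    if (!over) recent.push(t);
    hits.set(clientId, recent);
    return over;
  }

  // Returns a signed upstream request or a rejection status.
  // The secret key is used here and never included in the result.
  return function sign(clientId, method, path, body = "") {
    if (!ALLOWED.has(`${method} ${path}`)) return { ok: false, status: 403 };
    const t = now();
    if (rateLimited(clientId, t)) return { ok: false, status: 429 };
    const url = `${UPSTREAM}${path}?timestamp=${t}`;
    // Assumed scheme: hex HMAC-SHA256 over URL + body, keyed with the secret.
    const signature = crypto
      .createHmac("sha256", secretKey)
      .update(url + body)
      .digest("hex");
    return {
      ok: true,
      url,
      body,
      headers: { "X-Api-Key": apiKey, "X-Api-Signature": signature },
    };
  };
}
```

The mobile app would call this service instead of Wyre directly, so a key extracted from the app bundle can at most request the allow-listed actions at the limited rate.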