iome logo
IOMe offers a robust authentication mechanism that combines the power of Web3 technology with the familiar syntax and semantics of JSON Web Tokens (JWT). This approach ensures secure and decentralized authentication while providing developers with a seamless integration experience.
The existing authentication schemes lacks
  • Encryption, making them susceptible to interception during communication.
  • Secure Token Management, If a token is stolen or leaked, an attacker could gain unauthorized access until the token is invalidated.
  • Decentralization, gaining access to token credentials stored at server leads to unauthorized access to entire system
Apart from above considerations, existing HTTP authentication scheme also have other disadvantages such as
  • Token Juggling Attacks, attackers might attempt to manipulate or manipulate JWTs, especially if they have access to the token content and know the signing algorithm.
  • Token Size, JWTs can become quite large if they carry a lot of information. This can increase the size of requests and responses, which can impact network performance.
  • Limited Context, JWTs lack some context that sessions can provide. For example, session IDs can be tied to specific IP addresses or user agents, helping to prevent session hijacking.
  • Sensitive Data, Although JWTs are often signed to ensure their integrity, they can still be decoded by anyone with access to the token.
IOMe uses DAT, a DOT Authentication Token, which is a new HTTP Authentication scheme framework introduced by SarvaLabs Inc.
What is DAT?
DAT, which stands for DOT Authentication Token, draws an analogy from the mathematical concept of the dot product.
In mathematics, the dot product is a fundamental operation that takes two vectors and produces a scalar by calculating the sum of the products of their corresponding components. Similarly, the term "DOT" reflects its role in connecting various services like Storage, Trust, Compute and Identity etc within the context of API interactions.
Moreover, just as the dot product doesn't rely on a centralized storage or extensive computational steps to determine the relationship between vectors, DAT utilizes PublicKey Cryptography to generate its signature, avoiding the need for centralized storage of token secrets. This aligns with the efficiency and simplicity of the dot product operation.
Yet, DAT goes beyond by incorporating advanced cryptographic techniques like PublicKey Cryptography, Multi-party Compute to ensure decentralization, and Blockchain for maintaining statefulness. It adopts the JWT syntax, featuring a three-component structure for enhanced interpretability. This perspective allows us to perceive DAT as a Web3 JWT.
DAT Components
    Type is used to determine the context of the token as well as request. Type takes values such as AUTH, SESSION, CHALLENGE and MPC.
  • AUTH, can be used in the context if the request is just intended for authentication and GET method.
  • SESSION, can be used in the context to maintain the session between client and server.
  • CHALLENGE, can be used in the context to do state changes about the user in the system, Ideally POST, PUT and DELETE methods uses this type.
  • MPC, can be used in the context where token is the part of multi-party compute which further needs aggregations and derivations with other MPC type tokens to access specific resource.
  • Signature is a web3 digest, which is generated by signing the message using the privateKey, which can be verified aganist the publicKey in a decentralized manner.
    Payload is a JSON object, which changes according to the type. Type=AUTH, needs message to be under payload, Type=SESSION, needs `expiresAt` to be under the payload, where the Type=CHALLENGE does not need any payload to be send along with token since request body acts as payload during authentication.
Authorization Headers
While passing DAT token along with Authorization headers, it needs the `signature` and `encoding` algorithms to be passed separated by "-". IOMe uses EC_S256-B58 DAT Authentication scheme, which means ECDSA algorithm with SECP256k1 curve along with Base58 encoding.
Sample API request using curl:
curl --location '<userID>/digitalme?dimension=personal&attributes=email' -- header 'Authorization: EC_S256-B58 <auth-token>'