• Public
  • Public/Protected
  • All

Package auth


Construct and decode authentication requests for Stacks apps.

This package provides the auth logic used by the Stacks Connect library. If you're looking to integrate Stacks authentication into your web app, Stacks Connect provides a simple API and built-in user interface. See the authentication tutorial.


npm install @stacks/auth


Generating an authentication request

import { UserSession, makeAuthRequest, AppConfig } from '@stacks/auth'

The app domain is the URL to your website/app. This is how the Stacks authentication system identifies apps and determines what credentials to provide. Changing the app domain is equivalent to changing the app. Note that you also need to have a valid manifest.json file at the domain.

const appDomain = 'https://www.myapp.com';

Next we set the basic permissions for your app to read and store user data. If your app will allow users to share data with other users, you will need an additional publish_data permission. We will also initiate a UserSession object using the configuration.

const appConfig = new AppConfig(['store_write'], appDomain);
const userSession = new UserSession({ appConfig });

The authentication payloads are encrypted during transit, the encryption key generated below provides this

const transitKey = userSession.generateAndStoreTransitKey();

The Stacks auth process will open a compatible Stacks authenticator or browser extension to perform the authentication. So you will need to provide a redirect URL which the authenticator or extension can redirect to with the authentication payload. This page should process the authentication payload.

const redirectUri = 'https://www.myapp.com/auth';

Set the location of your app manifest file. This file contains information about your app that is shown to the user during authentication.

const manifestUri = 'https://www.myapp.com/manifest.json';

Finally generate the authentication request payload:

const authRequest = userSession.makeAuthRequest(

The resulting payload can now be passed to a compatible Stacks authenticator or browser extension. If you are using Stacks connect, this is performed automatically.

If you would like to implement a Stacks authenticator, check out the reference implementation of the Stacks browser extension, Hiro Wallet.

Handling an authentication response payload

After an authenticator has processed your app's request, and the user has granted permission, the resulting response will be passed back to your app via the URL set in your redirectUri.

Below, we use userSession.isSignInPending to determine if there is an incoming authentication response. If detected, the userSession.handlePendingSignIn method will process the response and provide a userData object containing the user's identity, BNS username and profile information.

if (userSession.isSignInPending()) {
userSession.handlePendingSignIn().then((userData) => {
// Do something with userData

Checking if the user is signed in

Use the userSession.isUserSignedIn method to check if the user is already authenticated. If so, we can retrieve the user's profile data using userSession.loadUserData.

if (userSession.isUserSignedIn()) {
const userData = userSession.loadUserData();

Sign out

To sign the user out simply call the userSession.signUserOut method.


Data encryption

Stacks authentication also provides an easy way to encrypt the user's data. If you are using the @stacks/storage package, encryption is automatically enabled. If you would like to perform encryption outside of storage you can use the userSession.encryptContent and userSession.decryptContent methods.

const message = 'My secret message';
const cipherText = await userSession.encryptContent(message);
const plainText = await userSession.decryptContent(cipherText);

Note that encryption here uses the user's private key associated with your app only. If you need to share this data with another app or other users, you should use the equivalent methods from @stacks/encryption and provide a custom private key.



DEFAULT_BLOCKSTACK_HOST: "https://browser.blockstack.org/auth" = 'https://browser.blockstack.org/auth'

This constant is used in the [[redirectToSignInWithAuthRequest]]

DEFAULT_PROFILE: { @context: string; @type: string } = ...

Default user profile object

Type declaration

  • @context: string
  • @type: string


  • Look up a user profile by blockstack ID


    Returns Promise<Record<string, any>>

    that resolves to a profile object

  • makeAuthRequest(transitPrivateKey: string, redirectURI?: string, manifestURI?: string, scopes?: string[], appDomain?: string, expiresAt?: number, extraParams?: any): string
  • Generates an authentication request that can be sent to the Blockstack browser for the user to approve sign in. This authentication request can then be used for sign in by passing it to the redirectToSignInWithAuthRequest method.

    Note: This method should only be used if you want to roll your own authentication flow. Typically you'd use redirectToSignIn which takes care of this under the hood.


    • transitPrivateKey: string

      hex encoded transit private key

    • Optional redirectURI: string

      location to redirect user to after sign in approval

    • Optional manifestURI: string

      location of this app's manifest file

    • scopes: string[] = ...

      the permissions this app is requesting

    • Optional appDomain: string

      the origin of this app

    • expiresAt: number = ...

      the time at which this request is no longer valid

    • extraParams: any = {}

      Any extra parameters you'd like to pass to the authenticator. Use this to pass options that aren't part of the Blockstack auth spec, but might be supported by special authenticators.

    Returns string

    the authentication request

Generated using TypeDoc