Signing Messages
A web app can also request the user to sign a message, by using Petra API: wallet.signMessage(payload: SignMessagePayload)
Web apps can write their own message and then send it to Petra. The user will be prompted to sign that message, and then the signed message will be returned to the web app.
The following is provided for additional security.
signMessage(payload: SignMessagePayload)prompts the user with thepayload.messageto be signed- returns
Promise<SignMessageResponse>
- returns
Types:
export interface SignMessagePayload {
address?: boolean; // Should we include the address of the account in the message
application?: boolean; // Should we include the domain of the dapp
chainId?: boolean; // Should we include the current chain id the wallet is connected to
message: string; // The message to be signed and displayed to the user
nonce: string; // A nonce the dapp should generate
}
export interface SignMessageResponse {
address: string;
application: string;
chainId: number;
fullMessage: string; // The message that was generated to sign
message: string; // The message passed in by the user
nonce: string;
prefix: string; // Should always be APTOS
signature: string; // The signed full message
}Example message and response
signMessage({nonce: 1234034, message: "Welcome to dapp!" })
This would generate the fullMessage to be signed and returned as the signature:
APTOS
nonce: 1234034
message: Welcome to dapp!Verifying a signature
The most common use case for signing a message is to verify ownership of a private resource.
import nacl from 'tweetnacl';
const message = 'hello';
const nonce = 'random_string';
try {
const response = await window.aptos.signMessage({
message,
nonce,
});
const { publicKey } = await window.aptos.account();
// Remove the 0x prefix
const key = publicKey!.slice(2, 66);
const verified = nacl.sign.detached.verify(
Buffer.from(response.fullMessage),
Buffer.from(response.signature, 'hex'),
Buffer.from(key, 'hex'),
);
console.log(verified);
} catch (error) {
console.error(error);
}