Authentication
Wave Casino uses Sign-In-With-Solana (SIWS), wallet-based authentication without passwords.
How it works
- The client generates a message and timestamp
- The user signs it with their Solana wallet
- The API verifies the signature (Ed25519) and issues a Bearer token
- Subsequent requests include the token in the Authorization header
Login request

```http
POST /casino/auth/login
Content-Type: application/json

{
  "wallet": "ABC123...",
  "timestamp": 1716038400000,
  "signature": "base64encodedSignature=="
}
```

The message signed must be exactly:

```
casino-auth:{wallet}:{timestamp}
```

Example in JavaScript:
```javascript
import { useWallet } from '@solana/wallet-adapter-react'

// useWallet is a React hook, so this runs inside a component
const { publicKey, signMessage } = useWallet()

async function login() {
  if (!publicKey || !signMessage) {
    throw new Error('wallet not connected or wallet cannot sign messages')
  }
  const wallet = publicKey.toBase58()
  const timestamp = Date.now()
  // Must match the server-side message format exactly
  const message = `casino-auth:${wallet}:${timestamp}`
  const encoded = new TextEncoder().encode(message)
  const signature = await signMessage(encoded) // Uint8Array, 64 bytes for Ed25519
  const signatureB64 = btoa(String.fromCharCode(...signature))
  const res = await fetch('/casino/auth/login', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ wallet, timestamp, signature: signatureB64 }),
  })
  if (!res.ok) throw new Error(`login failed: ${res.status}`)
  const { token } = await res.json()
  return token
}
```

Login response
```json
{
  "token": "eyJ...",
  "wallet": "ABC123...",
  "expiresAt": 1716040200000
}
```

The token is valid for 30 minutes. After expiry, repeat the login flow.
Using the token
Include the token in all authenticated requests:
```
Authorization: Bearer eyJ...
```

Rate limiting
The login endpoint is rate-limited to prevent abuse:
- Max 10 requests per minute per IP address
- Exceeding the limit returns 429 Too Many Requests
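To make the limit above concrete, here is an added example (not the project's middleware) of a sliding-window per-IP limiter with the documented 10-requests-per-minute budget, mapped onto the documented 429 response. The in-memory `Map`, the `Retry-After` header and the `loginResponseFor` shape are assumptions for illustration; the page does not say what headers the real endpoint returns or how it stores counters.

```javascript
// Added example (not Wave Casino's code): sliding-window per-IP limiter for
// the login endpoint, using the limits stated on this page.
const LIMIT = 10;              // max requests ...
const WINDOW_MS = 60 * 1000;   // ... per minute, per IP

class LoginRateLimiter {
  constructor(limit = LIMIT, windowMs = WINDOW_MS) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // ip -> timestamps (ms) of recent requests (assumed in-memory store)
  }

  // Records one attempt from `ip` and reports whether it is within budget.
  check(ip, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(ip) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(ip, recent); // over budget: do not record the rejected hit
      const retryAfterMs = recent[0] + this.windowMs - now; // when the oldest hit expires
      return { allowed: false, remaining: 0, retryAfterMs };
    }
    recent.push(now);
    this.hits.set(ip, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }
}

// Maps a limiter decision onto the HTTP status the page documents.
// Retry-After is a standard header; that the real API sends it is an assumption.
function loginResponseFor(limiter, ip, now = Date.now()) {
  const d = limiter.check(ip, now);
  if (!d.allowed) {
    return { status: 429, headers: { 'Retry-After': String(Math.ceil(d.retryAfterMs / 1000)) } };
  }
  return { status: 200, headers: {} };
}
```

Whether a rejected attempt should itself count against the window is a policy choice; here it does not, so a client that backs off for `Retry-After` seconds is guaranteed one more successful attempt.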
Admin authentication
Admin routes (/casino/admin/*) require the same Bearer token. The API checks the wallet's role against the RBAC rules. See Access Levels for details.