Pillar 01

Authentication

Multi-method identity without a central password database. Every supported auth method — wallet, passkey, social, or magic link — converges at a single Auth Edge that issues a session without storing secrets.

Design philosophy

Traditional platforms own your identity. irl.coop does not. Authentication here is a verification step, not a data collection step. The Auth Edge validates a proof (signature, OIDC token, WebAuthn assertion) and issues a session. It never stores the secret that created that proof.

Supported methods

Wallet signatures (Web3)

Members can authenticate using any of four supported blockchain ecosystems. Each uses a sign-in-with-wallet pattern: the Auth Edge presents a challenge, the wallet signs it, the signature is verified on the server.

• EVM — MetaMask, WalletConnect, Rainbow, Coinbase Wallet via Sign-In With Ethereum (SIWE)
• Cosmos — Keplr and Leap using ADR-036 amino signing
• Tezos — Temple and Beacon wallet via Tezos signed payloads
• Bitcoin — via Alby or compatible Lightning wallets using BIP-322

The wallet address becomes the member's primary identifier. Multiple wallets (across chains) can be linked to a single account. No private key ever leaves the member's device.

Passkeys (WebAuthn / Biometric)

Passkeys allow authentication via the device's biometric sensor (Face ID, Touch ID, Windows Hello). The private key is stored in the device's secure enclave. The Auth Edge never sees it — only the WebAuthn assertion is transmitted.

Passkeys are phishing-resistant by design: they are bound to the origin domain and cannot be replayed on another site.

Social login (OIDC)

Apple ID and Google ID are supported as OIDC providers. Members who prefer a familiar login experience can use these without setting up a wallet. The OIDC token is validated server-side; the social account is never used to infer or derive a wallet address.

Magic link / OTP

SMS and email one-time passwords allow members to authenticate without any app or wallet. A time-limited token is sent to the device; the Auth Edge verifies it and issues a session. This method is recommended for members who are new to the platform and want a familiar entry point.

Social QR (session handoff)

Members can scan a QR code from an already-authenticated device to transfer their session. This is useful in physical cooperative spaces where a member wants to log in on a shared terminal without entering credentials.

The Auth Edge

The Auth Edge is the single verification gateway. All auth methods above send their proof (signature, token, OTP) to the Auth Edge. It validates the proof, looks up or creates the member record, and issues a signed session token (JWT). The token is stored in an httpOnly cookie and rotated on each request.

The Auth Edge is intentionally stateless with respect to secrets. It holds no passwords, no private keys, and no seed phrases. If the Auth Edge is compromised, member wallets and passkeys remain safe.

Account linking

A member can link multiple authentication methods to a single cooperative identity. For example: a wallet address, a passkey on their phone, and a Google account can all authenticate the same member. This provides resilience — if one method becomes unavailable, others continue to work.

The platform actively prompts members who only have one authentication method linked to add a decentralized backup (wallet or passkey). This protects against deplatforming from centralized providers.

Security properties

• No central password database — the most common attack surface for credential theft is eliminated
• Wallet signatures are cryptographically unforgeable without the private key
• WebAuthn assertions are origin-bound — phishing is structurally impossible
• Sessions use httpOnly, Secure, SameSite=Lax cookies
• JWT tokens are short-lived and rotated
• SIWE messages include chain ID, nonce, and expiry to prevent replay attacks

Configuration

Authentication configuration lives in src/lib/auth.ts. The supported providers are registered in the NextAuth credentials provider. Chain-specific verification logic (SIWE, ADR-036, Tezos, BIP-322) is handled in theauthorize callback.

# Required env vars for auth
NEXTAUTH_SECRET="your-secret-here"
NEXTAUTH_URL="https://irl.coop"

# Optional: OIDC providers
GOOGLE_CLIENT_ID="..."
GOOGLE_CLIENT_SECRET="..."
APPLE_CLIENT_ID="..."
APPLE_CLIENT_SECRET="..."

See also

• Authorization — what authenticated members can do
• Compliance — data residency and member data rights