Overview

PoK overview

The Proof-of-key (short PoK) process can be used to grant and check access rights. It is very flexible and can be integrated into any physical, digital or hybrid business process. It consists of two steps:

  • asking a user to sign a challenge -> this unambiguously proves whether or not he holds the private key for the address he is using
  • checking on-chain/off-chain conditions to decide whether or not this address is granted the requested services

Example

There are documents in an online archive, and the PoK process is put in place to guard access to these documents. The challenge replaces the login/password process. Instead of providing a login, the user provides his blockchain address. Instead of a password, he provides his response to the challenge. Only the holder of the secret private key can pass this challenge, so the server knows with certainty that the one who asks for access is the one who holds the private key for the address.
There is no difference from a login/password process, except that very strong cryptographic methods are used here and that the user doesn't have to memorize a login and password. A server that works with the login/password concept would now check its database to see whether the provided login has been granted access rights, and act accordingly.

The PoK method does something similar, but it doesn't check an internal database. It checks data on the blockchain, and it has a couple of options here. It can, for example, check whether the address holds a sufficient balance of tokens of a certain type, or whether there is a cryptographic link between the address and another artifact, and so forth. Again, the whole process is secured by the strongest cryptographic methods. Granting access (e.g. by transferring a token to the target address) is a process that can take place anywhere on the planet. It's a lot more secure, because the same technology protects trillions of assets. And it's decentralized. You can easily implement a multisig process or build really complex conditions by combining the existing building blocks.

Keep in mind that the process is asynchronous and involves two or more devices.

There’s the following sequence of actions:

  • CreatePoK: initiates a new PoK instance on the server and returns a challenge together with the ID with which you can later retrieve the status. The challenge is usually rendered into a QR code for a smartphone to scan and sign.
  • Subscribe to Event: without this, the server would not know when a client device has completed the challenge and would be forced to poll.
  • Sign the challenge: see below.
  • RespondPoK: submit the signed challenge to the server.
  • RetrievePoK: normally the event will have triggered by now. You can use this method to retrieve all data, including the signed challenge, so you can verify it yourself and there is no need to trust the Notardec API.
  • Proprietary actions: e.g. checking token balance, linkages, etc., then granting or denying access.

How to sign PoK

  const axios = require('axios');

  // Submits the signed challenge to the server (RespondPoK).
  // NOTARDEC_URL, NOTARDEC_KEY and the bearer token come from your configuration.
  async function respondPoK(body, token) {
    const apiKey = NOTARDEC_KEY;
    const response = await axios.post(`${NOTARDEC_URL}/pok/respond`, body, {
      headers: {
        'X-API-KEY': apiKey,
        Authorization: `Bearer ${token}`,
      },
    });
    return response.data;
  }

To sign a PoK, you need to send a POST request to the URL /pok/response. The request has the following body:

  address: string;      // the blockchain address whose key is being proven
  signature: string;    // the signed challenge (see below)
  challengeId: string;  // the ID returned by CreatePoK

Signature

The signature is the challenge string signed with the private key of the address. You can sign the challenge using the following code:

  // Wallet and signMessage are the ethers.js API these calls come from
  const { Wallet } = require('ethers');

  const wallet = new Wallet(privateKey);                  // private key of the address being proven
  const signature = await wallet.signMessage(challenge);  // challenge string returned by CreatePoK