Skip to main content

Password Management

Passwords are less-secure than private keys, however they may be the best option for your infrastructure. If you have passwords enabled, users only have to manage those passwords, rather than private keys. Once a user signs in and retrieves a token, they can send permissioned queries and transactions without having to worry about signatures.

Password Settings

There are several settings that are used to handle passwords and tokens. Two of the main settings are:

fdb-pw-auth-enable: by default this is true. fdb-pw-auth-secret: this can be any string.

Once we ensure these settings are how we like them, we can start our Fluree instance.

Passwords API

There are three API endpoints associated with passwords - generate, renew, and login.

When you generate a password, a new auth record is created in your given ledger. For example:

[{
"_id": 105553116267496,
"_auth/id": "Tf9Sn7cR3dRpdVJYXiRYY2TeNhJLpb2eLDS",
"_auth/salt": "371299876ee3328b4cd72dc3e25f3b0d",
"_auth/type": "password-secp256k1"
}]

The salt, the normalized password, and the fdb-pw-auth-secret are all used to regenerate the private key, and sign a request on behalf of the user.

When you generate, renew, or login, the response is a token, which then can be used in any subsequent request as authorization by placing the token the Authorization header: Headers: { Authorization: "Bearer TOKEN-HERE" }. For an implemention example refer to the Comic Store repo located in the Fluree Developer Hub.