wallet flow of a createAuthClient client. signIn runs the whole flow in one call; getNonce, createMessage, and verify are the underlying primitives for custom message construction.
The signer can be a human user (signing in their own wallet UI) or the agent itself signing programmatically with an agent signing token — only a valid signature from the wallet address is required, so SIWE supports fully autonomous agents with no human in the loop. See Sign In with a Private Key for both patterns.
signIn
Function Signature
signMessage callback, and verifies it. Key custody stays behind the callback — the wallet key never enters the client.
Parameters
address(string) - The signing wallet’s public address. Must be a 0x-prefixed 20-byte hex address.signMessage((message: string) => Promise<string>) - Your signer callback. Receives the sign-in message; returns the signature.sessionPublicKey(string, optional) - Compressed P-256 public key hex from generateSessionKeyPair. Binds the session key into the minted JWT — required if you will use a session signer with authenticateJwt forbackUpToDynamicflows.domain/uri(string, optional) - The origin the sign-in presents as. Default: derived from theappOriginset oncreateAuthClient(domain= its host,uri= the origin). Passing both per call overridesappOrigin.chainId(number, optional) - EVM-specific. Defaults to1.statement(string, optional) - Human-readable statement included in the message.walletName(string, optional) /walletProvider(WalletProviderEnum, optional) - Forwarded toverify; see its defaults below.
Returns
Promise<AuthResult>-{ jwt, expiresAt, userId }. PassjwttoauthenticateJwt; never log it.
Errors
addressnot a 0x-prefixed 20-byte hex address →"wallet.signIn requires a 0x-prefixed 20-byte hex address"(thrown before any network call).domain,uri, orstatementcontaining line breaks →"wallet.signIn: <name> must not contain line breaks"(line breaks would corrupt the EIP-4361 message structure).- Neither
appOriginnor per-calldomain/uriprovided →"wallet.signIn requires domain/uri — pass them or set appOrigin on createAuthClient". - Plus the
verifyerrors below once the flow reaches the server.
getNonce
Function Signature
Parameters
None.Returns
nonce(string) - Include it in the sign-in message viacreateMessage. Nonces are single-use.
createMessage
Function Signature
Parameters
domain(string) - The domain requesting the sign-in (for example,yourapp.example.com).address(string) - The signing wallet’s public address.uri(string) - The URI of the sign-in origin (for example,https://yourapp.example.com).chainId(number) - The EVM chain ID (for example,1for Ethereum mainnet).nonce(string) - The nonce fromgetNonce.statement(string, optional) - Human-readable statement shown to the user in their wallet.issuedAt(string, optional) - ISO 8601 timestamp. Defaults to now.
Returns
string- The sign-in message. Have the wallet key holder sign it, then pass both toverify.
verify
Function Signature
Parameters
message(string) - The exact message fromcreateMessage.signature(string) - The signature over the message.walletAddress(string) - The signing wallet’s public address (must match the message).sessionPublicKey(string, optional) - Compressed P-256 public key hex from generateSessionKeyPair. Binds the session key into the minted JWT.walletName(string, optional) - Defaults to'unknown'.walletProvider(WalletProviderEnum, optional) - Defaults tocustodialService.chain(ChainEnum, optional) - Defaults toEVM.
Returns
Promise<AuthResult>-{ jwt, expiresAt, userId }. PassjwttoauthenticateJwt; never log it.
Example
Error Handling
Related Functions
createAuthClient()- Create the auth client (includingappOrigin)- Email OTP sign-in - Email-based alternative
authenticateJwt()- Use the minted JWT