Web Proofs over OAuth for delegated access
This guide is for application developers building a client-side application that needs to generate Web Proofs for API calls secured by OAuth Bearer Tokens.
Suitable client-side applications may include:
- Single-page applications (SPA)
- Progressive Web Apps (PWA)
- Native iOS and Android apps
Web Proofs, a term coined by Pluto, are mathematical proofs that preserve user anonymity, security, and privacy over internet data. A user can privately and verifiably demonstrate certain characteristics, such as their balance on a fintech application like Venmo, without exposing personal information.
The Web Proofs described on this documentation page are specifically for proving API calls protected by OAuth Bearer Tokens. Note that this authentication flow is tailored for client-side implementation, allowing applications to function independently without server-side support.
OAuth Background
OAuth 2.0 introduced several authorization flows, including the Implicit Flow, which was initially designed for client-side applications. However, such applications usually cannot securely store secrets, which leaves them susceptible to attacks.
To address security concerns for public clients, such as Single-page applications (SPAs), the Proof Key for Code Exchange (PKCE) extension was developed. PKCE is specifically designed for environments where it is impractical to maintain the confidentiality of credentials. It has become the preferred method for securely obtaining access tokens in client-side applications, offering a more robust solution compared to previous strategies.
Try it out ...
Try out a live demo: Authorize our sample OAuth client to allow access to your Reddit user profile. Then create a trustless Web Proof for the account data returned by the API.