<p>This NUT defines a blind authentication scheme that allows mint operators to limit the use of their mint to a set of authorized users while still providing privacy within that anonymity set.</p>
1119
-
<p>We use two authentication schemes in conjunction: <em>clear authentication</em> using an external OpenID Connect / OAuth 2.0 service (described in <ahref="../21/">NUT-21</a>), and <em>blind authentication</em> with the mint to access its resources. A user's wallet first needs to obtain a clear authentication token (CAT) from an OpenID Connect authority that the mint selected, which is not subject of this specification. Once the user has obtained the CAT from the OpenID Connect service, they can use it to obtain multiple blind authentication tokens (BAT) from the mint. We describe this process in this document.</p>
1119
+
<p>We use two authentication schemes in conjunction: <em>clear authentication</em> using an external OpenID Connect / OAuth 2.0 service (described in <ahref="../21/">NUT-21</a>), and <em>blind authentication</em> with the mint to access its resources. A user's wallet first needs to obtain a clear authentication token (CAT) from an OpenID Connect authority that the mint selected, which is not the subject of this specification. Once the user has obtained the CAT from the OpenID Connect service, they can use it to obtain multiple blind authentication tokens (BAT) from the mint. We describe this process in this document.</p>
1120
1120
<p>Blind authentication tokens (BATs) are used to access the protected endpoints of the mint and make sure that only users that previously presented a valid CAT can access the mint's features such as minting, melting, or swapping ecash. Wallets provide a BAT in the request header when making a request to one of the mint's protected endpoints. The mint parses the header for a BAT, verifies the signature (like with normal ecash as described in <ahref="../00/">NUT-00</a>), checks if the token has previously been spent, and if not, adds it to its spent BAT token database.</p>
1121
1121
<h2id="blind-authentication-tokens-are-ecash">Blind authentication tokens are ecash<aclass="headerlink" href="#blind-authentication-tokens-are-ecash" title="Permanent link">¶</a></h2>
1122
1122
<p>Blind authentication tokens (BATs) are essentially the same as normal ecash tokens and are minted in the same way. They are signed with a special keyset of the mint that has the unit <code>auth</code> and a single amount <code>1</code>.</p>
1123
-
<p>BATs can only be used a single time for each request that the wallet makes to the mint's protected endpoints. After each for each successful request, the BAT is added to the mint's spent token list after which they are regarded as spent. The BAT is not marked as spent if the request results in an error.</p>
1123
+
<p>BATs can only be used a single time for each request that the wallet makes to the mint's protected endpoints. For each successful request, the BAT is added to the mint's spent token list after which they are regarded as spent. The BAT is not marked as spent if the request results in an error.</p>
1124
1124
<p>To summarize:</p>
1125
1125
<ul>
1126
1126
<li>Wallet connects to mint and user is prompted to register or log in with an OAuth 2.0 service</li>
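Review bot: The rewritten sentence in the second changed paragraph still mixes number: "the BAT is added to the mint's spent token list after which they are regarded as spent" pairs singular "the BAT" with plural "they". Suggest "after which it is regarded as spent". The unchanged opening sentence of that paragraph, "BATs can only be used a single time for each request", can also be read as allowing one use per request. Wording such as "Each BAT can be used only once, for a single request" would match the spent-list check described in the paragraph above the heading. Since single-use is the replay protection for protected endpoints, the normative wording should be unambiguous. Separately, both the removed and added lines carry "<ahref=" without a space, so the NUT-21 link markup looks broken in this rendered output and is not addressed by this change.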