Radically open. Radically useful.
PolkaPass is a next‑generation authentication server that speaks OAuth 2.1 and OpenID Connect (OIDC) while replacing passwords and centralized identity providers with Polkadot wallets.
Any Web2 or Web3 app can offer “Sign in with Polkadot” — the same convenience as “Sign in with Google,” but with self‑sovereign keys, on‑chain verifiability, and zero data silos.
Users prove who they are by signing a short challenge with their sr25519 / ed25519 wallet key.
The server verifies the signature and issues standard JWT tokens (ID Token + Access Token), so existing OAuth/OIDC libraries work seamlessly — no custom SDKs and no blockchain RPCs required.
- OAuth 2.1 — the global standard for delegated authorization, letting apps access resources securely without handling user passwords.
- OpenID Connect (OIDC) — adds identity on top of OAuth, issuing signed ID Tokens (JWTs) that assert who the user is.
Every Web2 app using “Sign in with Google” or “Sign in with GitHub” already speaks OIDC.
With PolkaPass, that same familiar flow now works — only this time, the user’s wallet is the identity provider, not a centralized platform.
- Resilient Identity
  - Decentralize login using verifiable wallet signatures.
  - Support multiple issuers with JWKS anchored on‑chain, preventing single points of failure.
- Web2 Compatibility
  - Fully standards‑compliant OAuth 2.1 / OIDC endpoints (/authorize, /token, /.well-known/openid-configuration).
  - Works out of the box with existing OAuth client libraries — no custom integration layer needed.
- User‑Centric Authentication
  - Passwordless sign‑in via sr25519 / ed25519 Polkadot wallets.
  - Future roadmap: DID‑based identity, social recovery, and key rotation.
- Hackathon‑Ready Demo
  - Includes a full Node/Express demo app showing the end‑to‑end flow:
    Click Log in with Polkadot → sign challenge → receive JWT → access protected route.
The PolkaPass demo app homepage. Users start by choosing “Login with Polkadot.”
Wallet prompt asking the user to sign a challenge to verify ownership.
Successful login! User’s wallet address and verified ID token are displayed.
- Express — robust Node.js HTTP server
- jose — JWT + JWKS handling
- @polkadot/util-crypto — signature verification (sr25519/ed25519)
- nanoid — secure nonce generation
- TypeScript, browser‑ready build
- Integrates directly with polkadot{.js} extension
- Node + Express relying party (RP) implementation
- Uses openid-client for OIDC
- Session‑based user login & JWT verification
/auth-server # OAuth2/OIDC Authorization Server
/sdk # Browser SDK for wallet interaction
/demo-app # Example Web2 relying party (login demo)
/shared # Shared config (.env.example)
/README.md # Project overview
- Node.js 18+
- npm or yarn
- Polkadot{.js} browser extension
cd auth-server
cp .env.example .env
npm install
npm run dev
# → http://localhost:4000

cd demo-app
cp .env.example .env
npm install
npm run dev
# → http://localhost:3000

- Open http://localhost:3000
- Click Log in with Polkadot
- Sign the challenge via your wallet
- The app receives an OAuth code, exchanges it for ID Token + Access Token
- The app verifies the JWT via the Authorization Server’s JWKS endpoint
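
The challenge-signing step in the flow above is where replay and key-substitution bugs tend to appear, so here is a sketch of the server-side checks, added as an example and not taken from PolkaPass's own code. It assumes ed25519 only, uses Node's built-in crypto in place of @polkadot/util-crypto, identifies an account by its hex public key instead of an SS58 address, and the function names, message layout and two-minute lifetime are all hypothetical.

```javascript
// Added example: single-use, expiring, account-bound login challenges (ed25519).
const nodeCrypto = require("node:crypto");

const TTL_MS = 2 * 60 * 1000; // assumed challenge lifetime
const ED25519_SPKI = Buffer.from("302a300506032b6570032100", "hex"); // DER header
const pending = new Map(); // nonce -> { account, message, expiresAt }

// Build the text the wallet signs; it names the origin, client and account.
function issueChallenge(account, clientId, origin, now = Date.now()) {
  if (!/^[0-9a-f]{64}$/.test(account)) throw new TypeError("bad account key");
  const nonce = nodeCrypto.randomBytes(16).toString("base64url");
  const message = [
    `${origin} wants you to sign in with your Polkadot account:`,
    account,
    `Client: ${clientId}`,
    `Nonce: ${nonce}`,
    `Issued At: ${new Date(now).toISOString()}`,
  ].join("\n");
  pending.set(nonce, { account, message, expiresAt: now + TTL_MS });
  return { nonce, message };
}

// Check a signed challenge. The key is derived from the account the challenge
// was issued for, never from a key supplied alongside the signature.
function verifyChallenge(nonce, signature, now = Date.now()) {
  const entry = pending.get(nonce);
  if (!entry) return { ok: false, reason: "unknown_or_used_nonce" };
  pending.delete(nonce); // single use, even if a later check fails
  if (now > entry.expiresAt) return { ok: false, reason: "expired" };
  const key = nodeCrypto.createPublicKey({
    key: Buffer.concat([ED25519_SPKI, Buffer.from(entry.account, "hex")]),
    format: "der",
    type: "spki",
  });
  const valid = nodeCrypto.verify(null, Buffer.from(entry.message), key, signature);
  return valid
    ? { ok: true, account: entry.account }
    : { ok: false, reason: "bad_signature" };
}

// Constructed wallet for the demo: a throwaway ed25519 key pair.
function makeTestWallet() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
  const der = publicKey.export({ format: "der", type: "spki" });
  const account = der.subarray(12).toString("hex"); // raw 32-byte public key
  return { account, sign: (msg) => nodeCrypto.sign(null, Buffer.from(msg), privateKey) };
}
```

Only after `verifyChallenge` returns `ok: true` should the server mint an authorization code for that account; the in-memory `Map` has the same restart and multi-instance limits as the in-memory stores listed in the production notes.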
⚠️ This is an early‑stage hackathon prototype. For production deployment:
- Persist tokens & authorization codes (currently in‑memory)
- Consider DPoP / proof‑of‑possession tokens to mitigate replay
- Anchor issuer JWKS / DID keys on‑chain for full decentralization
- Add guardian‑based recovery for key loss
- Harden security: strict CORS, CSRF protection, secure cookies, and CSP
Built with ❤️ to bring open identity to the Polkadot ecosystem.