Step 1: Connect with Rollup Passport

Step 2: Register Your Application

• In your personal or group dashboard click on the "Create Application" button.

• Provide a name for your application. After this, you'll be redirected to the application's configuration screen.

Step 3: Configure your Application

On the application dashboard, you can obtain your Galaxy API key and application keys.

• Application Name: The name of your application. This will be displayed to users during the auth flow.

• Redirect URL: Where Rollup redirects users post-authentication to exchange tokens (more details on this on next page).

• App Icon: Your application's logo, which will be displayed to users during the auth flow.

• Terms of Service URL: A link to your application's TOS

• Privacy Policy URL: A link to your application's Privacy Policy

• Website URL: A link to your application's website

Once all details are filled in, activate the "Published" toggle and hit the "Save" button. With your application fully configured, you're now ready to complete integrate the auth flow into your app.

Understanding OIDC

OpenID Connect (OIDC) is a straightforward identity layer built on top of the OAuth 2.0 protocol. It enables clients to verify an end-user's identity based on the authentication performed by an authorization server. Additionally, OIDC provides basic profile information about the end-user in an interoperable and REST-like manner.

OIDC plays a crucial role in standardizing user authentication, simplifying the process for various online services to share this responsibility securely.

The Application of OIDC in Rollup ID

Rollup ID not only embraces the OIDC and OAuth 2.0 standards but also introduces a layer of decentralized control. This approach effectively returns the control of privacy and data security to the users. Here's how it works:

• Decentralized Control: Unlike traditional OIDC setups where authorization tokens are issued by the IDP, in the Rollup ID ecosystem, users issue these tokens themselves. This user-centric approach provides full control and transparency to the users over their authorizations.

• Consent-based Authorizations: Rollup ID operates on consent-based authorizations to services and data, giving users complete control over which applications can access their data and the extent of this access.

• Flexible and Extensible Claims: Authorization claims can include access to profile data, linked accounts, email addresses, Personally Identifiable Information (PII) / Know Your Customer (KYC) data, smart contract wallets, and more. The platform is also designed to allow third-parties to publish custom claims in the future.

• Easy Onboarding and Offboarding: Rollup ID enables businesses to create simple, user-friendly onboarding and offboarding experiences that meet regulatory and compliance requirements while aligning with user needs and expectations.

• Security and Fraud Prevention: Rollup ID safeguards users and developers from "fake accounts" through its robust identity verification features, including passkeys and other multifactor authentication (MFA) methods.

By incorporating these features, Rollup ID achieves "logical" or "sufficient" decentralization. It provides a secure, private, and user-controlled identity platform that adheres to the standards set by OIDC, ensuring a seamless and secure online experience for all users.

Registering Applications with Rollup ID

Authentication Flow

Rollup ID supports the authorization code from the OIDC spec. Although applications without backend servers (that may be running purely client-side) are more suited to implicit authentication flows, they are no longer recommended as they are not secure.

Authentication begins with a request to the /authorize endpoint. When using the native Sign In with Rollup ID page, most of the OIDC process is handled for you. You can begin the authentication cycle by redirecting your users to the /authorize endpoint with the appropriate parameters.

https://passport.rollup.id/authorize?client_id={client_id}&response_type={code}&redirect_uri={encoded_redirect_url}&state={state_value}&scope=oidc+profile+email

Redirect Responses

Once successfully authorized, the user is redirected back to your application. The redirect URL will contain a number of values, depending on the flow you are using.

The authorization code flow, the redirect URL will contain the code (an authorization code that can be exchanged for an ID token) and the state (the optional state value passed to the /authorize endpoint).

ID Token Verification

import * as jose from 'jose'

const verifyJwt = (token: string) => {
	const JWKS = jose.createRemoteJWKSet(new URL('https://passport.rollup.id/jwks'))

	const { payload, header } = await jose.jwtVerify(token, JWKS, {
		issuer: 'https://rollup.id',
		aud: '<your client id>',
	})

	return payload
}

verifyJwt('eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp.eyAs.XVCJ9...')

Rollup ID is a cutting-edge user management platform, meticulously crafted to prioritize privacy, security, and user-friendliness. Our primary goal is to empower users by providing a digital identity solution that places them at the center, allowing them to take control of their online data and identities.

At the same time, we understand the needs of applications. That's why Rollup ID is designed to offer enhanced security, control, and lifecycle management for your application. With Rollup ID, you can ensure a secure and seamless user experience while maintaining the highest standards of data privacy and protection.

Join us on this journey towards a more secure and privacy-focused digital world. Welcome to Rollup ID.

Get Started

Learn More

Overview

Rollup ID is designed to act as a "logically" or "sufficiently" decentralized user management platform that allows users to engage with online applications securely and privately. It aims to create simple on-boarding and off-boarding user experiences meeting not only regulatory and compliance requirements but also the needs and expectations of your users.

Core: Open Source Profile Graph

• Decentralized: End users should be the issuers

• Persistent: Identifiers should be inherently persistent (and deterministic)

• Cryptographically Verifiable: It should be possible to prove control of the identifier

• Resolvable: It should be possible to discover metadata about the identifier

Main Features

• Based on the OAuth 2 and OpenID standards, enabling consent-based authorizations to services and data.

• Authorization tokens are issued by the user, providing full control and transparency into the authorizations.

• Authorization claims can allow access profile data such as, linked accounts, email addresses, PII/KYC data, smart contract wallets, and more.

• Protection from "fake accounts" with its identity verification features like passkeys and other MFA features.

• Designed to support custom claims to third-party services on the platform in the future.

Edge-Deployed Profile Graph

Rollup ID is an open-source platform deployed at the edge, designed as a decentralized user graph consisting of nodes and edges. The nodes represent different types of objects, such as profiles, accounts, linked addresses, storage, smart contract wallets, applications, and authorizations. The edges represent the relationships between these nodes, enabling traversal and interaction within the graph.

Key Components

• Nodes: Nodes represent different types of objects in the graph, including profiles, accounts, linked addresses, storage, smart contract wallets, applications, and authorizations.

• Edges: Edges represent the relationships between nodes and are used to traverse and interact with the graph.

• Access Tokens: Users issue access tokens through claims and scopes to protect traversal of the graph.

• Entry Node: To traverse the graph, an entry node (e.g., subject) is typically required.

Accessing the Graph

1. Proof of Identity: To log in to Rollup, a user needs to present proof of identity, such as an email address or social account. This proof enables the deterministic discovery of the Address Node on the graph, representing the unique identity factor.

2. Address Node and Account Node: If the Address Node has a linked unique identity (Account Node), the graph can be traversed to this identity. If no identity exsists, one will be created.

3. Authorization Claims: The user's identity can now be asked to issue authorization claims to traverse other edges to nodes on the graph (e.g., profiles, storage namespaces, etc.). Once authorization is accepted, the authorization itself becomes an Access Node, linking the identity on one side to the application that requested the authorization on the other using edges.

User Passports

With Rollup, users have "passports" they can log in to and manage their identities, issued tokens, and other aspects of their Rollup experience. Passports provide users with full control and transparency over their data and authorizations.

ID Token

You can create a user in your database using the ID token. The ID token contains the user's unique identifier in the subject (sub) field, which can serve as a reference for the user in your database. The ID token also includes the user's profile information, allowing you to populate user details in your database accordingly.

Access Token

Make sure to store the access token securely in your database or another safe storage mechanism accessible to your application.

Refresh Token

In addition to storing ID tokens, you may also need to store refresh tokens in your database. Refresh tokens are used to obtain new access tokens without requiring the user to re-authenticate. This can be particularly useful for providing a seamless user experience, especially for applications that require long-lived sessions.

When you receive a refresh token, it should be stored securely in your database, associated with the user. Here's an example of how you might store a refresh token:

{
  "userId": "{userId}",
  "refreshToken": "{refreshToken}"
}

When the access token expires, your application can use the stored refresh token to request a new access token from the Rollup ID authorization server. This request would include the refresh token along with your application's client ID and secret.

It's important to handle refresh tokens securely because they can be used to obtain new access tokens. If a refresh token is leaked, it could potentially allow unauthorized access to the user's resources. Therefore, refresh tokens should be stored securely and treated with the same level of care as the user's credentials.

Browser Applications

Session Cookies

The most common method to authenticate a user's session in a browser application is by using session cookies. A session cookie can store simple user information, such as the ID token received through the authentication flow or a basic user ID. You can use this session cookie to validate the user's session for every subsequent server request.

As a developer, you can set and reset expiry times on the session cookie to control the duration of the user's login. Most web frameworks have built-in support for session cookies.

TODO: example code

Session Storage

For single-page applications (SPAs) without a backend, you can use browser session storage to store tokens.

TODO: example code

Native Applications

The most common way to authenticate users in a native application is by using on-device secure storage to store tokens and maintain user sessions after the authentication flow. The primary difference with native apps is that you will need to use a WebView or browser to complete the authentication flow. This is achieved by setting the redirect URL to a custom URL scheme you register for your app.

When Rollup redirects to this URL, your app can pick up the exchange code, complete the authentication flow, and receive the ID and access tokens.

TODO: example code

Logging Out

To enable users to log out, clear the session cookie or session storage and redirect them to your login page. Your login page should then redirect users to the authentication flow if they are not logged in. The authentication flow will prompt users to continue using their last known identity.

Step 1

In your application OAuth configuration make sure that the "email" scope is selected in the "allowed scopes" dropdown. Make sure to save this configuration before moving to step 2.

Step 2

Step 3

After authenticating into your custom Rollup application, your users will we be presented with an authorization screen containing the email scope authorization request.

If the user already as a connected email, this email will be automatically selected. If no email address is connected to their identity they can connect an new email address and continue.

Step 4

Step 1

In your application OAuth configuration make sure that the "connected accounts" scope is selected in the "allowed scopes" dropdown. Make sure to save this configuration before moving to step 2.

Step 2

Step 3

After authenticating into your custom Rollup application, your users will we be presented with an authorization screen containing the connected accounts scope authorization request.

By default "All Connected Accounts" will be selected. Users will have the option to filter down connected accounts.

Step 4

Step 1: Initiate the Auth Request

To log in or register to a user your application the first step is to send an authorization request to your Rollup ID application. This is typically handled by a redirect route (e.g./auth) in your application.

This request contains essential parameters, including the client_id (your application's ID), response_type, scope, state and redirect_url.

The state parameter is a CSRF token used to protect against potential attacks and to maintain any state that might be useful after the authentication process (more on this later). Before redirecting users to the Rollup ID auth flow, it is important that the state parameter is persisted in a cookie or other storage method for reference in a later step.

For example, your authorization URL should look like this: https://passport.rollup.id/authorize?client_id=<your_app_id>&state=<generated_state>&scope=email.

Step 2: User Authentication & Authorization

Rollup ID will use the provided client_id to look up your application details, displaying your application name and branding information.

If the user is not signed in they will be displayed the authentication page where they can choose from various authentication methods. After successful authentication, the user will be shown the authorization screen to provide consent for the requested scopes, allowing your application to access specific data.

Upon completion, users will be redirected back to your app using the redirect_url set in the previous step.

Step 3: Authorization Code Exchange

Your redirect_url should be ready to accept an exchange token and state parameters in the following format:

// https://<redirect_url>?code=<exchange code>&state=<state>

• Code: the exchange code needed request an access token

• State: this state should match the state you created for the user/client in Step 1. Typically your chosen OAuth library will manage this for you.

To exchange the code for an access token use this information to call the exchange token endpoint using the "authorization_code" value for "grant_type"

Step 4: Access Token & ID Token

Ensure you handle this data with care, respecting user privacy and adhering to data protection regulations.

Step 5: Refresh Tokens (optional)

Refresh tokens allow your application to obtain new access tokens, ensuring uninterrupted access to user data.

If you ever find yourself with an expired refresh token you can consider this as the user being "logged out" and redirect them to repeat the auth flow.

Accessing You User's Smart Contract Wallets

Prerequisites

Setup

3. Go to the Blockchain setting tab

4. In the paymaster section, enter your paymaster credential and save.

5. Go to the OAuth settings tab

6. In the scopes dropdown select erc_4337 scope

Registering Session Keys

{
  "sub": "<unique did urn>",
  "aud": "<your app urn>",
  "erc_4337": [{
    "nickname": "game wallet",
    "address": "0x123abc...."
  }],
  ...
}

import { Wallet } from 'ethers'

// if using more than once we recommend that you store the private key somewhere safe.
// you will need the privateSigner to submit transactions using your session key.
const privateSigner = Wallet.createRandom()
const address = await privateSigner.address()

const sessionDataRes = await fetch("https://galaxy.rollup.id/rest/register-session-key", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    Authorization: `Bearer ${accessToken}`,
    "X-GALAXY-KEY": process.env.ROLLUP_GALAXY_API_KEY!, // available in console app
  },
  body: JSON.stringify({
      smartContractWalletAddress: session.erc_4337[0].address, //users' smart contract wallet address
      sessionPublicKey: address, //ethereum address for which to issue session key
    },
  }),
})

const sessionData = await sessionDataRes.json()

```

Once a session key has been registered you should receive session key data that can be used directly with your ethers library or account abstraction / paymaster provider SDK directly.

Revocation of Session Key

Once user authorized app to create a session key for provided wallet, user easily can revoke this session key at any time.

Here's how to do that:

2. Navigate to Applications tab in side-menu

3. Select app for which to revoke session key and hit Edit Access button

4. Then push Revoke Access button

This action will revoke all scopes user authorized app to use, including the revocation of session keys for all authorized smart contract wallets.

Accessing Your App's Smart Contract Wallet

Overview

This involves multiple redirects:

In order to implement these hops, configure Rollup, Supabase, and your app as follows:

Console Configuration

Request authorization for the Email scope and set the Redirect URL to the Supabase Keycloak provider's redirect URL. You can get the redirect URL from the Keycloak provider configuration (see below).

Required scope values are:

• Email

• Profile

OpenID is an optional scope suggested for standards-compliant OIDC connections.

Save and publish your application.

Supabase Configuration

Within Supabase, select "Authentication" a nd then under "Configuration" select "Providers" and under the "Email" settings disable "Confirm Email" and save.

Next go to the Keycloak settings and enable Keycloak.

Update your Keycloak configuration's Client ID and secret with the values from your Rollup Console Application.

Set your Keycloak Realm to https://passport.rollup.id (the screenshot below shows our development environment).

Copy your callback URL here and use it in your Rollup Console Application configuration (see above).

Save your settings.

App Configuration

Within your application, use the Supabase library to sign the user in with the configured Keycloak provider:

Step 1

Follow the getting started guide for initial setup instructions.

Step 2

The dashboard is where you will be presented with an overview of your application keys, connected smart contracts, and user sessions.

The users tab is where you can list and explore users in your application.

Console is your control centre where you register and manage all your applications. Below is an incomplete tour of the Console app.

Navigation

The navigation consists of two main sections.

At the top right you have your profile menu. Here is where you can sign out and visit your Profile.

On the left is your application context menu. Here is where you can toggle between your applications and also create new ones.

Application List

The very first screen you will see in Console is the list of all your applications in one place. You can also create apps from this screen using the "Create Application" button.

Application Management

Within an application context you will be presented with a few tabs.

Overview

Configuration

CRM

Management

Settings Panel

The settings panel is a read only configuration for your application's Client ID (aka App ID) and Client Secret (aka App Secret).

Details Panel

The name and picture you choose will be displayed to users when logging in.

The authorization scopes, "privacy policy" and "terms of services" will be displayed to the user during the authorization step.

Links Panel

The links panel is where you can add additional links about your apps that can be displayed to users in the Rollup apps directory.

Danger Zone Panel

This is where you can delete your application.

Onboard users to blockchain

Ethereum account abstraction and user deposit vault accounts provide secure and flexible management of funds on the Ethereum blockchain. With this feature, apps can sponsor gas fees can interact with a smart contract wallet using the Galaxy API, while each user's funds are kept in a separate deposit vault account, reducing the risk of unauthorized access or loss of funds.

Preferred Account Abstraction Providers

To configure ZeroDev with your Rollup ID app you will need to create a project and copy the project id into the applications.

Interested in becoming an Account Abstraction Provider

Please answer the following questions to see if you qualify:

• Do you have an SDK or API?

  • Does your SDK use fetcher? (We do not support XMLHttpRequest and therefore cannot integrate your SDK) OR

  • Can your service be used with API calls?

• Are your smart contracts 4337 compatible?

  • Do you have a smart contract factory to generate the same smart contract wallet address across all chains?

  • Does your smart contract wallet support session key registration?

  • Does your smart contract wallet support session key revocation?

  • Does your service help customers sponsor gas fees?

Configure Custom Domain

A custom domain feature in an authentication tool allows an organization to use its own domain name instead of the tool's default domain. This provides a more seamless user experience, improves brand consistency, and enhances the security of the authentication process by reducing the risk of phishing scams.

Customize your Login Experience

With a white label feature in your authentication tool, you can customize the user interface to match your brand, giving a seamless experience to your users. This not only enhances brand consistency but also establishes trust with users, making it an essential security measure for protecting sensitive data.

Fast KYC

The KYC feature enables fast and secure user onboarding by streamlining the identity verification process. It helps businesses comply with regulations related to fraud prevention and anti-money laundering, ensuring a safer environment for both the organization and its customers. KYC is an essential feature for businesses looking to onboard users quickly and efficiently while maintaining compliance with regulations.

Communicate directly to users

A messaging tool inside a CRM allows businesses to communicate with their users and prospects from a single platform, providing a more efficient and streamlined process. It enables automation, personalized communication, and improved user engagement, resulting in stronger relationships and increased productivity.

Direct User Acquisition

With the zero-knowledge audience builder tool, businesses can identify and target specific groups of potential users, creating personalized marketing messages that optimize user acquisition efforts. This feature enables businesses to launch their application and acquire their first and next users efficiently and effectively, ensuring a successful launch.

Manage Permissions

The team management, roles, and permissions feature allows yo to control access and enhance security by defining roles and permissions for team members.

Passport is an OAuth-based authentication and authorization gateway for your app that is hosted and customizable with your domain. It requires minimal integration and can be accessed on any device (desktop, web, mobile) and has the following flow and features.

Auth Flow

Authentication

Once authenticated the user will be redirected to the authorization screen.

• Connect with Wallet

• Connect with Email

• Connect with Passkeys (aka. WebAuthn)

• Connect with Google

• Connect with Apple

• Connect with Twitter

• Connect with Github

• Connect with Microsoft

• Connect with Discord

Authorization

Tokens & Sessions

Authenticated users will also maintain their session with passport for 90 days and that session will be extended long as the user user visits the passport app within the 90 day period. This also means that if your application session expires and the user is redirected to passport you will automatically get another access token and refresh token.

Two types of tokens are related to user authentication and authorization: ID tokens and access tokens.

ID tokens

The decoded contents of an ID token looks like the following:

{
  "iss": "https://passport.rollup.id/",
  "sub": "{identityUrn}",
  "aud": ["{yourClientId}"],
  "exp": 1311281970,
  "iat": 1311280970,
  "name": "Jane Doe",
  "picture": "http://example.com/janedoe/me.jpg",
  "email": "janedoe@example.com"
}

ID tokens can be treated as authentication tokens for your application. You can store this token with the user's profile in your database using the subject as the unique user identifier and use it to personalize the user's experience. However, sending an ID token to the Galaxy API will not work.

Access tokens

Access tokens are JWTs used to inform the Galaxy API that the bearer of the token has been authorized to access the API and perform a predetermined set of actions (specified by the granted scopes). An app can request scopes through the Console OAuth settings page, and the user can grant or deny access to the scopes during the authentication flow.

Access tokens must never be used for authentication. They do not confirm if the user has authenticated. Access tokens only possess the user ID, located in the sub claim. Treat access tokens as opaque strings since they are meant for APIs. Your application should not attempt to decode them or expect to receive tokens in a particular format.

Here is an example of an access token:

{
  "iss": "https://passport.rollup.id/",
  "sub": "{identityUrn}",
  "aud": ["{yourClientId}"],
  "azp": "{yourClientId}",
  "exp": 1489179954,
  "iat": 1489143954,
  "scope": "openid profile email read:connected_accounts"
}

Access tokens do not contain any user information other than their ID (sub claim) and authorization information about the actions the application is allowed to perform via the API (scope claim). This makes them useful for securing an API but not for authenticating a user.

Refresh Tokens

In addition to ID tokens and access tokens, OAuth 2.0 also introduces the concept of refresh tokens. A refresh token is a special kind of token that can be used to obtain a renewed access token. This is useful in situations where the access token has expired or has been invalidated, and the application needs to gain access to the user's resources without having to re-authenticate the user.

Refresh tokens are typically long-lived and can be used to request new access tokens from the authorization server. This is done by sending a request to the token endpoint of the authorization server, including the refresh token along with the client's ID and secret.

Here is an example of a refresh token:

{
  "iss": "https://passport.rollup.id/",
  "aud": ["{yourClientId}"],
  "sub": "{userId}",
  "exp": "{expiryTimestamp}",
  "iat": "{issuedAtTimestamp}",
  "jti": "{uniqueTokenIdentifier}"
}

In the Pro version of Rollup, you can set the issuer (iss) to your own custom domain. See the custom domain feature in your Console app.

Refresh tokens provide a more seamless user experience by reducing the need for the user to re-authenticate and grant permissions, while also maintaining the security and privacy of the user's data. However, because refresh tokens can be used to obtain new access tokens, they must be stored securely and treated with the same level of care as the user's credentials.

TODO

Overview

Key Features

• GraphQL API: The Galaxy GraphQL API allows developers to make flexible and efficient queries, enabling them to request precisely the data they need, reducing the amount of over- or under-fetching.

• REST API (coming soon): The Galaxy REST API offers developers a more familiar and straightforward way to interact with the Rollup ID graph using standard HTTP methods.

• Authorization: Developers must use their application API keys paired with user-issued access tokens to access the Galaxy API, ensuring secure and authorized access to the graph.

• Graph Traversal: Galaxy API enables developers to traverse the graph, interacting with nodes and edges while adhering to the authorization constraints set by the user.

Using the Galaxy API

Authentication

To authenticate with the Galaxy API, developers must use their application API keys and user-issued access tokens. These tokens ensure that only authorized applications can access the graph, and only with the specific permissions granted by the user.

Making Requests

Developers can make requests to the Galaxy API using either the GraphQL or REST endpoints:

1. GraphQL Requests: Developers can send GraphQL queries and mutations to the GraphQL endpoint, allowing them to fetch or modify data efficiently.

2. REST Requests: Developers can use standard HTTP methods (GET, POST, PUT, DELETE) to interact with the REST API endpoints, providing a more familiar approach to working with the Rollup ID graph.

Traversing the Graph

Using the Galaxy API, developers can traverse the Rollup ID graph by making requests to access and interact with nodes and edges. These interactions are subject to the access tokens issued by the user, ensuring that developers can only access the specific data and relationships permitted by the user.

TODO

TODO

This is a listing of scope values Rollup supports and plans to support for Rollup accounts.

Scopes

Setup Guide

const query = `query getProfile() {
  profile {
    displayName
    pfp
  }
}`

const { profile } = fetch("https://galaxy.rollup.id/graphql", {
  method: "post",
  headers: {
    "Authorization": `Bearer ${jwt}`,
    "X-GALAXY-KEY": "...",
  },
  body: JSON.stringify({ query }),
})
  .then(r => r.json())
  .catch(err => {
    console.error(err) // something went wrong
    return { profile: null }
  })

const query = `query getProfile() {
  profile {
    displayName
    pfp
  }
  gallery {
    contract
    tokenId
  }
}

const { profile } = fetch("https://galaxy.rollup.id/graphql", {
  method: "post",
  headers: {
    "Authorization": "Bearer ${jwt}",
    "X-GALAXY-KEY": "...",
  },
  body: JSON.stringify({ query }),
})
  .then(r => r.json())
  .then(data => {
    return {
      ...data.profile,
      gallery
   }
  })
  .catch(err => {
    console.error(err) // something went wrong
    return { profile: null }
  })

const query = `query getProfileFromAlias($provider, $alias) {
  profile: profileFromAlias(provider: $provider, alias: $alias) {
    displayName
    pfp
  }
}

const { profile } = fetch("https://galaxy.rollup.id/graphql", {
  method: "post",
  headers: {
    "X-GALAXY-KEY": "...",
  },
  body: JSON.stringify({
    query,
    variables: {
      provider: "eth",
      alias: "vitalik.eth"
    }
  }),
})
  .then(r => r.json())
  .catch(err => {
    console.error(err) // something went wrong
    return { profile: null }
  })

const client = new GraphQLClient(endpoint, {
  headers: {
    Authorization: 'Bearer ${jwt}',
    'X-GALAXY-KEY': '...',
  },
})

const query = `query getProfile() {
  profile {
    displayName
    pfp
  }
}

const { profile } = client.request(query)

const query = `query getProfile() {
  profile {
    displayName
    pfp
  }
  gallery {
    contract
    tokenId
  }
}

const { profile } = client.request(query).then(data => {
  return {
    ...data.profile,
    gallery
  }
})

const query = `query getProfileFromAlias($provider, $alias) {
  profile: profileFromAlias(provider: $provider, alias: $alias) {
    displayName
    pfp
  }
}

const { profile } = client.request(query, {
  provider: "eth",
  alias: "vitalik.eth"
})

const { profile } = await myGeneratedClient.getProfileFromAddress({
  addressURN,
})

Definitions

X-Galaxy-Key Header

Authorization Header

API Playground

Exchange Token

Call this method to exchange an exchange code or refresh token for a new access token and refresh token.

Exchange Token

POST https://passport.rollup.id/token

Call this method to exchange an exchange code or refresh token for a new access token and refresh token.

Request Body

{
    access_token: string,
    refresh_token: string,
    token_type: 'Bearer',
    id_token: string
}

Example

const tokenForm = new Form()
tokenForm.append('code', exchangeCode)
tokenForm.append('grant_type', grantType)
tokenForm.append('client_id', clientId)
tokenForm.append('client_secret', clientSecret)

const { access_code, refresh_token } = await fetch(
  'https://passport.rollup.id/token',
  {
    method: 'post',
    body: tokenForm,
  }
)

curl https://passport.rollup.id/token -X POST \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "client_id={clientId}" \
  --data-urlencode "client_secret={clientSecret}"
  --data-urlencode "code={exchangeCode}"
  --data-urlencode "grant_type=authorization_code"

Source

User Info

Call this method to retrieve basic identity information for the user. This endpoint retrieves fresh data that would have been included in the ID token when the app was initially authorized by the user.

User Info

POST https://passport.rollup.id/userinfo

Call this method to retrieve basic identity information for the user.

Headers

{
    name: '(some name here)',
    picture: '(URL of some picture here)',
    email: '(email address connected to the account)',
    sub: '(unique identifier of the account aka. accountURN)',
    connected_accounts: [
      {
        type: 'eth',
        identifier: '(eth address)'
      },
      {
        type: 'email',
        identifier: '(email address of connected account)'
      },
      {
        type: 'github',
        identifier: '(github username)'
      }
      //other addresses
    ]
}

Example

const access_token = '(some access token value)'

const response = await fetch('https://passport.rollup.id/userinfo', {
  headers: {
    Authorization: `Bearer ${access_token}`,
  },
})
const { name, picture } = await response.json()

export token="(some token value)"
curl https://passport.rollup.id/userinfo \
  --header "Authorization: Bearer $token"

OpenID Connect Discovery

The OpenID provider metadata can be accessed in the endpoint described below.

OpenID Configuration

GET https://passport.rollup.id/.well-known/openid-configuration

{
  "issuer": "https://passport.rollup.id",
  "authorization_endpoint": "https://passport.rollup.id/authorize",
  "token_endpoint": "https://passport.rollup.id/token",
  "token_endpoint_auth_methods_supported": ["client_secret_post"],
  "token_endpoint_auth_signing_alg_values_supported": ["ES256"],
  "userinfo_endpoint": "https://passport.rollup.id/userinfo",
  "jwks_uri": "https://passport.rollup.id/.well-known/jwks.json",
  "scopes_supported": ["openid", "profile", "email"],
  "response_types_supported": ["code"],
  "subject_types_supported": ["public", "pairwise"],
  "userinfo_signing_alg_values_supported": ["ES256"],
  "id_token_signing_alg_values_supported": ["ES256"],
  "request_object_signing_alg_values_supported": ["ES256"],
  "claims_supported": ["sub", "iss"],
  "service_documentation": "https://docs.rollup.id/"
}

JSON Web Key Set

The JWKS is the list of public keys to be used to validate token signatures.

JWKS

GET https://passport.rollup.id/.well-known/jwks.json

{
  "keys": [
    {
      "alg": "ES256",
      "kid": "1682004114895",
      "kty": "EC",
      "x": "ArcyYahTQbDLptozxzlYArNCKkz50iE7uCW1FBZ4P6Y",
      "y": "Vi51b0mBI1QWALTf5vd2guoBNn72VTv473vhHt1ZgQw",
      "crv": "P-256"
    },
    {
      "alg": "ES256",
      "kid": "1682000697502",
      "kty": "EC",
      "x": "JL5ZRnjb9pp9TqKsT5-pfa0Yw-Q191J210MwpdpWlZQ",
      "y": "OOc5DhoEIUczfNNof25suDFLWKNUTTb0pDm2_4hJMk4",
      "crv": "P-256"
    }
  ]
}

Where do I get support?

When will WebAuthn/Passkeys be supported?

Passkeys/WebAuthn has now been implemented and is now one of the available authentication methods in Rollup Passport.

What is a Vault and when will it be available?

Vault is an ETH "burner wallet" linked to a user identity and can be created by developers using progressive authorizations. Access to these wallets is governed by advanced OAuth scopes and available over API and is perfect for onboarding non-technical users to blockchain powered applications.

How do I claim my promotional credits?

2. Go to the "Billing and Invoicing" section on the bottom left navigation.

3. Follow the prompt to select a billing email address.

5. Someone will reply when credits have been applied