ECDSA based authentication for Laravel/Dingo API

dev-master 2018-11-23 14:45 UTC

This package is auto-updated.

Last update: 2020-05-23 19:16:27 UTC


Passwordless authentication based on public/private key signatures.

ECDSA implementation for Laravel/Dingo API with the help of elliptic-php and keccak packages.


composer require ivanciric/ecdsa-auth

The library uses Laravel's package auto-discovery feature, so you don't need to register the service provider manually.

Publish the package configuration

php artisan vendor:publish


After publishing configuration, you can edit the available options in config/ecdsaauth.php

| Option | Details |
| --- | --- |
| user_provider | User class that should be used when attempting to authenticate an incoming API request. Default: \App\User::class |
| lookup_field | Field that should be initially checked when attempting to authenticate an incoming API request. Default: email |
| verification | If you require users to be verified (e.g. email verified) in order to access the data, set this option to true. Default: false |
| verified_field | If you've set verification to true, state the field which marks the user as verified. Default: email_verified |
| verified_pass_condition | Value of the verified_field that marks the user as verified. Default: 1 |
| key_lookup_field | Field which contains the public key of the user. This could be an Ethereum address or a pure ECDSA public key. Default: crypto_key |
| authorization_header | Name of the header which holds the authorization payload. Default: authorization |
| authorization_methods | Methods allowed in the authorization header. They denote the supported signature algorithms. Default: ['eth', 'ecdsa'] |
| message_property | Key in the payload which contains the message. Default: message |
| signature_property | Key in the payload which contains the signature. Default: signature |
| error_messages | Array of various friendly error messages. |


This package presumes you have Dingo API set up. Edit the config/api.php file and set the auth key as follows:

'auth' => [

You should set the lookup_field and key_lookup_field in the package config to reflect your user properties.

Protect your routes by specifying the middleware:

$api->version('v1', ['middleware' => 'api.auth'], function ($api) {

Creating the payload

The Authorization header should contain the payload in one of the following forms:

Eth eyJlbWFpbCI6ImhhQG1hLnRvIiwibWVzc2FnZSI6IjkyNThhNjQ0Y2FmZTZ...


Ecdsa eyJlbWFpbCI6ImhhQG1hLnRvIiwibWVzc2FnZSI6IjkyNThhNjQ0Y2FmZTZ...

The payload itself is base64-encoded JSON with the following properties:

    {
        "email": "h@ma.to", // user's email or alternative lookup field
        "message": "message that you've signed", // string
        "signature": "3046022100a94c1a..." // signature of the message
    }

All properties are configurable.
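
The Ecdsa form of the header, built and then checked end to end, as an added example (not the package's own code). It assumes the secp256k1 curve, a SHA-256 message digest and a hex-encoded DER signature, none of which this page specifies; `buildAuthHeader`, `checkAuthHeader` and the in-memory key map are hypothetical names.

```javascript
// Added example. Assumptions (not from the package): secp256k1, SHA-256 digest,
// DER signature in hex; function names are hypothetical. Only the Ecdsa form.
const nodeCrypto = require('node:crypto');

// Client side: sign the message and wrap it in the payload described above.
function buildAuthHeader(email, message, privateKey) {
  const signature = nodeCrypto
    .sign('sha256', Buffer.from(message, 'utf8'), privateKey) // DER-encoded for EC keys
    .toString('hex');
  const json = JSON.stringify({ email, message, signature });
  return 'Ecdsa ' + Buffer.from(json, 'utf8').toString('base64');
}

// Verifier side: returns the authenticated email, or null on any failure.
// publicKeys (Map of email -> public key) is a constructed stand-in for the user table.
function checkAuthHeader(header, publicKeys) {
  const parts = String(header).split(' ');
  if (parts.length !== 2 || parts[0].toLowerCase() !== 'ecdsa') return null;
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(parts[1])) return null; // strict base64 only
  try {
    const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
    if (payload === null || typeof payload !== 'object') return null;
    const { email, message, signature } = payload;
    if (![email, message, signature].every((v) => typeof v === 'string')) return null;
    if (!/^(?:[0-9a-f]{2})+$/i.test(signature)) return null; // hex, whole bytes
    const publicKey = publicKeys.get(email);
    if (!publicKey) return null; // unknown user
    const valid = nodeCrypto.verify(
      'sha256', Buffer.from(message, 'utf8'), publicKey, Buffer.from(signature, 'hex'));
    return valid ? email : null;
  } catch (err) {
    return null; // malformed JSON or signature encoding
  }
}

// Constructed demo data: a fresh key pair stands in for a registered user.
const demoKeys = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
const demoHeader = buildAuthHeader('h@ma.to', 'constructed demo message', demoKeys.privateKey);
const demoUsers = new Map([['h@ma.to', demoKeys.publicKey]]);
console.log(checkAuthHeader(demoHeader, demoUsers));
```

The Eth form is left out of this example.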