📘

Info:

The whole Frictionless Sign-in flow (together with the Buy and Sell crypto flows) is graphically depicted here for both Individual and Corporate type of customers. Check the diagram sections with Frictionless Flow in the title for the frictionless flow diagrams.

In summary, you will first generate the Private/Public key pair on your device and share the Public key with Coinify. This will enable Coinify's system to make sure the Sign-up request is coming from a trusted source. You will then create the JWT token with the specific header and payload, and sign it with your Private key. Lastly, you will pass the generated JWT with the trustedEmailValidationToken parameter in the Sign-up API Request.

Please find the steps for setting up the Frictionless Sign-up flow below:

1. Generate Private/Public key pair

The following code samples contain file names which you can adjust according to your needs. Of course, you are welcome to use your own code for the same use case.

• To generate a PEM Private key and save it to a file named key.pem, input the following line in your terminal:

openssl genrsa -out key.pem 2048

• To extract the Public key from the generated Private key and save it to a file named public.pem, input the following command:

openssl rsa -in key.pem -outform PEM -pubout -out public.pem

• Get the Public key and deliver it to Conify via your dedicated channel of communication. Once the Public key is set on the Coinify side, you can start the Frictionless Sign-up process by following the next steps.

❗️

Never share your Private Key!

2. Generate the JWT token

The JWT token is passed in the trustedEmailValidation field on the customer Sign-up API request. It confirms that the request is coming from your trusted system and that customer with the correct email is being signed up.

Below, you can find a couple of code examples on how to generate the JWT token. In this example, the only thing you need to make sure is that you are passing the correct email of the customer you want to sign up and that you are using the correct path to the file with the Private key.

const base64 = require('base64url'); // Import the 'base64url' library to handle Base64Url encoding
const crypto = require('crypto'); // Import the 'crypto' module to perform cryptographic operations
const signatureFunction = crypto.createSign('RSA-SHA256'); // Create a cryptographic signature object using the RSA-SHA256 algorithm
const fs = require('fs'); // Import the 'fs' module to read the private key from a file

// Define the header object for the JWT, specifying the algorithm and token type
const headerObj = {
    alg: 'RS256',
    typ: 'JWT'
};

// Define the payload object with the email of the customer that's being signed-up
const payloadObj = {
    email: '[email protected]'
  //exp: 1467331200  // Optional: Use the "exp" parameter IF you want the JWT token to expire at a specific time. UNIX Timestamp format. 
};

const headerObjString = JSON.stringify(headerObj); // Convert the header object to a JSON string
const payloadObjString = JSON.stringify(payloadObj); // Convert the payload object to a JSON string

// Encode the header JSON as Base64Url
const base64UrlHeader = base64(headerObjString);
// Encode the payload JSON as Base64Url
const base64UrlPayload = base64(payloadObjString);

// Concatenate the Base64Url-encoded header and payload
signatureFunction.write(base64UrlHeader + '.' + base64UrlPayload);
signatureFunction.end();

const PRIV_KEY = fs.readFileSync(__dirname + '/id_rsa_priv.pem', 'utf8');// Read the Private key from a file (in this example file name is 'id_rsa_priv.pem')


const signatureBase64 = signatureFunction.sign(PRIV_KEY, 'base64');// Sign the concatenated data using the private key and get a Base64 signature
const signatureBase64Url = base64.fromBase64(signatureBase64); // Convert the Base64 signature to Base64Url encoding

console.log(base64UrlHeader + '.' + base64UrlPayload + '.' + signatureBase64Url);// Combine the Base64Url-encoded header, payload, and signature to form the JWT

import jwt # Import the 'jwt' library for JSON Web Token operations
import json # Import the 'json' library for JSON data handling

# Define the header with the token type (JWT) and the signing algorithm (RS256 in this case)
header = {
    "typ": "JWT",
    "alg": "RS256"
}

# Define the payload with the email of the customer that's being signed up
payload = {
    "email": "[email protected]"
#   "exp": 1467331200  #Optional: Use the "exp" parameter IF you want the JWT token to expire at a specific time. UNIX Timestamp format. 
}

# Load your RSA private key
# Replace 'your_private_key.pem' with your actual private key file
with open('id_rsa_priv.pem', 'rb') as key_file:
    private_key = key_file.read()

# Generate the JWT token by encoding the payload with the private key and algorithm
token = jwt.encode(payload, private_key, algorithm='RS256', headers=header)

# Print the JWT token after decoding it from bytes to a UTF-8 string
print(token.decode('utf-8'))

As visible in the code examples above, the payload for generating the JWT token is the email address of the customer signing-up:

//Example JWT payload for email address [email protected]
{
  "email": "[email protected]"
}

📘

The output of this code is passed to the trustedEmailValidationToken in the Sign-up request.

👍

Alternatively, if you want to reset or create a new offline_token for an existing end-user, the output of the above code is used in the Authorization header of the Reset Offline Token request.

You can use the Online JWT tool for testing and comparing the result signature. Make sure that the header and the payload values are the same ones you use in the code.

3. Frictionless Sign-up API request

Now that you have generated the JWT token for the specific customer, you need to pass it in the trustedEmailValidationToken parameter in the Sign-up API request.

If the request is successful, a new Trader account will be created in Coinify's system for your customer and they will not have to create new credentials for it nor validate their email address.

You can test the Sign-up API endpoint here in the documentation, but here's also a cURL example of the corporate trader accountType Sign-up request:

curl --location 'https://app-api.sandbox.coinify.com/signup/trader' \
--header 'Content-Type: application/json' \
--data-raw '{
  "email": "[email protected]",
  "partnerId":"your-partner-id-here",
  "accountType":"corporate"
  "profile": {
    "address": {
      "country": "US"
      "state": "IL"
    }
  },
  "trustedEmailValidationToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6InNuaStqd3RAY29pbmlmeS5jb20ifQ.ZfYbgLSs14h9rQ4VVRPe2LdQmFMp3JdcqrSUPZvxPpf9tQSQtolGHxrzbchWi6ZQGsDf1oCKFqf8paFjf21mdPkCKp8yZbQguEdPuf3QL_JfBj1ui8zacl_MEi_i46KfOiPCKPR3a7EjfqhpeyM9KyyszBLQIZspItGw2AAAREkwyop0Ix2GHbXvCIpQZ9B8NTK3HFZqBwvu73WNspjMX9d31zfOOwEoUZAs_mPCHgskHpB2WX17b4xbOk6Ru7SBVFlnGzui1DhiTLyunl6FplTeu7gKiTtmH8kbUcOHB6vxE_NCwORAIBYBm-29o2298GhrliDqstzMvlWIS4mwWA"
  "generateOfflineToken": true
}'

In the above request example, notice the "generateOfflineToken": "true". This tells our system to return an offline token which you can use for authenticating the user to Coinify's Trade service. In the response of the Sign-in API request a refreshToken is provided each time. You can pass this value to the Trade Widget URL in order to automatically log in your customer to Coinify's Trade Widget without them needing to create/provide any credentials. More on the Authentication (Sign-in) options can be found here.

The next step is to use the offline token Sign-in method for a frictionless authentication of your customer to Coinify's Trade service. Check out our Frictionless Sign-in page for further instructions.