View on GitHub


Algorand message standards

Algorand Message Standard for authentication


This document introduces the standard for authentication using the algorand accounts.


The goal of this standard is to define authorization process and authentication procedures for communication between web application and backend services or between two backend services.


The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC-2119.

Base64 is the standard described in RFC-4648.

Request for comments

Please comment or suggest pull request for this document here:


Authentication is process in which person generates the authorization token for communication with backend service.

Token MUST be generated from Algorand public and private key - from algorand address.

In the first step of the authentication, the message to be signed is generated. The message MUST contain note field with configurable Realm. Realm is identifier of the service. It MAY be the web address of the service for intended purpose.

The message MUST be self signed - the receiver is the same as the sender.

The message MUST have network parameters filled in. The network genesis hash SHOULD be configured for validation pursposes. The latest block is the time of expiration of the token. The latest block MUST be provided.

In the second step, the message MUST be signed by the account private key.

The message MUST not be submitted to network nor should be published in any way.


Authentication is the process of validating authorized message by the backend application and allowing the account permissions to the backend services.

Authorization token SHOULD be send to backend service using the authorization header.

Header data MUST start with prefix “SigTx “

Authorization message must follow prefix in Base64 encoding.

Example of the header:

Authorization: SigTx gqNzaWfEQJ4FWNWiXuRz5DKu1RYL5qHlR+iP/3qW4BF+pPD/ok20tJSqBICQn2jWysFD88W3a0ojEBM+IWvh5tyfvZyZ+AKjdHhuiaNmZWXNA+iiZnbOAQx8LaNnZW6sdGVzdG5ldC12MS4womdoxCBIY7UYpLPITsgQ8i1PEIHLD3HwWaesIN7GL39w5Qk6IqJsds4BDIAVpG5vdGXEEURSRU0tQXV0aGVudGljYXRlo3JjdsQgG1z5khU3SjAofF/H7uWij05Nzy1ZVn2sYVEzIHauIAWjc25kxCAbXPmSFTdKMCh8X8fu5aKPTk3PLVlWfaxhUTMgdq4gBaR0eXBlo3BheQ==

Service MUST return 401 response if the service is configured to check for validity of the expiration of the token and the current block at the specified network is higher. Service SHOULD be configured to check for validity of the expiration of the token.

Service MUST return 401 response if the token data is not Base64 valid data.

Service MUST return 401 response if the token data cannot be parsed to Algorand signed transaction.

Service MUST return 401 response if the signed transaction has invalid signature.