STELLAR · SOLANA · ED25519

Wallet-Based Login

No username. No password. Just your wallet. When you log in, ZKey sends you a unique challenge that expires in minutes and can only be used once. Your wallet signs it, we verify it, and you are in. Works with both Stellar (Freighter) and Solana (Solflare) wallets. There are no credentials to steal, no passwords to phish, and no way to reuse a challenge that has already been consumed.

Ed25519 · Single-use nonce · Atomic consume · No passwords · Freighter · Solflare
01 Request challenge
You request a login — ZKey generates a unique challenge stored for 5 minutes.

02 Sign it
Your wallet (Freighter or Solflare) signs the challenge with your private key. Your key never leaves your device.

03 Submit
The signed challenge and your wallet address are sent to ZKey for verification.

04 Verify once
ZKey verifies your Ed25519 signature and immediately deletes the challenge — it can never be reused.

05 Session issued
You receive a session token valid for your configured duration.

06 Nothing to steal
There are no stored passwords. Anyone who intercepts your request gets nothing useful.

Challenge–Response with Single-Use Nonces

The server generates a cryptographically random 256-bit nonce per login attempt and stores it in Redis with a configurable TTL (default 5 minutes). The client signs a structured message containing the nonce using Ed25519 — via Freighter for Stellar wallets or Solflare for Solana wallets. The server verifies the signature against the public key derived from the wallet address. The nonce is deleted from Redis before the response is returned — atomic consumption means the same nonce can never be reused, even under race conditions.

Stellar & Solana Support

Both Stellar (Freighter) and Solana (Solflare) wallets are supported using the same Ed25519 signature primitive. Admins configure which wallet types are enabled per application — Stellar only, Solana only, or both. When both are enabled, users see a wallet chooser at login time.

Replay Attack Prevention

Since each nonce exists exactly once and is destroyed on first verification, a captured signature is worthless to an attacker. Even if a MITM intercepts the signed message, replaying it returns an immediate rejection. There is no signature cache, no blacklist, and no timestamp window: just provable single use, enforced by an atomic Redis delete.
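The challenge-response flow and the replay guarantee described in the two sections above, as an added Go example (not ZKey's code). It assumes an in-memory `sync.Map` in place of Redis, a hypothetical `example-login:<nonce>` message layout, and a throwaway key in place of a wallet. It consumes the nonce before checking the signature, so a failed attempt also burns it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sync"
	"time"
)

var store sync.Map // nonce -> expiry; in-memory stand-in for Redis (assumption)

// issue creates a 256-bit random nonce and stores it with a TTL.
func issue(ttl time.Duration) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	n := fmt.Sprintf("%x", b)
	store.Store(n, time.Now().Add(ttl))
	return n
}

// verifyLogin consumes the nonce with one atomic LoadAndDelete before checking
// the signature, so concurrent replays cannot both see it. Message layout is hypothetical.
func verifyLogin(pub ed25519.PublicKey, nonce string, sig []byte) bool {
	exp, ok := store.LoadAndDelete(nonce)
	live := ok && time.Now().Before(exp.(time.Time))
	return live && ed25519.Verify(pub, []byte("example-login:"+nonce), sig)
}

// replayRace submits one validly signed challenge n times at once; returns accepted count.
func replayRace(n int) int {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed throwaway key
	nonce := issue(5 * time.Minute)
	sig := ed25519.Sign(priv, []byte("example-login:"+nonce))
	res := make(chan bool, n)
	for i := 0; i < n; i++ {
		go func() { res <- verifyLogin(pub, nonce, sig) }()
	}
	accepted := 0
	for i := 0; i < n; i++ {
		if <-res {
			accepted++
		}
	}
	return accepted
}

func main() { fmt.Println("accepted:", replayRace(50)) }
```

If the lookup and the delete were two separate store calls, two concurrent submissions could both pass the lookup; the single atomic step is what holds the accepted count at one.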

Wallet Linking & Identity

Stellar and Solana wallets can each be linked to existing user accounts (email, phone) or used as standalone identity. Both addresses are stored independently per user — a user can have both a Stellar and a Solana wallet linked simultaneously.