Wallet Authentication
OnDB Dashboard uses wallet authentication to ensure that only the wallet owner can manage their applications and API keys.
Connecting Your Wallet
- Navigate to app.ondb.ai
- Click Connect Wallet
- Approve the connection request in your wallet
- Your wallet address is now linked to your session
Session Management
After connecting your wallet, a secure session is created:
- Session Duration: 10 minutes
- Auto-Renewal: Sessions automatically renew when you sign a new message
- Secure Storage: Session tokens are stored in httpOnly cookies
Request Signing
All sensitive operations require cryptographic signature verification:
| Header | Description |
|---|---|
| X-Wallet-Address | Your wallet address |
| X-Timestamp | Request timestamp (5-minute validity window) |
| X-Signature | Base64-encoded signature |
| X-Pubkey | Your public key (base64-encoded) |
On-Chain Verification
Critical operations require on-chain transaction verification to prove wallet ownership:
Operations Requiring Verification
| Operation | Transaction Memo | Fee |
|---|---|---|
| Generate API Key | regenerate_key:{appId} | ~$0.001 USDC |
| Revoke API Key | revoke_key:{appId}:{keyHash} | ~$0.001 USDC |
| List API Keys | list_keys:{appId} | ~$0.001 USDC |
| Update Encryption | update_encryption:{appId} | ~$0.001 USDC |
Verification Flow
Encryption Settings
OnDB supports encryption for sensitive data at both the application and collection level.
Private Application
Making your application private encrypts all data by default:
- Go to your app’s Encryption tab
- Toggle Private App on
- Approve the on-chain verification transaction
Private Collections
You can also encrypt specific collections while keeping others public:
- Navigate to the Encryption tab
- Select collections to encrypt
- Save changes and approve the transaction
App Ownership
Each OnDB application is linked to a wallet address. Only the owner can:
- Generate, list, or revoke API keys
- Modify encryption settings
- Update app configuration
- View usage analytics
Ownership Verification
The Dashboard verifies ownership by:
- Checking your connected wallet address
- Comparing it against the app’s owner_wallet field
- Returning 403 Forbidden if the addresses don’t match
Application ownership cannot be transferred. To change ownership, create a new application with the desired wallet.
API Key Security
Key Format
App Keys are cryptographically generated tokens:
- Length: 64 characters
- Format: Alphanumeric with special characters
- Storage: Only the hash is stored server-side
Key Headers
When making API requests, include the appropriate headers:
Security Implementation
| Feature | Implementation |
|---|---|
| httpOnly Cookies | Session tokens protected from XSS |
| HMAC Signing | Token integrity verification |
| Timestamp Validation | Requests with a timestamp outside the 5-minute window are rejected, limiting replay |
| On-Chain Verification | Wallet ownership proof |
| Immediate Invalidation | Revoked keys stop working instantly |
| One-Time Display | Keys shown once, never stored in plaintext |
Troubleshooting
Session Expired
If you see “Session Expired” errors:
- Sign the authentication message in your wallet
- Your session will automatically renew
- The original request will be retried
Authorization Failed
If you receive 403 Forbidden errors:
- Verify you’re connected with the correct wallet
- Check that you own the application
- Ensure your session hasn’t expired
Next Steps
- Authentication: App Key and Agent Key permissions
- Payment Flows: Payment callback and pre-paid options
- Best Practices: Security recommendations for production