Auth by operation
| Operation | Auth |
|---|---|
| POST /api/v1/verification | Wallet signature (standard string) |
| GET /api/v1/proofs/{qHash} | Public metadata for public/unlisted; private needs owner rules |
| Private payload reads | Owner signature / SDK helpers |
Do Not
- Do not treat proof signatures as bearer tokens (they are request-bound)
- Do not embed secrets in browser bundles
- Do not log or persist:
  - proof signatures
  - API keys
  - third-party auth credentials or provider tokens
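One way to enforce the no-logging rule above is to redact by key name before anything reaches a log sink. This is an added example, not code from the SDK; the key names, the `redact` and `safeLog` helpers, and the sample event are assumptions.

```javascript
// Added example. Key names and sample values are assumptions, not the API's schema.
const SENSITIVE_SUFFIXES = ['signature', 'apikey', 'token', 'secret', 'password', 'credential', 'credentials'];
const SENSITIVE_EXACT = new Set(['authorization', 'cookie', 'setcookie']);
// Normalise so X-API-Key, api_key and apiKey all compare equal.
const norm = (key) => String(key).toLowerCase().replace(/[^a-z0-9]/g, '');

function isSensitiveKey(key) {
  const k = norm(key);
  return SENSITIVE_EXACT.has(k) || SENSITIVE_SUFFIXES.some((s) => k.endsWith(s));
}

// Returns a redacted deep copy; the input object is never mutated.
function redact(value, ancestors = new WeakSet()) {
  if (value === null || typeof value !== 'object') return value;
  if (ancestors.has(value)) return '[Circular]'; // break reference cycles
  ancestors.add(value);
  let out;
  if (Array.isArray(value)) {
    out = value.map((v) => redact(v, ancestors));
  } else {
    out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = isSensitiveKey(k) ? '[REDACTED]' : redact(v, ancestors);
    }
  }
  ancestors.delete(value);
  return out;
}

// Log only the redacted copy. `sink` is a hypothetical logger hook.
function safeLog(event, sink = console.log) {
  const clean = redact(event);
  sink(JSON.stringify(clean));
  return clean;
}

// Constructed sample request event; every value is a placeholder.
const sampleEvent = {
  route: 'POST /api/v1/verification',
  headers: { 'X-API-Key': 'example-key', Authorization: 'Bearer example' },
  body: {
    walletAddress: '0xEXAMPLE',
    signature: '0xSIGNATURE_PLACEHOLDER',
    options: { privacyLevel: 'private' },
    providers: [{ name: 'example-idp', provider_token: 'tok_example' }],
  },
};
safeLog(sampleEvent);
```

Redaction here is by key name only; a signature or token embedded in a free-form string or URL passes through, so keep such values out of log messages entirely.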
Defaults
client.verify() defaults to private. VerifyGate create also defaults to private.
If you need proof reuse without owner-authenticated access, opt into unlisted public explicitly:
```js
{
  privacyLevel: 'public',
  publicDisplay: false,
}
```
Do not treat unlisted public proofs as secret.
| Control | Purpose |
|---|---|
| privacyLevel | Default private; switch to public only for intentional public reuse |
| publicDisplay | Discovery vs unlisted |
| storeOriginalContent | Advanced storage control |
Unlisted public proofs are still public to anyone with the proof id.