
CodeMultiversX
CodeMultiversX@CodeMultiversX·
Meet the Tech: NativeAuth 🧩 The MultiversX-native authentication scheme — a signed token bound to a specific origin, a recent block hash, and an expiry, issued by a wallet and verified by an API. No password, no shared secret, no centralized identity provider. Proof of wallet control, time-bounded. Standard across MultiversX dApps and backend APIs. Wired into the dApp SDK and the JS SDK. 💡 🧵
CodeMultiversX@CodeMultiversX·
How it works:

    import { nativeAuth } from '@multiversx/sdk-dapp/out/services/nativeAuth/nativeAuth';

    const client = nativeAuth({
      origin: 'https://[myapp]',
      apiAddress: 'api.multiversx.com',
      expirySeconds: 86400
    });
    const initToken = await client.initialize();
    // user signs initToken via their wallet
    const accessToken = client.getToken({ address, token: initToken, signature });

initialize() produces a token containing the origin, latest block hash, expiry, and any extra info. The user signs it. getToken() bundles the signed result into the final accessToken.
CodeMultiversX@CodeMultiversX·
The pattern that makes it broadly useful: cryptographic expiry binding. The token includes a recent block hash. The block hash anchors the token to a specific point in MultiversX's chain history. Expiry isn't a server-side clock — it's the distance from the bound block. Once the chain has moved past bound_block + expirySeconds, the token is invalid by construction. No revocation list. No timer.

    token = encodedOrigin.blockHash.expirySeconds.encodedExtraInfo
CodeMultiversX@CodeMultiversX·
What to use it for:
• Wallet-gated APIs — verify the bearer token, check the signature, check the block-hash expiry. Reject if any step fails.
• Single sign-on across MultiversX dApps — same scheme, different apps; the token proves wallet control without sharing credentials
• Long-lived sessions with chain-anchored expiry — set expirySeconds for the lifetime you want; the chain enforces it
• Multi-shard apps — blockHashShard config picks which shard's blocks anchor the tokens. Default metachain works for most apps
CodeMultiversX@CodeMultiversX·
Tips & Tricks 💡
✦ initApp({ dAppConfig: { nativeAuth: true } }) wires NativeAuth into the dApp SDK with sensible defaults. Pass a config object instead of true to customize origin, expirySeconds, or blockHashShard.
✦ LogoutManager auto-logs out users when their token expires. tokenExpirationToastWarningSeconds shows a warning before the logout fires — useful for letting users save work or refresh proactively.
✦ Backend verification needs the @multiversx/sdk-native-auth-server package, not the client. It does the signature check, the origin check, and the chain-state check against your gateway URL.
✦ extraInfo is signed into the token. Use it to bind additional context — a request scope, a tenant ID, a permission level — without trusting it to be reported client-side.
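Added example (not from the thread or the MultiversX SDKs): a parser and policy check for the token layout encodedOrigin.blockHash.expirySeconds.encodedExtraInfo, covering the origin check and block-anchored expiry check the posts list. It assumes base64url encoding for the origin and JSON extraInfo, a 64-hex-character block hash, and caller-supplied block timestamps; parseInitToken, checkInitToken and the option names are this example's own, and signature verification is left out.

```javascript
// Added example. Assumptions: origin and extraInfo are base64url-encoded
// (extraInfo as JSON) and the block hash is 64 hex characters.
const b64urlDecode = (s) => Buffer.from(s, 'base64url').toString('utf8');
const b64urlEncode = (s) => Buffer.from(s, 'utf8').toString('base64url');

// Split "encodedOrigin.blockHash.expirySeconds.encodedExtraInfo" into fields.
function parseInitToken(token) {
  const parts = token.split('.');
  if (parts.length !== 4) throw new Error('malformed token');
  const [encodedOrigin, blockHash, ttl, encodedExtraInfo] = parts;
  if (!/^[0-9a-f]{64}$/.test(blockHash)) throw new Error('malformed block hash');
  if (!/^[0-9]{1,9}$/.test(ttl)) throw new Error('malformed expirySeconds');
  let extraInfo;
  try {
    extraInfo = JSON.parse(b64urlDecode(encodedExtraInfo));
  } catch {
    throw new Error('malformed extraInfo');
  }
  return { origin: b64urlDecode(encodedOrigin), blockHash, expirySeconds: Number(ttl), extraInfo };
}

// Policy checks. The options are hypothetical inputs of this example: the caller
// resolves block timestamps from its own gateway. Signature check not shown.
function checkInitToken(token, opts) {
  const t = parseInitToken(token);
  if (!opts.acceptedOrigins.includes(t.origin)) throw new Error('origin not accepted');
  // expirySeconds is chosen by the client, so the server caps it.
  if (t.expirySeconds > opts.maxExpirySeconds) throw new Error('expirySeconds above limit');
  const boundAt = opts.getBlockTimestamp(t.blockHash);
  if (boundAt === undefined) throw new Error('unknown block hash');
  // Expired once the chain's latest block is past bound block time + expirySeconds.
  if (boundAt + t.expirySeconds < opts.latestBlockTimestamp) throw new Error('token expired');
  return t;
}

// Constructed sample data (not real chain values).
const SAMPLE_HASH = 'ab'.repeat(32);
const SAMPLE_BLOCKS = { [SAMPLE_HASH]: 1700000000 };
const makeToken = (origin, ttl, extra) =>
  [b64urlEncode(origin), SAMPLE_HASH, String(ttl), b64urlEncode(JSON.stringify(extra))].join('.');
const policyAt = (latest) => ({
  acceptedOrigins: ['https://myapp.example'],
  maxExpirySeconds: 86400,
  getBlockTimestamp: (hash) => SAMPLE_BLOCKS[hash],
  latestBlockTimestamp: latest,
});
const sampleToken = makeToken('https://myapp.example', 86400, { tenant: 'acme' });
console.log(checkInitToken(sampleToken, policyAt(1700003600)));
```

Fields parsed here, extraInfo included, are only trustworthy after the wallet signature over the token has been verified.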