Validating Cotter's Identity Token

Cotter's token includes the user's email or phone number, your API_KEY_ID, and a signature . Here's the full token object:

"token": {
    "identifier_id": "e8a47aff-f520-4b8d-952b-79d36d10fb3e",
    "expire_at": "1588849208",
    "identifier": "+12345678910", // user's email or phone
    "identifier_type": "PHONE",
    "receiver": "<YOUR API KEY ID>",
    "signature": "21P6mXSF2x357kZGkEMQTRTn3r...",
    "timestamp": "1586257208" // unix Timestamp
 }

Check that the receiver contains your API_KEY_ID

Verifying the Signature

The signature ensures that this token comes from Cotter's server:

  • Signature algorithm: ed25519

  • Cotter's Public Key: qqOaiQGjGsxBMgI5rdAasaACRiJthOqadmefjY5mS/c=

  • Signed Message:

{token.identifier}{token.identifier_type}{token.receiver}{token.expire_at}

Note that there is no space and no {} in the message. It's all just 1 long string. ex. +1234567890PHONEaaf7319d-8f91-4752-a23f-c43ba862d5481582679175

Example

Libraries for ed25519 algorithm are available in Javascript, Golang, Python and other languages.

PreviousReset PIN APINextValidating Cotter's Event Response

Last updated