Validating Cotter's Identity Token

Cotter's token includes the user's email or phone number, your API_KEY_ID, and a signature . Here's the full token object:

"token": {
    "identifier_id": "e8a47aff-f520-4b8d-952b-79d36d10fb3e",
    "expire_at": "1588849208",
    "identifier": "+12345678910", // user's email or phone
    "identifier_type": "PHONE",
    "receiver": "<YOUR API KEY ID>",
    "signature": "21P6mXSF2x357kZGkEMQTRTn3r...",
    "timestamp": "1586257208" // unix Timestamp

Check that the receiver contains your API_KEY_ID

Verifying the Signature

The signature ensures that this token comes from Cotter's server:

  • Signature algorithm: ed25519

  • Cotter's Public Key: qqOaiQGjGsxBMgI5rdAasaACRiJthOqadmefjY5mS/c=

  • Signed Message:


Note that there is no space and no {} in the message. It's all just 1 long string. ex. +1234567890PHONEaaf7319d-8f91-4752-a23f-c43ba862d5481582679175


var cotter = require("cotter-token-js");

var cotterIdentity = new cotter.CotterIdentity(token);
var valid = cotterIdentity.validate()

Libraries for ed25519 algorithm are available in Javascript, Golang, Python and other languages.

Last updated