How to do a secure login with web3 (Metamask)?

So, I want to do a webpage, where you have to log in with metamask, only.

I’ve seen that did a really good job, not even prompting for a password.

The only thing they require is a signature from you. But here is the thing I don’t understand: What do you sign, that you are protected from a signature replay?
Or are they protected from a signature replay in the first place?

What I thought about so far (but it didn’t work):

  • Using a nonce -> What happens if the client wipes localhost?
  • Using time -> There are different timezones and taking UTC -> One can send the two requests almost instantly one after another.

However, if I invalidate the signed hash of the time on the server side and don’t accept a second attempt, would this be a good practice?



Method 1

You can try:

  • Client signs a nonce
  • Check with his public key that it is him and return a token (JWT) with encrypted information (expiration date, public key, etc.)
  • The user is already authenticated.

I think it can work, but possibly there is a better way.

These systems are zero knowledge

Method 2

Okay, so while @Rimander has some good input, I found the exact way how to do it.

Turns out that the exact same question was asked before here:

And this is a pretty good tutorial on how to do it:

The interesting point:
The server is the one giving you the message to sign, you sign it and therefore verify that it’s you. Afterwards, one can proceed like @Rimander proposed, by returning a JWT.
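
The flow from Method 2, with the replay concern from the question handled by making each server-issued message single-use and short-lived, as an added example that is not part of the original answers. The function names, the `example.test` message text and the five-minute lifetime are assumptions, and the "wallet" is a stand-in that signs with Node's built-in secp256k1 ECDSA rather than MetaMask's `personal_sign`, so the demo runs offline.

```javascript
// Added example: server-side challenge store for wallet login (all names hypothetical).
const crypto = require('node:crypto');

const CHALLENGE_TTL_MS = 5 * 60 * 1000; // assumed lifetime of an unanswered challenge
const pending = new Map();              // address -> { message, expires }

// Step 1: the server, not the client, chooses the message to sign.
function issueChallenge(address, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  const message = `Sign in to example.test\nAddress: ${address}\nNonce: ${nonce}`;
  pending.set(address, { message, expires: now + CHALLENGE_TTL_MS });
  return message;
}

// Step 2: consume the challenge exactly once, then check the signature.
// verifySig(address, message, signature) is injected; with a real wallet it would
// recover the signer from the signature and compare it to `address`.
function verifyLogin(address, signature, verifySig, now = Date.now()) {
  const challenge = pending.get(address);
  if (!challenge) return false;   // never issued, or already used (replay)
  pending.delete(address);        // single use, even if the checks below fail
  if (now > challenge.expires) return false;
  return verifySig(address, challenge.message, signature) === true;
}

// Stand-in for a wallet: secp256k1 key pair, ECDSA over SHA-256 from Node's crypto.
// This is NOT Ethereum's personal_sign format; the "address" is a constructed value.
function makeDemoWallet() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  const der = publicKey.export({ type: 'spki', format: 'der' });
  const address = crypto.createHash('sha256').update(der).digest('hex').slice(0, 40);
  const sign = (msg) => crypto.sign('sha256', Buffer.from(msg), privateKey).toString('hex');
  return { address, publicKey, sign };
}

// Stand-in verifier: looks up the registered public key for the claimed address.
const demoVerifier = (wallets) => (address, message, sigHex) => {
  const w = wallets.get(address);
  if (!w) return false;
  return crypto.verify('sha256', Buffer.from(message), w.publicKey, Buffer.from(sigHex, 'hex'));
};
```

Because the nonce lives on the server, nothing depends on client-side storage or clocks, and a captured signature is useless once its challenge has been consumed or has expired.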

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0
