How Does Hivesigner Work?
When a user logs in to Hivesigner, their private key is available within the interface to sign a transaction or a message, and it is discarded when the user closes the website, desktop app or Chrome extension. We never get access to users' private keys. The access_token values on Hivesigner are just Hive signed messages encoded in base64u.
Code is here: https://github.com/ledgerconnect/hivesigner
When users log in to a website like https://ecency.com, https://hive.blog or https://peakd.com using Hivesigner, they are asked to authorize the relevant Hive account (@ecency.app, @hive.blog or @peakd.app) to broadcast posting operations on their behalf. This is a feature supported by the Hive protocol. At https://hivesigner.com/auths you can see which account(s) you have authorized and which authority you gave them. The Hivesigner API holds the posting key of the Hive account @hivesigner. When you vote on ecency, hive.blog or peakd, an access_token is sent from the application to the Hivesigner API; the API verifies the token and, if it is valid, broadcasts the vote transaction using the @hivesigner posting key. This is possible through double delegation of posting authority: for example, @bob authorizes the @ecency.app account to perform posting operations on @bob's behalf, and @ecency.app authorizes @hivesigner to perform posting operations on @ecency.app's behalf.
This flow is perfect for security, and users can keep themselves safe from malicious apps at any moment.
Code is here: https://github.com/ledgerconnect/hivesigner-api
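The double delegation described above can be modelled as a walk over posting authorities. The following is an added example, not code from the Hivesigner repositories: the authority table is constructed, the accounts `carol` and `dave`, the function names and the hop limit of 2 are assumptions made for illustration.

```javascript
// Constructed posting authorities (illustrative, not real chain data).
// Shape assumed here: a weight threshold plus [account, weight] pairs.
const postingAuth = {
  'bob':        { weight_threshold: 1, account_auths: [['ecency.app', 1]] },
  'ecency.app': { weight_threshold: 1, account_auths: [['hivesigner', 1]] },
  'hivesigner': { weight_threshold: 1, account_auths: [] },
  'carol':      { weight_threshold: 1, account_auths: [] }, // authorized no app
  'dave':       { weight_threshold: 1, account_auths: [['bob', 1]] },
};

// Can the posting key of `signer` satisfy the posting authority of `account`?
// maxDepth caps the delegation hops followed; 2 matches the double delegation
// described above and is an assumption of this example.
function canPostFor(table, signer, account, maxDepth = 2, seen = new Set()) {
  if (signer === account) return true;            // the signer's own key
  const auth = table[account];
  if (!auth || maxDepth === 0 || seen.has(account)) return false;
  const visited = new Set(seen).add(account);     // guard against cycles
  let weight = 0;
  for (const [delegate, w] of auth.account_auths) {
    if (canPostFor(table, signer, delegate, maxDepth - 1, visited)) weight += w;
  }
  return auth.weight_threshold > 0 && weight >= auth.weight_threshold;
}

// Hypothetical helper: copy of the table with one delegation link removed.
function withoutAuth(table, account, delegate) {
  const auth = table[account];
  const account_auths = auth.account_auths.filter(([name]) => name !== delegate);
  return { ...table, [account]: { ...auth, account_auths } };
}

function demo() {
  const bobUnlinked = withoutAuth(postingAuth, 'bob', 'ecency.app');
  return {
    bobViaEcency: canPostFor(postingAuth, 'hivesigner', 'bob'),     // two hops
    carolNoAuth: canPostFor(postingAuth, 'hivesigner', 'carol'),    // no link
    bobLinkRemoved: canPostFor(bobUnlinked, 'hivesigner', 'bob'),   // chain cut
    daveThreeHops: canPostFor(postingAuth, 'hivesigner', 'dave'),   // too deep
  };
}

console.log(demo());
```

The @hivesigner key reaches @bob only while both links exist; with either link absent, or with a chain longer than the hop limit, the check fails.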