Manifold OAuth2 Authentication API

Server-side session authentication API for validating wallet addresses of authenticated Manifold clients. Supports two grant types: Signature Grant (POST /verify to confirm a wallet signature session token) and Authorization Code Grant (POST /token to exchange a one-time code for a 30-day access token). Enables backends to securely access and modify private user data without exposing session keys client-side. Requires a Developer App configured at the Manifold Developer Portal.

OpenAPI Specification

manifold-oauth2-authentication-api.yml
openapi: 3.1.0
info:
  title: Manifold OAuth2 Authentication API
  description: >-
    Server-side session authentication API for validating wallet addresses of
    authenticated Manifold clients. Supports two grant types: Signature Grant
    (POST /verify to confirm a wallet signature session token) and Authorization
    Code Grant (POST /token to exchange a one-time code for a 30-day access
    token). Enables backends to securely access and modify private user data
    without exposing session keys client-side. Requires a Developer App
    configured at the Manifold Developer Portal.
  version: 1.0.0
  contact:
    name: Manifold
    url: https://manifold.xyz
  license:
    name: MIT
servers:
  - url: https://oauth2.manifoldxyz.dev
    description: Manifold OAuth2 Authentication Server
tags:
  - name: Signature Grant
    description: >-
      Validate a wallet signature session token to confirm a user's wallet
      address server-side.
  - name: Authorization Code Grant
    description: >-
      Exchange a one-time authorization code for a long-lived access token
      allowing server-side access to private user data.
paths:
  /verify:
    post:
      operationId: verifySignatureToken
      summary: Verify a Signature Grant session token
      description: >-
        Validates a session token obtained from the Manifold frontend client
        (via the Manifold Ethereum Provider or the `m-authenticated` event).
        Returns the wallet address associated with the authenticated session.
      tags:
        - Signature Grant
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/VerifyRequest'
            example:
              token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
      responses:
        '200':
          description: Token verified successfully; wallet address returned.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/VerifyResponse'
              example:
                unwrappedJWT:
                  address: "0xAbCd1234..."
        '403':
          description: >-
            Token validation failed or wallet address not present in token
            payload.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
  /token:
    post:
      operationId: exchangeAuthorizationCode
      summary: Exchange an authorization code for an access token
      description: >-
        Exchanges a one-time authorization code (obtained after a user
        completes the Manifold OAuth2 flow) for a 30-day access token. The
        access token can then be used server-side to read and modify private
        user data. Requires credentials from a Developer App configured at
        the Manifold Developer Portal.
      tags:
        - Authorization Code Grant
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/TokenRequest'
            example:
              clientId: "my-app-client-id"
              code: "one-time-authorization-code"
              clientSecret: "my-app-client-secret"
              signature: "0xsignature..."
      responses:
        '200':
          description: Authorization code accepted; access token returned.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
              example:
                access_token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
                expires_in: 2592000
        '400':
          description: Invalid request parameters.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '401':
          description: Invalid client credentials or signature.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '403':
          description: Authorization code already used or expired.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
components:
  schemas:
    VerifyRequest:
      type: object
      required:
        - token
      properties:
        token:
          type: string
          description: >-
            The session token retrieved from the Manifold frontend via the
            Manifold Ethereum Provider or the `m-authenticated` event.
    VerifyResponse:
      type: object
      properties:
        unwrappedJWT:
          type: object
          properties:
            address:
              type: string
              description: The Ethereum wallet address of the authenticated user.
              example: "0xAbCd1234..."
    TokenRequest:
      type: object
      required:
        - clientId
        - code
        - clientSecret
        - signature
      properties:
        clientId:
          type: string
          description: >-
            The client ID for your Developer App, obtained from the Manifold
            Developer Portal.
        code:
          type: string
          description: >-
            The one-time authorization code received after the user completes
            the OAuth2 authorization flow.
        clientSecret:
          type: string
          description: >-
            The client secret for your Developer App, obtained from the
            Manifold Developer Portal.
        signature:
          type: string
          description: >-
            A cryptographic signature used to authenticate the token exchange
            request.
    TokenResponse:
      type: object
      properties:
        access_token:
          type: string
          description: A 30-day access token for server-side access to private user data.
        expires_in:
          type: integer
          description: Token lifetime in seconds (typically 2592000 for 30 days).
          example: 2592000
    ErrorResponse:
      type: object
      properties:
        error:
          type: string
          description: Machine-readable error code.
        error_description:
          type: string
          description: Human-readable description of the error.
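A server-side client exercising both grants in the spec above, added here as an example and not Manifold's own code: `fetchImpl` is assumed to be anything with the fetch signature (pass the global fetch in production), and the fake server, client id, secret, code, session token and wallet address are all constructed for the demonstration.

```javascript
// Added example, not Manifold's own code: a server-side client for the two grants in
// the spec. fetchImpl is injected so the constructed fake below runs offline.
class ManifoldAuthClient {
  constructor({ clientId, clientSecret, fetchImpl, baseUrl = "https://oauth2.manifoldxyz.dev" }) {
    Object.assign(this, { clientId, clientSecret, fetchImpl, baseUrl });
  }
  async post(path, body) {
    const res = await this.fetchImpl(this.baseUrl + path, {
      method: "POST", headers: { "content-type": "application/json" }, body: JSON.stringify(body),
    });
    const json = await res.json();
    if (!res.ok) // ErrorResponse: { error, error_description }; 400/401/403 per the spec
      throw new Error(`${path} ${res.status} ${json.error}: ${json.error_description}`);
    return json;
  }
  // Signature Grant: confirm a frontend session token; returns the bound wallet address.
  async verifySessionToken(token) {
    const { unwrappedJWT } = await this.post("/verify", { token });
    const address = unwrappedJWT && unwrappedJWT.address;
    if (typeof address !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(address))
      throw new Error("/verify returned 200 without a well-formed address");
    return address.toLowerCase(); // normalise case before comparing with stored addresses
  }
  // Authorization Code Grant: one-time code -> 30-day token; clientSecret never leaves the server.
  async exchangeCode(code, signature, now = Date.now()) {
    const { access_token, expires_in } = await this.post("/token",
      { clientId: this.clientId, code, clientSecret: this.clientSecret, signature });
    return { accessToken: access_token, expiresAt: now + expires_in * 1000 };
  }
}

// Constructed fake of the auth server (not the real one), enough to exercise both grants.
const usedCodes = new Set();
async function fakeFetch(url, { body }) {
  const req = JSON.parse(body);
  const reply = (status, json) => ({ ok: status < 300, status, json: async () => json });
  if (url.endsWith("/verify"))
    return req.token === "good-session-token"
      ? reply(200, { unwrappedJWT: { address: "0xAbCdEf0123456789AbCdEf0123456789AbCdEf01" } })
      : reply(403, { error: "invalid_token", error_description: "validation failed" });
  if (req.clientSecret !== "secret")
    return reply(401, { error: "invalid_client", error_description: "bad credentials" });
  if (usedCodes.has(req.code))
    return reply(403, { error: "invalid_grant", error_description: "code already used" });
  usedCodes.add(req.code);
  return reply(200, { access_token: "access-token-constructed", expires_in: 2592000 });
}

const client = new ManifoldAuthClient({ clientId: "my-app", clientSecret: "secret", fetchImpl: fakeFetch });
```

The fake enforces the spec's error semantics (403 on a bad session token, 401 on bad client credentials, 403 on a reused code) so the caller's handling of each path can be seen without network access.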