Authentication

From Social Handle to Self-Custody

The moment a new user taps Sign in with Twitter, Starry initiates a three-step handshake:

  1. Twitter OAuth: Starry requests read-only scopes (no posting, no DMs). Twitter returns an access token plus a user-ID hash.

  2. Privy Wallet Minting: The Twitter token is passed to Privy, which:

    • Generates a fresh Ed25519 keypair in the browser (client-side; the plaintext private key never leaves the user’s session).

    • Encrypts the private key with AES-GCM, using a key derived from the Twitter token and a Privy-side secret salt.

    • Stores the ciphertext on a serverless edge KV store, indexed by a salted hash of the Twitter user-ID.

    • Returns the public key (your new Solana address) to Starry.

  3. Session Hardening: Starry wraps the Privy session in a signed JWT that includes:

    • Twitter handle & avatar URL

    • Public Solana address

    • 60-minute expiry (renewed silently with activity)

    • CSRF token & device fingerprint

If any part of this chain fails (e.g., the user revoked Twitter permissions), Starry invalidates the JWT, flashes an error modal, and offers a one-click retry. All cryptographic operations are audited against OWASP guidelines; no private keys ever traverse our servers in plaintext.