Auth + Permissions

Asset Layer uses a dual authentication model: most API requests require authentication from the app making the request as well as from the user whose resources the request accesses.

Asset Layer also leverages app-to-app permissions to determine which of a user's resources a particular app can access. An app can always access the resources it created (collections, assets, currencies, etc.). However, to access the resources of another app, an app must request and be granted permission by that other app.

User Authentication

Asset Layer uses a platform called Magic to power a user authentication method that enables interoperability between applications. From the user's perspective, they log in using an email address and OTP or through social logins, an extremely familiar, low-friction experience.

If you are using the Asset Layer SDK, the authentication process is extremely simple.

const { AssetLayer } = require('@assetlayer/sdk-client');

const assetlayer = new AssetLayer();

Behind the scenes, Magic creates a secure iframe which can securely access a private key associated with that email address. This private key can then be used to generate a DID (decentralized ID) token. These DID tokens enable Asset Layer to link users across different applications, since only a user that has logged into the app with Magic can create a valid DID token.

In order to make a request for a particular user, the app registers a DID token created by that user through the Asset Layer API. This is a two-step process which is all handled by the SDK with the single line of code:


First, the app submits a DID token with no attachment and receives a one-time code. Then, the app generates a new DID token from the same user with the one-time code as an attachment. This token then gets registered with the Asset Layer API and can be used to make subsequent API calls on behalf of the user.
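The two-step registration described above, modelled as an added example (not Asset Layer's or Magic's code): the token format, the Ed25519 keys, and the names makeToken, newUser and RegistrationServer are assumptions made for illustration. It shows why binding the second token to a server-issued one-time code stops a captured token, or another user's token, from being registered.

```javascript
const crypto = require('node:crypto');

// Hypothetical user: an Ed25519 key pair; the public key doubles as the user id.
function newUser() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const id = publicKey.export({ type: 'spki', format: 'der' }).toString('base64');
  return { id, privateKey };
}

// Simplified stand-in for a DID token: a claim signed by the user's private key.
// 'none' marks "no attachment" in this model.
function makeToken(user, attachment = 'none') {
  const claim = JSON.stringify({ sub: user.id, attachment, nonce: crypto.randomUUID() });
  const sig = crypto.sign(null, Buffer.from(claim), user.privateKey).toString('base64');
  return { claim, sig };
}

class RegistrationServer {
  constructor() {
    this.pendingCodes = new Map(); // user id -> outstanding one-time code
    this.registered = new Set();   // signatures of tokens accepted for later API calls
  }
  // Returns the parsed claim if the signature matches the key named in `sub`, else null.
  verify(token) {
    try {
      const claim = JSON.parse(token.claim);
      const key = crypto.createPublicKey({ key: Buffer.from(claim.sub, 'base64'), format: 'der', type: 'spki' });
      const ok = crypto.verify(null, Buffer.from(token.claim), key, Buffer.from(token.sig, 'base64'));
      return ok ? claim : null;
    } catch { return null; }
  }
  // Step 1: a token with no attachment yields a one-time code bound to that user.
  requestCode(token) {
    const claim = this.verify(token);
    if (!claim || claim.attachment !== 'none') return null;
    const code = crypto.randomBytes(16).toString('hex');
    this.pendingCodes.set(claim.sub, code);
    return code;
  }
  // Step 2: a fresh token from the same user must carry the code as its attachment.
  register(token) {
    const claim = this.verify(token);
    const expected = claim && this.pendingCodes.get(claim.sub);
    if (!expected || claim.attachment !== expected) return false;
    this.pendingCodes.delete(claim.sub); // the code is single use
    this.registered.add(token.sig);
    return true;
  }
}
```

In this model, replaying the step-one token, presenting the code under a different user's signature, or resubmitting an already registered token are all rejected.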

App Authentication

All Asset Layer API requests require an App Secret, regardless of the platform from which they originate. The App Secret can be found in the App Info section of the selected app.


Apps grant permissions to other apps. An app can request two levels of access to another app, read-only or read-and-transfer. An app with read-only access to another app can see assets from that other app. If a user logs into your app, then you can see that user's resources which belong to any app that you have at least read-only permission for. If you have read-and-transfer permission, you can also initiate a resource transfer between two users or access marketplace functions.

Permissions can be managed in the Manage Permissions section for the selected app.
