• 

  The PolkaPass demo app. Users start by choosing “Login with Polkadot.”

• 

  Wallet prompt asking the user to sign a challenge to verify ownership.

• 

  Successful login! User’s wallet address and verified ID token are displayed.

🧠 Inspiration

Most apps still rely on passwords or centralized logins like “Sign in with Google.” We wanted to bring that same convenience to Web3 but without surrendering user control.

PolkaPass was inspired by the idea that your Polkadot wallet can be your identity — a secure, self-owned passport across dApps and traditional Web2 platforms alike.

⚙️ What We Built

PolkaPass is an open-source OAuth 2.1 / OpenID Connect server that uses Polkadot wallet signatures instead of passwords.

It issues standard Access Tokens and ID Tokens (JWTs), so any existing OAuth-compatible app can instantly add “Sign in with Polkadot” - no code rewrites required.

Key features:

• 🔐 Passwordless authentication using sr25519 or ed25519 wallet signatures
  
• 🌐 Full OIDC compatibility (works with existing OAuth libraries)
  
• 🧩 Easy integration with Node.js, Express, and frontend frameworks
  
• 📜 JWKS endpoint and signature verification using @polkadot/util-crypto
  
• ⚡ Built for speed, tested with real wallet extensions (Polkadot.js, Talisman)
  

🏗️ How We Built It

We built PolkaPass as a lightweight Node.js / Express server with modern ESM modules and TypeScript, using the JOSE library for JWT handling.
For the demo application, we used the same Node.js + Express server (tested with Vitest) that demonstrates a simple “Sign in with Polkadot” flow compatible with browser wallet extensions.

Architecture highlights:

Frontend → OAuth 2.1 / OIDC endpoints → Signature verification → JWT issuance

All cryptographic verification happens locally using @polkadot/util-crypto, ensuring no secrets ever leave the user’s wallet.

🧩 What We Learned

We deepened our understanding of:

• How OAuth 2.1 / OIDC flows map to decentralized identity.
  
• The subtle differences between sr25519, ed25519, and ECDSA signature schemes.
  
• How to bridge Web2 auth standards with Web3 wallets using open cryptography instead of private APIs.
  

🚧 Challenges We Faced

• Implementing OAuth 2.1 correctly without existing wallet-based precedents.
  
• Handling cross-origin and redirect URI issues for browser extensions.
  
• Balancing developer usability with strict cryptographic validation.
  
• Creating a flow that feels familiar to users while staying fully decentralized.
  

Built With

• express.js
• jose
• node.js
• polkadot.js-extension-api
• polkadot/util-crypto
• typescript
• vite
• vitest