%22%3E%3Cstop%20offset%3D%220%25%22%20stop-color%3D%22%23052e16%22%2F%3E%3Cstop%20offset%3D%22100%25%22%20stop-color%3D%22%23059669%22%20stop-opacity%3D%220.6%22%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D%22800%22%20height%3D%22200%22%20fill%3D%22url(%23bg)%22%2F%3E%3Ccircle%20cx%3D%22215%22%20cy%3D%2292%22%20r%3D%22100%22%20fill%3D%22%23059669%22%20opacity%3D%220.28%22%2F%3E%3Ccircle%20cx%3D%22671%22%20cy%3D%2214%22%20r%3D%22129%22%20fill%3D%22%23059669%22%20opacity%3D%220.30%22%2F%3E%3Ccircle%20cx%3D%22641%22%20cy%3D%2257%22%20r%3D%22136%22%20fill%3D%22%23059669%22%20opacity%3D%220.18%22%2F%3E%3Ccircle%20cx%3D%22331%22%20cy%3D%225%22%20r%3D%2221%22%20fill%3D%22none%22%20stroke%3D%22%236ee7b7%22%20stroke-width%3D%225.7%22%20opacity%3D%220.30%22%2F%3E%3Crect%20x%3D%22563%22%20y%3D%22195%22%20width%3D%2250%22%20height%3D%2254%22%20rx%3D%2210%22%20fill%3D%22%23059669%22%20opacity%3D%220.16%22%20transform%3D%22rotate(28%20563%20195)%22%2F%3E%3Ccircle%20cx%3D%22352%22%20cy%3D%2243%22%20r%3D%2234%22%20fill%3D%22none%22%20stroke%3D%22%236ee7b7%22%20stroke-width%3D%224.2%22%20opacity%3D%220.31%22%2F%3E%3Ccircle%20cx%3D%22550%22%20cy%3D%229%22%20r%3D%2232%22%20fill%3D%22none%22%20stroke%3D%22%23059669%22%20stroke-width%3D%225.8%22%20opacity%3D%220.13%22%2F%3E%3Crect%20x%3D%22299%22%20y%3D%2286%22%20width%3D%2237%22%20height%3D%2236%22%20rx%3D%223%22%20fill%3D%22%236ee7b7%22%20opacity%3D%220.14%22%20transform%3D%22rotate(6%20299%2086)%22%2F%3E%3Cpolygon%20points%3D%2240%2C136%2030%2C95%2027%2C144%22%20fill%3D%22%23059669%22%20opacity%3D%220.31%22%2F%3E%3Crect%20x%3D%22438%22%20y%3D%2240%22%20width%3D%2273%22%20height%3D%2260%22%20rx%3D%223%22%20fill%3D%22%236ee7b7%22%20opacity%3D%220.26%22%20transform%3D%22rotate(4%20438%2040)%22%2F%3E%3Cpolygon%20points%3D%22336%2C100%20333%2C63%20316%2C87%22%20fill%3D%22%23059669%22%20opacity%3D%220.20%22%2F%3E%3Ccircle%20cx%3D%22516%22%20cy%3D%22119%22%20r%3D%226%22%20fill%3D%22%236ee7b7%22%20opacity%3D%220.46%22%2F%3E%3Ccircle%20cx%3D%22436%22%20cy%3D%2211%22%20r%3D%222%22%20fill%3D%22%236ee7b7%22%20opacity%3D%220.54%22%2F%3E%3Ccircle%20cx%3D%22261%22%20cy%3D%2265%22%20r%3D%227%22%20fill%3D%22%236ee7b7%22%20opacity%3D%220.78%22%2F%3E%3Ccircle%20cx%3D%22658%22%20cy%3D%22173%22%20r%3D%226%22%20fill%3D%22%236ee7b7%22%20opacity%3D%220.70%22%2F%3E%3C%2Fsvg%3E)
What is ROLA?
ROLA (Radix Off-Ledger Authentication) is a challenge-response protocol that lets your backend verify a user owns a Radix account or persona — without submitting any on-ledger transaction. It's the Radix equivalent of "Sign-In with Ethereum" but uses the native Radix Wallet.
How It Works
- Backend generates a challenge — a random 32-byte hex string stored with a 5-minute expiry
- Frontend requests proof — sends the challenge to the Radix Wallet via
requestProofOfOwnership() - User approves in wallet — wallet signs the challenge with the account's private key (Ed25519 or secp256k1)
- Frontend sends proof to backend — contains public key, signature, and curve type
- Backend verifies — checks the signature, confirms the public key matches the account's
owner_keysmetadata on ledger, and deletes the challenge
Implementation
1. Generate Challenges (Backend)
import crypto from 'crypto'
// Store challenges with expiry (use Redis, DB, or in-memory Map)
const challenges = new Map<string, { expires: number }>()
function createChallenge(): string {
const challenge = crypto.randomBytes(32).toString('hex')
challenges.set(challenge, {
expires: Date.now() + 5 * 60 * 1000 // 5 minutes
})
return challenge
}2. Request Proof (Frontend)
import { DataRequestBuilder } from '@radixdlt/radix-dapp-toolkit'
// Fetch challenge from your backend
const challenge = await fetch('/api/auth/challenge').then(r => r.json())
// Request proof of account ownership
const result = await rdt.walletApi.sendRequest(
DataRequestBuilder.accounts()
.atLeast(1)
.withProof(challenge)
)3. Verify Proof (Backend)
import { Rola } from '@radixdlt/rola'
import { RadixNetwork } from '@radixdlt/babylon-gateway-api-sdk'
const rola = Rola({
networkId: RadixNetwork.Mainnet,
applicationName: 'My dApp',
dAppDefinitionAddress: 'account_rdx...',
expectedOrigin: 'https://my-dapp.com'
})
// Verify the signed challenge
const result = await rola.verifySignedChallenge({
challenge: challengeHex,
proof: { publicKey, signature, curve },
address: accountAddress,
type: 'account'
})
if (result.isOk()) {
// Create session (JWT, cookie, etc.)
}Delete used challenges
Always delete a challenge after verification — successful or not. This prevents replay attacks where a captured proof is resubmitted.
When to Use ROLA
| Use Case | Auth Method |
|---|---|
| User login / session creation | ROLA |
| Prove account ownership to backend | ROLA |
| Transfer assets or call components | On-ledger transaction |
| Gate content by badge ownership | ROLA + Gateway query |
ROLA proves identity. On-ledger transactions perform actions. For token-gated access, verify ownership via ROLA then query the account's resources via the Gateway SDK.