Stellar / SEP-10 (web authentication)
The Anchor sends a challenge → your wallet signs it (proves you control the account) → the Anchor returns a short-lived pass (JWT) → the site sends that pass only for actions that need to know which wallet is behind the request. Your secret key does not go to the server.
The app needs your Stellar account (G…) before allowing authenticated actions.
The backend asks the Anchor for a one-time, unsigned challenge.
You confirm in Freighter. The key stays on your device; only the signature is checked.
The Anchor verifies the signature and issues a time-limited token tied to your account.
The browser sends the pass on API calls (e.g. register). Close the tab → the pass is gone.
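The steps above as a runnable sketch. This is an added example, not code from the app or from an Anchor. It models the flow in a simplified form: a real SEP-10 challenge is a Stellar transaction, while here it is a random nonce. The hex account id, the 5-minute challenge lifetime, the 15-minute token lifetime and all function names are assumptions made for the example.

```javascript
// Added example: simplified model of the flow. A real SEP-10 challenge is a
// Stellar transaction; here it is a random nonce and the account is hex(pubkey).
const nodeCrypto = require("crypto");
const SPKI_PREFIX = Buffer.from("302a300506032b6570032100", "hex"); // Ed25519 SPKI header
const JWT_SECRET = nodeCrypto.randomBytes(32); // Anchor-side only
const pending = new Map(); // challenge -> { account, expires }
const b64u = (s) => Buffer.from(s).toString("base64url");
const hmac = (data) => nodeCrypto.createHmac("sha256", JWT_SECRET).update(data).digest();

// The account id encodes the public key, as a G... address does on Stellar.
const accountOf = (pub) => pub.export({ format: "der", type: "spki" }).subarray(12).toString("hex");
const keyOf = (account) => nodeCrypto.createPublicKey({
  key: Buffer.concat([SPKI_PREFIX, Buffer.from(account, "hex")]), format: "der", type: "spki" });

// Anchor: one-time challenge bound to the account, valid for 5 minutes (assumed).
function issueChallenge(account, now = Date.now()) {
  if (!/^[0-9a-f]{64}$/.test(account)) throw new Error("bad account");
  const challenge = nodeCrypto.randomBytes(32).toString("base64url");
  pending.set(challenge, { account, expires: now + 5 * 60_000 });
  return challenge;
}

// Wallet: signs locally; only the signature leaves the device.
const walletSign = (challenge, privateKey) => nodeCrypto.sign(null, Buffer.from(challenge), privateKey);

// Anchor: consume the challenge, verify the signature, issue a 15-minute JWT (assumed).
function exchangeForToken(challenge, signature, account, now = Date.now()) {
  const entry = pending.get(challenge);
  pending.delete(challenge); // single use, even when verification fails
  if (!entry || entry.account !== account || now > entry.expires) return null;
  if (!nodeCrypto.verify(null, Buffer.from(challenge), keyOf(account), signature)) return null;
  const iat = Math.floor(now / 1000);
  const head = b64u(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64u(JSON.stringify({ sub: account, iat, exp: iat + 900 }));
  return `${head}.${body}.${hmac(`${head}.${body}`).toString("base64url")}`;
}

// API endpoint: returns the account behind a valid, unexpired token, else null.
function accountFromToken(token, now = Date.now()) {
  const [head, body, mac] = String(token).split(".");
  if (!head || !body || !mac) return null;
  const given = Buffer.from(mac, "base64url"), expected = hmac(`${head}.${body}`);
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(body, "base64url").toString());
  return now / 1000 < claims.exp ? claims.sub : null;
}
```

The checks that matter on the Anchor side are visible here: the challenge is consumed on first use, the signature is verified against the key the account id encodes, and the API trusts the token only after checking its MAC and expiry.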