Sigma Auth
Reference

The Sigma Auth backup service provides secure storage and retrieval of encrypted Bitcoin key backups.

Authentication

Use the JWT access token from the OAuth flow:

Authorization: Bearer <access_token>

Endpoint Authentication Requirements

Authenticated Endpoints

These endpoints require authentication to protect user data:

EndpointMethodAuthenticationDescription
/backupGETBearer tokenRetrieve your encrypted backup
/backupPOSTBearer tokenStore encrypted backup
/backup/statusGETBearer tokenCheck backup status
/backup/link-oauthPOSTBearer tokenLink OAuth account to Bitcoin identity
/backup/oauth-accountsGETBearer tokenList linked OAuth accounts

Public Endpoints

These endpoints are intentionally public to enable cross-device restore:

EndpointMethodAuthenticationDescription
/backup/oauthGETNone (OAuth ID required)Retrieve backup by OAuth account

Authentication Examples

Example Request

// After OAuth authentication
const response = await fetch('https://auth.sigmaidentity.com/backup/status', {
  headers: {
    'Authorization': `Bearer ${accessToken}`
  }
});

Security Design

Why OAuth Backup Retrieval is Public

The /backup/oauth endpoint doesn't require authentication because:

  1. Enables cross-device restore - Users can restore from a new device without their Bitcoin key
  2. OAuth provider verification - The OAuth provider already verified the user's identity
  3. Client-side encryption - Backups are encrypted and require a password to decrypt
  4. No sensitive data exposed - Only encrypted blobs are returned

Protection Mechanisms

Even though OAuth backup retrieval is public, it's secure because:

  • Strong encryption: AES-256-GCM encryption with user-chosen passwords
  • OAuth verification: Must prove ownership of the OAuth account
  • Rate limiting: Prevents brute force attempts
  • No key exposure: Private keys are never transmitted or stored in plaintext

Best Practices

For Storing Backups

import { encryptBackup, type WifBackup } from 'bitcoin-backup';

// 1. Authenticate user
const accessToken = await authenticateUser();

// 2. Create backup object and encrypt client-side
const backup: WifBackup = {
  wif: privateKey.toWif(),
  label: 'My Wallet',
  createdAt: new Date().toISOString()
};
const encryptedBackup = await encryptBackup(backup, password);

// 3. Store encrypted backup
await fetch('https://auth.sigmaidentity.com/backup', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${accessToken}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    data: encryptedBackup,
    format: 'WifBackup', // Helps server categorize the backup type
    version: 1,
    metadata: {
      source: 'web',
      clientVersion: '1.0.0'
    }
  })
});

For Retrieving Backups

// Authenticated retrieval (when user has their key)
const backup = await fetch('https://auth.sigmaidentity.com/backup', {
  headers: {
    'Authorization': `Bearer ${accessToken}`
  }
});

// OAuth-based retrieval (for cross-device restore)
const oauthBackup = await fetch(
  'https://auth.sigmaidentity.com/backup/oauth?oauthId=google|123456789'
);

Error Responses

Authentication Failures

{
  "error": "unauthorized",
  "error_description": "Invalid or expired authentication token"
}

Missing Authentication

{
  "error": "authentication_required",
  "error_description": "This endpoint requires authentication"
}

Rate Limiting

All backup endpoints are rate-limited to prevent abuse:

  • Authenticated requests: 100 requests per minute
  • OAuth backup retrieval: 10 requests per minute per IP
  • Failed authentication: Progressive delays after failed attempts