Skip to main content

Sign In With Ethereum

AppKit provides a simple solution for integrating with "Sign In With Ethereum" (SIWE), a new form of authentication that enables users to control their digital identity with their Ethereum account. SIWE is a standard also known as EIP-4361.

One-Click Auth

One-Click Auth represents a key advancement within WalletConnect v2, streamlining the user authentication process in Web3Modal by enabling them to seamlessly connect with a wallet and sign a SIWE message with just one click.

Connecting a wallet, proving control of an address with an off-chain signature, authorizing specific actions. These are the kinds of authorizations that can be encoded as "ReCaps". ReCaps are permissions for a specific website or dapp that can be compactly encoded as a long string in the message you sign and translated by any wallet into a straight-forward one-sentence summary. WalletConnect uses permissions expressed as ReCaps to enable a One-Click Authentication.


NextAuth is a complete open-source authentication solution for Next.js applications. It is designed from the ground up to support Next.js and Serverless. We can use NextAuth with SIWE to handle users authentication and sessions.


npm i @web3modal/siwe next-auth

Configure your SIWE Client

import { getCsrfToken, signIn, signOut, getSession } from 'next-auth/react'
import type { SIWEVerifyMessageArgs, SIWECreateMessageArgs, SIWESession } from '@web3modal/siwe'
import { createSIWEConfig, formatMessage } from '@web3modal/siwe'
import { mainnet, sepolia } from 'viem/chains'

export const siweConfig = createSIWEConfig({
getMessageParams: async () => ({
domain: typeof window !== 'undefined' ? : '',
uri: typeof window !== 'undefined' ? window.location.origin : '',
chains: [,],
statement: 'Please sign with your account'
createMessage: ({ address, ...args }: SIWECreateMessageArgs) => formatMessage(args, address),
getNonce: async () => {
const nonce = await getCsrfToken()
if (!nonce) {
throw new Error('Failed to get nonce!')

return nonce
getSession: async () => {
const session = await getSession()
if (!session) {
throw new Error('Failed to get session!')

const { address, chainId } = session as unknown as SIWESession

return { address, chainId }
verifyMessage: async ({ message, signature }: SIWEVerifyMessageArgs) => {
try {
const success = await signIn('credentials', {
redirect: false,
callbackUrl: '/protected'

return Boolean(success?.ok)
} catch (error) {
return false
signOut: async () => {
try {
await signOut({
redirect: false

return true
} catch (error) {
return false


Verify a SIWE signature.

import { verifySignature } from '@web3modal/siwe'

const isValid = await verifySignature({ address, message, signature, chainId, projectId })


Get the chain ID from the SIWE message.

import { getChainIdFromMessage } from '@web3modal/siwe'

const chainId = getChainIdFromMessage(message)


Get the address from the SIWE message.

import { getAddressFromMessage } from '@web3modal/siwe'

const address = getAddressFromMessage(message)

Set up your API route

Add NEXTAUTH_SECRET as an environment variable, it will be used to encrypt and decrypt user sessions. Learn more.

Create your API route at app/api/auth/[...nextauth]/route.ts.

import NextAuth from 'next-auth'
import credentialsProvider from 'next-auth/providers/credentials'
import {
type SIWESession,
} from '@web3modal/siwe'

declare module 'next-auth' {
interface Session extends SIWESession {
address: string
chainId: number

const nextAuthSecret = process.env.NEXTAUTH_SECRET
if (!nextAuthSecret) {
throw new Error('NEXTAUTH_SECRET is not set')

const projectId = process.env.NEXT_PUBLIC_PROJECT_ID
if (!projectId) {
throw new Error('NEXT_PUBLIC_PROJECT_ID is not set')

const providers = [
name: 'Ethereum',
credentials: {
message: {
label: 'Message',
type: 'text',
placeholder: '0x0'
signature: {
label: 'Signature',
type: 'text',
placeholder: '0x0'
async authorize(credentials) {
try {
if (!credentials?.message) {
throw new Error('SiweMessage is undefined')
const { message, signature } = credentials
const address = getAddressFromMessage(message)
const chainId = getChainIdFromMessage(message)

const isValid = await verifySignature({ address, message, signature, chainId, projectId })

if (isValid) {
return {
id: `${chainId}:${address}`

return null
} catch (e) {
return null

const handler = NextAuth({
secret: nextAuthSecret,
session: {
strategy: 'jwt'
callbacks: {
session({ session, token }) {
if (!token.sub) {
return session

const [, chainId, address] = token.sub.split(':')
if (chainId && address) {
session.address = address
session.chainId = parseInt(chainId, 10)

return session

export { handler as GET, handler as POST }

Initialize Web3Modal with your siweConfig.


SIWE Config reference

interface SIWEConfig {
// Required
getNonce: () => Promise<string>
createMessage: (args: SIWECreateMessageArgs) => string
verifyMessage: (args: SIWEVerifyMessageArgs) => Promise<boolean>
getSession: () => Promise<SIWESession | null>
signOut: () => Promise<boolean>

// Optional
onSignIn?: (session?: SIWESession) => void
onSignOut?: () => void
// Defaults to true
enabled?: boolean
// In milliseconds, defaults to 5 minutes
nonceRefetchIntervalMs?: number
// In milliseconds, defaults to 5 minutes
sessionRefetchIntervalMs?: number
// Defaults to true
signOutOnDisconnect?: boolean
// Defaults to true
signOutOnAccountChange?: boolean
// Defaults to true
signOutOnNetworkChange?: boolean



The getNonce method functions as a safeguard against spoofing, akin to a CSRF token. The siwe package provides a generateNonce() helper, or you can utilize an existing CSRF token from your backend if available.


The official siwe package offers a straightforward method for generating an EIP-4361-compatible message, which can subsequently be authenticated using the same package. The nonce parameter is derived from your getNonce endpoint, while the address and chainId variables are sourced from the presently connected wallet.


The verifyMessage method should lean on the siwe package's new


to ensure the message is valid, has not been tampered with, and has been appropriately signed by the wallet address.


The backend session should store the associated address and chainId and return it via the getSession method.


The users session can be destroyed calling signOut.


onSignIn (session?: SIWESession) => void

Callback when user signs in.

onSignOut () => void

Callback when user signs out.

enabled boolean - defaults to true

Whether or not to enable SIWE. Defaults to true.

nonceRefetchIntervalMs number - defaults to 300000ms (5 minutes)

How often to refetch the nonce, in milliseconds.

sessionRefetchIntervalMs number - defaults to 300000ms (5 minutes)

How often to refetch the session, in milliseconds.

signOutOnDisconnect boolean - defaults to true

Whether or not to sign out when the user disconnects their wallet.

signOutOnAccountChange boolean - defaults to true

Users will be signed out and redirected to the SIWE view to sign a new message in order to keep the SIWE session in sync with the connected account.

signOutOnNetworkChange boolean - defaults to true

Users will be signed out and redirected to the SIWE view to sign a new message in order to keep the SIWE session in sync with the connected account/network.