Definition

Sign-In with Ethereum (SIWE) is an authentication standard defined by EIP-4361 that enables users to authenticate with web services by cryptographically signing a structured message with their Ethereum wallet. Instead of providing an email address, creating a password, and trusting a centralized identity provider to store and protect those credentials, the user proves ownership of a public key by producing a signature that only the corresponding private key could have generated.

The protocol requires no personal information. No name. No email. No phone number. No government ID. The identity is the wallet address—a pseudonymous, user-controlled cryptographic identifier that cannot be forged, revoked by a third party, or linked to a real-world identity without external data.

Why It Matters

The average internet user manages 168 online accounts, each requiring credentials stored and protected by the service operator. In 2024, credential-based attacks accounted for 49% of all initial breach vectors (Verizon DBIR 2024). The fundamental vulnerability is structural: password-based authentication requires the server to store a secret (or its hash), creating a centralized target that attackers have breached billions of times.

SIWE eliminates this attack surface entirely. The server stores no credential. There is no password database to breach, no OAuth token to intercept, no session cookie tied to an email address. The authentication proof is generated fresh for each session, verified against the Ethereum public key registry (the blockchain), and discarded.

The Web3 identity model represents a philosophical inversion of centralized authentication: instead of the user proving their identity to the server, the server verifies the user’s assertion for itself. The private key never leaves the wallet. The signature is the proof. The verification is mathematical, not relational.

For privacy-first applications, SIWE is the only widely adopted authentication standard that requires zero personally identifiable information by design—not as a configuration option, not as a privacy mode, but as a protocol constraint.

How It Works

The SIWE authentication flow follows a challenge-response pattern:

  1. Nonce request: The client requests a one-time nonce from the server (GET /auth/nonce). Because the nonce is embedded in the signed message and accepted only once, a captured signature cannot be replayed.

  2. Message construction: The client builds a human-readable EIP-4361 message containing the domain, wallet address, nonce, timestamp, and an optional statement the user reviews before signing.

  3. Wallet signature: The user’s wallet (MetaMask, WalletConnect, Coinbase Wallet, Rainbow) displays the message and requests approval. The wallet signs with the user’s private key via personal_sign (EIP-191), producing a 65-byte ECDSA signature.

  4. Server verification: The client sends the message and signature to the server (POST /auth/verify). The server performs ecrecover over the EIP-191 hash of the message to derive the signing wallet address, checks that it matches the address stated in the message, verifies and consumes the nonce, and confirms the timestamp window.

  5. Session issuance: Upon verification, the server issues a short-lived JWT (1-hour TTL, httpOnly cookie) containing only a hash of the wallet address—not the address itself. No PII has been transmitted, stored, or logged at any point.
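The five steps above as an added Python example, not code from the page or from Stealth Cloud: it builds the EIP-4361 message (step 2) and performs the server-side checks of steps 1, 4 and 5 (domain binding, single-use nonce, issued-at window, signer equals the claimed address, hashed address as session subject). The ECDSA recovery itself is assumed to be supplied by a wallet library such as eth_account, so the verifier takes it as a callable, and the session subject is an HMAC keyed with a server secret rather than the plain SHA-256 named above, because an unkeyed hash of a public address is trivially matched against a candidate list.

```python
import hashlib, hmac, re, secrets
from datetime import datetime, timedelta, timezone

# EIP-4361 message grammar: required fields plus the optional statement.
MSG_RE = re.compile(
    r"^(?P<domain>[^\n ]+) wants you to sign in with your Ethereum account:\n"
    r"(?P<address>0x[0-9a-fA-F]{40})\n\n(?:(?P<statement>[^\n]+)\n)?\n"
    r"URI: (?P<uri>[^\n]+)\nVersion: 1\nChain ID: (?P<chain_id>\d+)\n"
    r"Nonce: (?P<nonce>[a-zA-Z0-9]{8,})\nIssued At: (?P<issued_at>[^\n]+)$")

def build_message(domain, address, uri, nonce, statement=None, chain_id=1, issued_at=None):
    """Serialise the text the wallet displays and signs (step 2 of the flow)."""
    issued_at = (issued_at or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [f"{domain} wants you to sign in with your Ethereum account:", address, ""]
    if statement:
        lines.append(statement)
    lines += ["", f"URI: {uri}", "Version: 1", f"Chain ID: {chain_id}",
              f"Nonce: {nonce}", f"Issued At: {issued_at}"]
    return "\n".join(lines)

class SiweVerifier:
    """Server side of steps 1, 4 and 5. recover_address(message, signature) -> signer is
    assumed to come from an ECDSA library (e.g. eth_account); the rest is checked here."""
    def __init__(self, domain, session_key, recover_address):
        self.domain, self.session_key, self.recover = domain, session_key, recover_address
        self.nonces = set()  # outstanding nonces; each is consumed on first use

    def issue_nonce(self):
        nonce = secrets.token_hex(8)  # 16 alphanumerics, satisfies the >= 8 rule
        self.nonces.add(nonce)
        return nonce

    def verify(self, message, signature, now=None):
        now = now or datetime.now(timezone.utc)
        m = MSG_RE.match(message)
        if not m:
            raise ValueError("malformed EIP-4361 message")
        if m["domain"] != self.domain:
            raise ValueError("domain mismatch: message was minted for another site")
        if m["nonce"] not in self.nonces:
            raise ValueError("unknown or already-used nonce (replay)")
        self.nonces.discard(m["nonce"])  # single use, even if a later check fails
        issued = datetime.fromisoformat(m["issued_at"].replace("Z", "+00:00"))
        if not now - timedelta(minutes=5) <= issued <= now + timedelta(minutes=1):
            raise ValueError("issued-at outside the accepted clock window")
        if self.recover(message, signature).lower() != m["address"].lower():
            raise ValueError("signature was not produced by the claimed address")
        # Session subject is a keyed hash: an unkeyed SHA-256 of a public address can be
        # matched against any candidate address list, so it would not hide the identity.
        return hmac.new(self.session_key, m["address"].lower().encode(), hashlib.sha256).hexdigest()
```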

Stealth Cloud Relevance

SIWE is the authentication layer of Stealth Cloud, branded as GhostPass in the product interface. The term “Sign In” is deliberately absent from the UI—users “Manifest” their identity, reflecting the Stealth Cloud brand vocabulary and the fundamental difference between proving you control a key and surrendering your identity to a database.

The architectural significance is profound. In a system built on zero-persistence and zero-knowledge principles, traditional authentication is a contradiction: you cannot require an email or password without storing it, and storing it violates the zero-persistence guarantee. SIWE resolves the contradiction by providing cryptographic authentication that generates no storable credential.

Combined with a Software-Defined Perimeter at the API layer, SIWE ensures that the authentication step itself reveals nothing about the user beyond a mathematical proof of key ownership. The Stealth Cloud API stores only a SHA-256 hash of the wallet address—not the address itself—making it impossible to reconstruct the user’s on-chain identity from the session token, even if the server were fully compromised.

The three paradigms of cloud computing are distinguished by their identity models as much as their data models. Public cloud requires full identity disclosure. Private cloud requires enterprise identity. Stealth Cloud requires only a cryptographic signature—and forgets even that when the session ends.

The Stealth Cloud Perspective

Sign-In with Ethereum answers the question every privacy system must confront: how do you authenticate a user without learning who they are? SIWE’s answer—a cryptographic proof that requires nothing but a key pair and yields nothing but a boolean—is the only authentication model compatible with infrastructure that refuses to remember.