session param is encoded in base58. A session should contain the following data:
timestamp (number): The timestamp at which the user approved the connection. At the time of this writing, sessions do not expire.
chain (string): The chain that the user connected to at the start of the session. Sessions cannot be used across two different chains with the same keypair (e.g. the user cannot connect to Solana and then sign on Ethereum). At the time of this writing, Phantom only supports
cluster (string) (optional): The approved cluster that the app and user initially connected to. Solana-only. Can be either:
devnet. Defaults to
session param on every request. To decode the session, we decode it with bs58, slice off the first 64 bytes, which are the signature, and then treat the rest as JSON data. We then sign the JSON data again with the same keypair and compare that signature against the signature in the session. If the signatures are the same, the session is valid. Otherwise, we conclude that the session has been faked, as the signature does not belong to the keypair it claims to belong to.
pubkey A when the user is currently using pubkey B in Phantom. In such a scenario, that session should not allow an app to request signatures. Instead, the app must issue a new connect request or use the correct session.
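An added example (not Phantom's own code) of the decode-and-check steps above in Node.js, including the case of a session issued under one keypair being presented while another is in use. The inline base58 helpers stand in for bs58; makeSession, checkSession, the throwaway keys and the sample session values are constructed for illustration.

```javascript
// Added example. Assumed layout: base58( signature(64 bytes) || JSON bytes ).
const nodeCrypto = require('node:crypto');
const ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';

function b58encode(buf) {
  let n = BigInt('0x' + (buf.toString('hex') || '0')), out = '';
  for (; n > 0n; n /= 58n) out = ALPHABET[Number(n % 58n)] + out;
  for (const b of buf) { if (b !== 0) break; out = '1' + out; } // leading zero bytes
  return out;
}

function b58decode(str) {
  let n = 0n;
  for (const ch of str) {
    const v = ALPHABET.indexOf(ch);
    if (v < 0) throw new Error('invalid base58 character');
    n = n * 58n + BigInt(v);
  }
  let hex = n === 0n ? '' : n.toString(16);
  if (hex.length % 2) hex = '0' + hex;
  const zeros = str.match(/^1*/)[0].length; // each leading '1' is one zero byte
  return Buffer.concat([Buffer.alloc(zeros), Buffer.from(hex, 'hex')]);
}

// Build a session: sign the JSON bytes, prepend the signature, base58-encode.
function makeSession(privateKey, data) {
  const json = Buffer.from(JSON.stringify(data), 'utf8');
  return b58encode(Buffer.concat([nodeCrypto.sign(null, json, privateKey), json]));
}

// Check a session against the keypair currently in use.
function checkSession(session, privateKey) {
  let raw;
  try { raw = b58decode(session); } catch { return { valid: false, reason: 'not base58' }; }
  if (raw.length <= 64) return { valid: false, reason: 'too short' };
  const sig = raw.subarray(0, 64), json = raw.subarray(64);
  // Ed25519 is deterministic, so re-signing the same bytes reproduces the signature.
  const expected = nodeCrypto.sign(null, json, privateKey);
  if (!nodeCrypto.timingSafeEqual(sig, expected)) return { valid: false, reason: 'signature mismatch' };
  try { return { valid: true, data: JSON.parse(json.toString('utf8')) }; }
  catch { return { valid: false, reason: 'data is not JSON' }; }
}

// Constructed sample: two throwaway keypairs and one session issued under key A.
const keyA = nodeCrypto.generateKeyPairSync('ed25519').privateKey;
const keyB = nodeCrypto.generateKeyPairSync('ed25519').privateKey;
const sessionA = makeSession(keyA, { timestamp: 1700000000000, chain: 'solana', cluster: 'devnet' });
console.log(checkSession(sessionA, keyA)); // accepted
console.log(checkSession(sessionA, keyB)); // rejected: signed by a different keypair
```

The signature is compared in constant time and checked before the JSON is parsed, so unauthenticated bytes never reach the parser.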
data does not pass muster. There are a few reasons why this might occur: