A production-ready authentication service built with Encore.ts that bridges Web2 gaming providers (Steam, EpicStore, etc.) with Web3 cryptographic infrastructure using Lit Protocol. It implements a complete Steam OpenID login flow with automated Programmable Key Pair (PKP) generation, enabling seamless player onboarding into blockchain gaming ecosystems.

Game Auth is a microservice that handles:
- Steam Authentication: OpenID 2.0 integration for player verification
- JWT Token Generation: RS256-signed tokens for Lit Protocol authentication
- PKP Generation: Automated creation of programmable key pairs using Lit Protocol v7
- MPC Key Sharing: 2-of-3 threshold scheme supporting:
  - Share A: Passkey (user-controlled)
  - Share B: Lit PKP (protocol-managed)
  - Share C: QR Code (recovery mechanism)

Requirements:

- Node.js: >= 21.0.0
- npm or yarn: Latest version
- Docker: For local development (optional)

Install the Encore CLI:

```bash
# macOS
brew install encoredev/tap/encore
# Linux
curl -L https://encore.dev/install.sh | bash
# Windows (PowerShell)
iwr https://encore.dev/install.ps1 | iex
```

Install dependencies:

```bash
npm install
# or
yarn install
```

Create a `.secrets.local.cue` file in the project root:

```cue
// Server Configuration
ServerUrl: "http://localhost:4000"
ClientUrl: "http://localhost:3000"
// Steam API Configuration
SteamApiKey: "YOUR_STEAM_API_KEY"
SteamDomain: "yourdomain.com"
// JWT Configuration (RS256)
JwtPublicKey: """
-----BEGIN PUBLIC KEY-----
YOUR_RSA_PUBLIC_KEY_HERE
-----END PUBLIC KEY-----
"""
JwtKeyID: "your-key-id-here"
JwtPrivateKey: """
-----BEGIN PRIVATE KEY-----
YOUR_RSA_PRIVATE_KEY_HERE
-----END PRIVATE KEY-----
"""
JwtLifeTime: "24h"
// Lit Protocol Configuration
// Private key for paying PKP minting fees on Chronicle Yellowstone
LitAdminPrivateKey: "0x..."
```

If you don't have RSA keys, generate them:

```bash
# Generate private key
openssl genrsa -out private.pem 2048
# Extract public key
openssl rsa -in private.pem -pubout -out public.pem
# Convert private key to PKCS8 format for JWT
openssl pkcs8 -topk8 -inform PEM -in private.pem -out private_pkcs8.pem -nocrypt
```

The admin wallet must have funds on Chronicle Yellowstone to pay minting fees:

```bash
# 1. Extract address from private key
# 2. Get testnet ETH from https://faucet.litprotocol.com
# 3. Verify balance on Chronicle explorer
```

Start the Encore server in debug mode:

`npm run dev` or `yarn dev`

```bash
encore run
```

Authentication

- `POST /api/login` - Steam login initiation
- `GET /api/auth/callback` - Steam OpenID callback

Wallet Management

- `POST /api/wallet/mint` - Mint PKP with Steam auth method

Public Endpoints

- `GET /.well-known/jwks.json` - JWKS endpoint for JWT verification
- `GET /.well-known/openid-configuration` - OpenID Connect discovery

Frontend Routes

- `GET /` - Home page
- `GET /auth` - Authentication page
- `GET /auth/success` - Success redirect (with token parameter)
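
The RS256 settings above (`JwtPrivateKey`, `JwtKeyID`, `JwtLifeTime`) and the `/.well-known/jwks.json` endpoint imply the sign/verify round trip sketched below. This is an added example, not code from this project: it uses Node's built-in `crypto` rather than the project's `jose` dependency, and the throwaway key, the `example-key-1` key ID, the JWKS shape, and the `signJwt`/`verifyJwt` helpers are assumptions.

```typescript
import { createPublicKey, createSign, createVerify, generateKeyPairSync } from "node:crypto";

// Constructed throwaway key and key ID; the service would load JwtPrivateKey / JwtKeyID from secrets.
const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
const KID = "example-key-1";

// Assumed JWKS document (RFC 7517 JWK Set): public parameters only, tagged with the key ID.
const jwks = { keys: [{ ...publicKey.export({ format: "jwk" }), kid: KID, alg: "RS256", use: "sig" }] };

const b64u = (s: string): string => Buffer.from(s).toString("base64url");

// Issuer side: sign header.payload with RSASSA-PKCS1-v1_5 + SHA-256 (RS256).
function signJwt(claims: object, header: object = { alg: "RS256", typ: "JWT", kid: KID }): string {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${createSign("RSA-SHA256").update(input).sign(privateKey, "base64url")}`;
}

// Relying-party side: verify against the published JWKS. `now` is seconds since the epoch.
function verifyJwt(token: string, now: number = Math.floor(Date.now() / 1000)): Record<string, unknown> {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
  // Pin the algorithm; a token must not be able to select "none" or an HMAC variant.
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  // Select the key by kid from the trusted set, never from material inside the token.
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error("unknown kid");
  const key = createPublicKey({ key: jwk, format: "jwk" });
  if (!createVerify("RSA-SHA256").update(`${h}.${p}`).verify(key, s, "base64url")) {
    throw new Error("bad signature");
  }
  // Parse claims only after the signature checks out, then enforce expiry.
  const claims = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired");
  return claims;
}
```

Passing `now` explicitly makes the expiry check testable; with a 24h `JwtLifeTime`, `exp` is the issue time plus 86400 seconds.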

```
┌─────────────────────────────────────────────────────────┐
│                    Game Auth Service                    │
├──────────────┬──────────────┬──────────────┬────────────┤
│              │     Auth     │              │            │
│    Login     │    Steam     │    Wallet    │ Validators │
│  Controller  │  EpicStore   │  Management  │            │
├──────────────┴──────────────┴──────────────┴────────────┤
│            Common Configuration & Providers             │
│  • Secret Management (Encore Secrets)                   │
│  • Config Data (Steam, JWT, Lit Protocol)               │
│  • Utility Functions                                    │
├─────────────────────────────────────────────────────────┤
│                  External Integrations                  │
│  • Steam API (Player Profiles & Ban Info)               │
│  • EpicStore API                                        │
│  • Lit Protocol (PKP Minting & Management)              │
│  • Chronicle Yellowstone (EVM-compatible chain)         │
└─────────────────────────────────────────────────────────┘
```

| Component | Technology | Version |
|---|---|---|
| Backend | Encore.ts | Latest |
| Language | TypeScript | 5.9.3+ |
| Runtime | Node.js | >= 21.0.0 |
| Blockchain | Lit Protocol SDK | v7.4.0+ |
| Cryptography | ethers.js | v6.x |
| Signing | jose | v6.0.9+ |
| Frontend | EJS Templates | v3.1.10+ |
| OpenID | node-openid | v2.0.14+ |

MIT License - Copyright (c) 2025 Sergei Khrul. See the LICENSE file for details.