How does it work?
When a user logs in to steemconnect, their private key is available within the interface to sign a transaction or a message, and is then discarded if the user closes the website, desktop app or Chrome extension. We never get access to users' private keys. The access_tokens on steemconnect are just steem signed messages encoded in base64u.
Code is here: https://github.com/bonustrack/steemconnect
When users log in to a website like busy.org using steemconnect, they are asked to authorize busy.org's steem account, @busy.app, to broadcast posting operations on their behalf. This is a feature of the steem protocol. If you go to https://beta.steemconnect.com/auths you can see which account(s) you have authorized and which authority you have given them. The steemconnect API holds the posting key of the steem account @steemconnect. When you vote on busy.org, an access_token is sent from busy.org to the steemconnect API; the API verifies that token and, if it is valid, broadcasts the vote transaction using the @steemconnect posting key. This is possible through double delegation of posting authority: for example, @bob authorizes the @busy.app account to do posting operations on @bob's behalf, and @busy.app authorizes @steemconnect to do posting operations on @busy.app's behalf.
Code is here: https://github.com/bonustrack/steemconnect-api
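The double delegation described above can be modelled to audit which posting keys are able to act for an account. This is an added example, not code from either steemconnect repository: the account data is constructed, the key strings are placeholders, the function names are hypothetical, and the depth limit of 2 is an assumption chosen to match the two hops the page describes.

```javascript
// Constructed sample data shaped like steem posting authority objects
// (weight_threshold, account_auths, key_auths). Key strings are placeholders.
const accounts = {
  bob: { weight_threshold: 1, account_auths: [['busy.app', 1]], key_auths: [['KEY_BOB_POSTING', 1]] },
  'busy.app': { weight_threshold: 1, account_auths: [['steemconnect', 1]], key_auths: [['KEY_BUSY_POSTING', 1]] },
  steemconnect: { weight_threshold: 1, account_auths: [], key_auths: [['KEY_SC_POSTING', 1]] },
  carol: { weight_threshold: 1, account_auths: [], key_auths: [['KEY_CAROL_POSTING', 1]] },
};

// True if the signing keys satisfy `name`'s posting authority, following
// account_auths at most `depth` levels deep (hypothetical helper).
function satisfies(name, signingKeys, depth, db = accounts, seen = new Set()) {
  const auth = db[name];
  if (!auth || seen.has(name)) return false; // unknown account or delegation cycle
  let weight = 0;
  for (const [key, w] of auth.key_auths) {
    if (signingKeys.has(key)) weight += w;
  }
  if (depth > 0) {
    const next = new Set(seen).add(name);
    for (const [delegate, w] of auth.account_auths) {
      if (satisfies(delegate, signingKeys, depth - 1, db, next)) weight += w;
    }
  }
  return weight >= auth.weight_threshold;
}

// Audit helper: accounts reachable from `name` through account_auths within
// `depth` hops, mapped to their hop count. Weights are ignored here, so this
// lists every account that can contribute to `name`'s posting authority.
function delegates(name, depth, db = accounts) {
  const found = new Map();
  const walk = (current, hops) => {
    if (hops >= depth || !db[current]) return;
    for (const [d] of db[current].account_auths) {
      if (d === name || (found.has(d) && found.get(d) <= hops + 1)) continue;
      found.set(d, hops + 1);
      walk(d, hops + 1);
    }
  };
  walk(name, 0);
  return found;
}

console.log(satisfies('bob', new Set(['KEY_SC_POSTING']), 2)); // two hops: bob -> busy.app -> steemconnect
console.log([...delegates('bob', 2)]);
```

Revoking @busy.app from @bob's posting authority removes both hops at once, since @steemconnect is only reachable through @busy.app in this data.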