Implementing Sign-In with Ethereum (SIWE) on Website
Sign-In with Ethereum (EIP-4361) is an Ethereum authorization standard. Like "Sign in with Google," but instead of OAuth — signature of a structured message with private key. The standard describes the exact format of the message user signs.
SIWE Message Format
example.com wants you to sign in with your Ethereum account:
0x742d35Cc6634C0532925a3b844Bc454e4438f44e
Sign in to Example App
URI: https://example.com
Version: 1
Chain ID: 1
Nonce: oBbLoEldZs
Issued At: 2026-03-28T10:00:00.000Z
Expiration Time: 2026-03-28T10:15:00.000Z
Standard prevents phishing attacks: signed URI must match the website domain.
Installation
npm install siwe ethers
Frontend — React
import { SiweMessage } from 'siwe';
import { ethers } from 'ethers';
async function signInWithEthereum() {
const provider = new ethers.BrowserProvider(window.ethereum);
await provider.send('eth_requestAccounts', []);
const signer = await provider.getSigner();
const address = await signer.getAddress();
const chainId = (await provider.getNetwork()).chainId;
// Get nonce from server
const nonce = await fetch('/api/siwe/nonce').then(r => r.text());
// Create SIWE message per EIP-4361 standard
const message = new SiweMessage({
domain: window.location.host, // required — your domain
address,
statement: 'Sign in to Example App',
uri: window.location.origin,
version: '1',
chainId: Number(chainId),
nonce,
issuedAt: new Date().toISOString(),
expirationTime: new Date(Date.now() + 15 * 60 * 1000).toISOString() // 15 min
});
const signature = await signer.signMessage(message.prepareMessage());
const response = await fetch('/api/siwe/verify', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ message: message.prepareMessage(), signature })
});
const { token } = await response.json();
return token;
}
Backend — Verification
import { SiweMessage } from 'siwe';
// GET /api/siwe/nonce
app.get('/api/siwe/nonce', (req, res) => {
const nonce = generateNonce(); // from siwe package
req.session.nonce = nonce;
res.send(nonce);
});
// POST /api/siwe/verify
app.post('/api/siwe/verify', async (req, res) => {
const { message, signature } = req.body;
try {
const siweMessage = new SiweMessage(message);
const { data: fields } = await siweMessage.verify({
signature,
nonce: req.session.nonce,
domain: 'example.com', // domain check — phishing protection
time: new Date().toISOString()
});
// Nonce is one-time — delete after use
req.session.nonce = null;
// Create session
const user = await userRepo.findOrCreateByAddress(fields.address.toLowerCase());
const token = jwt.sign(
{ sub: user.id, address: fields.address, chainId: fields.chainId },
process.env.JWT_SECRET,
{ expiresIn: '7d' }
);
res.json({ token, address: fields.address });
} catch (error) {
if (error.type === SiweErrorType.EXPIRED_MESSAGE) {
return res.status(401).json({ error: 'Message expired, please try again' });
}
if (error.type === SiweErrorType.INVALID_SIGNATURE) {
return res.status(401).json({ error: 'Invalid signature' });
}
if (error.type === SiweErrorType.DOMAIN_MISMATCH) {
return res.status(401).json({ error: 'Domain mismatch' });
}
res.status(500).json({ error: 'Verification failed' });
}
});
Integration with next-auth
// pages/api/auth/[...nextauth].ts
import { SiweMessage } from 'siwe';
import NextAuth from 'next-auth';
import CredentialsProvider from 'next-auth/providers/credentials';
export default NextAuth({
providers: [
CredentialsProvider({
name: 'Ethereum',
credentials: {
message: { label: 'Message', type: 'text' },
signature: { label: 'Signature', type: 'text' }
},
async authorize(credentials) {
const siwe = new SiweMessage(credentials.message);
const result = await siwe.verify({
signature: credentials.signature,
domain: process.env.NEXTAUTH_URL
});
if (result.success) {
return { id: result.data.address };
}
return null;
}
})
],
session: { strategy: 'jwt' }
});
Timeline
SIWE with nonce, verification, and JWT — 2–4 days.