Generate a fresh Ed25519 JWT per request to freighter-backend-v2 in @shared/api. Sign with the auth private key.
Claims per the design doc:
- sub = hex auth pubkey (= user ID)
- iss = "freighter-extension"
- iat = now
- exp = iat + 15s
- bodyHash = SHA256 of raw request body (empty-byte hash e3b0c442... for GET)
- methodAndPath = e.g., "PUT /api/v1/contacts"
See Cross-Platform Contact Sync design doc — Auth Flow + JWT claims table.
Depends on: #2769 (auth keypair derivation), and freighter-backend-v2#88 (JWT middleware) for the end-to-end round-trip test.
Acceptance:
- Authenticated round-trip works end-to-end against freighter-backend-v2 (200 on valid request, 401 on tampered body / wrong key / expired token).
- On 401: regenerate JWT and retry once before surfacing the error.
- JWT is generated fresh per request, not cached.
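
The claim set and the 200/401 acceptance cases above, as an added example that is not Freighter's code: it uses Node's built-in crypto in place of whatever signing library @shared/api adopts, and `buildRequestJwt` / `checkRequestJwt` are hypothetical names, the latter a stand-in for the backend middleware. The `EdDSA` header value and the strict `iat`/`exp` comparison are assumptions, and the retry-once-on-401 behaviour is not covered.

```javascript
// Added example: Node's built-in crypto stands in for the extension's signing library.
const { createHash, createPublicKey, generateKeyPairSync, sign, verify } = require("node:crypto");

const b64u = (v) => Buffer.from(v).toString("base64url");
const sha256Hex = (body) => createHash("sha256").update(body).digest("hex");

// Hypothetical helper: mint one token for exactly one request. Call per request, never cache.
function buildRequestJwt(keys, method, path, body = Buffer.alloc(0), nowSec = Math.floor(Date.now() / 1000)) {
  const rawPub = Buffer.from(keys.publicKey.export({ format: "jwk" }).x, "base64url");
  const claims = {
    sub: rawPub.toString("hex"), // hex auth pubkey (= user ID)
    iss: "freighter-extension",
    iat: nowSec,
    exp: nowSec + 15,
    bodyHash: sha256Hex(body), // empty body for GET hashes the empty byte string
    methodAndPath: `${method} ${path}`,
  };
  const signingInput = `${b64u(JSON.stringify({ alg: "EdDSA", typ: "JWT" }))}.${b64u(JSON.stringify(claims))}`;
  return `${signingInput}.${b64u(sign(null, Buffer.from(signingInput), keys.privateKey))}`;
}

// Hypothetical stand-in for the backend middleware: returns 200 or 401.
function checkRequestJwt(token, method, path, body, nowSec) {
  try {
    const [h, p, s] = token.split(".");
    const header = JSON.parse(Buffer.from(h, "base64url").toString());
    const c = JSON.parse(Buffer.from(p, "base64url").toString());
    if (header.alg !== "EdDSA") return 401; // pin the algorithm, never trust the header
    const pub = createPublicKey({
      key: { kty: "OKP", crv: "Ed25519", x: b64u(Buffer.from(c.sub, "hex")) },
      format: "jwk",
    });
    const ok =
      verify(null, Buffer.from(`${h}.${p}`), pub, Buffer.from(s, "base64url")) &&
      c.iss === "freighter-extension" &&
      c.iat <= nowSec && nowSec < c.exp &&
      c.bodyHash === sha256Hex(body) && // binds the token to these exact bytes
      c.methodAndPath === `${method} ${path}`; // blocks replay against another route
    return ok ? 200 : 401;
  } catch {
    return 401; // malformed token or unusable key material
  }
}

// Constructed sample: throwaway keypair, not the derived auth key from #2769.
const demoKeys = generateKeyPairSync("ed25519");
const demoToken = buildRequestJwt(demoKeys, "PUT", "/api/v1/contacts", Buffer.from('{"name":"a"}'));
console.log(checkRequestJwt(demoToken, "PUT", "/api/v1/contacts", Buffer.from('{"name":"b"}'), Math.floor(Date.now() / 1000)));
```

Because `bodyHash` and `methodAndPath` are inside the signed payload, a token captured in transit is only good for the same bytes on the same route within its 15-second window.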