Admin Authentication
Admin access uses a 3-layer security system:
- Wallet allowlist: only specific wallet addresses are permitted. The list is configured in the server environment, not in the database.
- Signed challenge: after connecting an allowed wallet, the admin must sign a cryptographic challenge message with their wallet's private key. This proves ownership of the wallet without revealing the private key.
- Server session: after signing, a session cookie valid for 8 hours is issued. Every admin page and every admin action verifies the session server-side before executing.
Admin sessions expire after 8 hours. After expiry, the admin must re-authenticate. A live countdown in the admin sidebar shows remaining session time.
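The three layers above can be sketched as follows. This is an added example, not the project's own code: the function names, the `ADMIN_WALLETS` variable, the 5-minute challenge lifetime, the HMAC-signed token format, and the use of an Ed25519 public key as the wallet address are all assumptions made so the flow runs offline.

```javascript
// Added example, not the project's code. Assumption: a wallet address is the
// base64url Ed25519 public key (JWK "x"); real wallets use their chain's scheme.
const nodeCrypto = require('node:crypto');

const SESSION_TTL_MS = 8 * 60 * 60 * 1000;      // 8-hour session, as stated on the page
const CHALLENGE_TTL_MS = 5 * 60 * 1000;         // assumed challenge lifetime
const SESSION_KEY = nodeCrypto.randomBytes(32); // server-only key that signs session tokens
const pending = new Map();                      // wallet -> { message, expires }

// Layer 1: the allowlist is read from the environment (pass process.env), not a database.
function allowlist(env) {
  return new Set((env.ADMIN_WALLETS || '').split(',').map((s) => s.trim()).filter(Boolean));
}

// Layer 2a: only allowlisted wallets receive a fresh, random, single-use challenge.
function issueChallenge(env, wallet, now) {
  if (!allowlist(env).has(wallet)) return null;
  const message = `admin-login:${wallet}:${nodeCrypto.randomBytes(16).toString('hex')}`;
  pending.set(wallet, { message, expires: now + CHALLENGE_TTL_MS });
  return message;
}

function mac(body) {
  return nodeCrypto.createHmac('sha256', SESSION_KEY).update(body).digest('base64url');
}

// Layer 2b and 3: verify the signature against the key derived from the wallet
// address, burn the challenge, then mint a session token that expires in 8 hours.
function login(env, wallet, signature, now) {
  const ch = pending.get(wallet);
  pending.delete(wallet); // single use, even when verification fails
  if (!ch || now > ch.expires || !allowlist(env).has(wallet)) return null;
  const key = nodeCrypto.createPublicKey({ key: { kty: 'OKP', crv: 'Ed25519', x: wallet }, format: 'jwk' });
  if (!nodeCrypto.verify(null, Buffer.from(ch.message), key, signature)) return null;
  const body = Buffer.from(JSON.stringify({ wallet, exp: now + SESSION_TTL_MS })).toString('base64url');
  return `${body}.${mac(body)}`;
}

// Run server-side before every admin page and action; returns the wallet or null.
function verifySession(env, token, now) {
  const [body, tag] = String(token).split('.');
  if (!body || !tag) return null;
  const a = Buffer.from(tag), b = Buffer.from(mac(body));
  if (a.length !== b.length || !nodeCrypto.timingSafeEqual(a, b)) return null;
  const { wallet, exp } = JSON.parse(Buffer.from(body, 'base64url').toString());
  return now < exp && allowlist(env).has(wallet) ? wallet : null;
}
```

Because `verifySession` re-reads the allowlist on every call, removing a wallet from the environment invalidates its open sessions without waiting for the 8-hour expiry.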
Every admin action — approvals, rejections, gate overrides, reward dispatches — is permanently recorded in the audit log with the admin wallet address, timestamp, action type, and a before/after snapshot of the changed data.