This guide will show you how you can control how user interact with your app.
The Lens API allows builders to have finer control over how users interact with their app. Specifically, builders can:
Control who can log in to the app
Revoke user credentials at any time
Decide if the app should sponsor user activities (coming soon)
Approve each operation with a cryptographic signature
Overview
The Lens Authentication flow is at the heart of this mechanism. It allows you to control who can acquire credentials for the Lens API as user of your Lens App, serving as the starting point to manage user activity sponsorship and operation approval.
Below is a high-level overview of the Lens Authentication Flow:
During the initial authentication, the Lens API makes a server-to-server call to a custom Authorization Endpoint that you define. This call containing information about the user’s Lens Account and the address that is signing the request. Based on this information, the endpoint determines whether the user is allowed acquire credentials for the Lens API as a user of your Lens App.
The endpoint response can also control:
Whether to sponsor the user's activities (more details coming soon)
The configuration of the operation approval mechanism
Optionally, for each social operation (e.g., post, comment, follow), the Lens API makes a server-to-server call to a custom Verification Endpoint that you define and configure in the previous step.
This call includes details about the operation and the user’s Lens Account. The endpoint evaluates this information and determines whether to approve the operation by returning a cryptographic signature.
If you have experience with the Lens V2 publication metadata signatures you will find that this feature achieve the same goal with the benefit of being verified on-chain.
Authentication Flow
In order to control how users interact with your app, you need to implement the following steps:
Implement an Authorization Endpoint
Configure the App with the Authorization Endpoint
1
The Authorization Endpoint must be a publicly accessible HTTPS URL accepting POST requests with a JSON body. The Lens API allows a maximum of 500ms for a response; delays beyond this will deny the user’s authentication request.
To ensure reliability, prioritize lightweight checks and avoid heavy operations. For complex validations, asynchronously populate a cache with necessary data (e.g., via a separate job) to meet timing requirements. If using serverless infrastructure, mitigate cold starts to ensure prompt responses.
Request
The Lens API will send a POST request to the Authorization Endpoint according to the following format:
POST /path/to/endpoint HTTP/1.1Host: myserver.comContent-Type: application/json{ "account": "0x4F10f685B6BF165e86f41CDf4a906B17F295C235", "signedBy": "0x00004747f7a56EE7Af7237220c960a7D06232626"}| Body Parameter | Description | |
|---|---|---|
| account | The Lens Account that wants to log-in to the Lens API for your Lens App. | |
| signedBy | The Lens Account owner or an Account Manager for it. |
Response
The Authorization Endpoint must respond with a JSON object according to the following format:
Any non-200 response or invalid response will end up in denying the user access to the Lens API for your Lens App.
- Allowed
- Not Allowed
The user is allowed to log in to the Lens API as a user of your Lens App.
HTTP/1.1 200 OKContent-Type: application/json{ "allowed": true, "sponsored": true}| Response Property | Description | |
|---|---|---|
| allowed | true - allowed | |
| sponsored | Boolean indication whether the account activities should be sponsored by the App Sponsorship. More details on this coming soon. | |
| appVerificationEndpoint | Optional, app's Verification Endpoint URL. If provided, the Lens API will call this endpoint for each operation to determine if it should be approved. |
You can include any secret or forward user's specific information (e.g., Lens Account, signer address) as part of the appVerificationEndpoint URL. The Lens API will not expose this information to the user.
Once you have your Authorization Endpoint ready, you can configure it for your Lens App.
You MUST be authenticated as Builder and be either the owner or an admin of the App you intend to configure.
- TypeScript
- GraphQL
- React
Use the addAppAuthorizationEndpoint action to configure the Authorization Endpoint for your Lens App.
Add Authorization Endpoint
import { evmAddress, uri } from "@lens-protocol/client";import { addAppAuthorizationEndpoint } from "@lens-protocol/client/actions";
const result = await addAppAuthorizationEndpoint(sessionClient, { endpoint: uri("https://myserver.com/path/to/endpoint"), app: evmAddress("0xa0182D914845ec1C3EF61a23C50D56370E23d94e"),});
if (result.isErr()) { return console.error(result.error);}You can include any secret or API key in the Authorization Endpoint URL. The Lens API will not expose this information to the user.
You can revert this configuration at any time.
- TypeScript
- GraphQL
- React
Use the removeAppAuthorizationEndpoint action to remove the Authorization Endpoint configuration for your Lens App.
Remove Authorization Endpoint
import { evmAddress } from "@lens-protocol/client";import { removeAppAuthorizationEndpoint } from "@lens-protocol/client/actions";
const result = await removeAppAuthorizationEndpoint(sessionClient, { app: evmAddress("0xa0182D914845ec1C3EF61a23C50D56370E23d94e"),});
if (result.isErr()) { return console.error(result.error);}Operations Approval
The Operations Approval mechanism allows you to control which operations are allowed for a given Lens Account. This mechanism is used to approve social operations such as posting, commenting, following, etc.
First, create a Verification Endpoint to handle the Operations Approval mechanism.
The Verification Endpoint must be a publicly accessible HTTPS URL that accepts POST requests with a JSON payload and responds within 500ms; delays will cause the request to be treated as invalid. Like the Authorization Endpoint, optimize its performance by using caching or pre-computed data where necessary and ensure reliable hosting to avoid downtime or delays.
Request
The Lens API will send a POST request to the Verification Endpoint according to the following format:
POST /path/to/endpoint HTTP/1.1Host: myserver.comContent-Type: application/json{ "nonce": "42", "deadline": "1630000000", "operation": "Post", "account": "0x4F10f685B6BF165e86f41CDf4a906B17F295C235"}| Body Parameter | Description | |
|---|---|---|
| nonce | A unique identifier for the operation. | |
| deadline | A Unix timestamp in seconds indicating when the operation will expire. | |
| operation | An enum value indicating the operation type. | |
| account | The Lens Account performing the operation. |
Possible values for the operation field are:
enum Operation { Post Repost EditPost DeletePost Follow Unfollow CreateAccount CreateUsername CreateAndAssignUsername AssignUsername UnassignUsername SetAccountMetadata JoinGroup LeaveGroup}Response
The Verification Endpoint must respond with a JSON object according to the following format:
Any non-200 response or invalid response will end up in denying the user to perform the operation.
- Allowed
- Not Allowed
The user is allowed to perform the operation.
HTTP/1.1 200 OKContent-Type: application/json{ "allowed": true, "signature": "0x2b8a91ad7b6db0c29a09d592e8f16287b82a40a6d245cb3e1f174b02d0fb08a2"}| Response Property | Description | |
|---|---|---|
| allowed | true - allowed | |
| signature | The cryptographic signature used to authorize the operation on-chain. |
Then, implement the signing logic within your Verification Endpoint to handle operation approvals.
The Verification Endpoint must return an EIP-712 signature as cryptographic proof that the app has approved the operation. The example below demonstrates how to generate this signature using viem and TypeScript.
Then, add the approver address to the list of App Signers associated with your Lens App.
You MUST be authenticated as Builder and be either the owner or an admin of the App you intend to configure.
- TypeScript
- GraphQL
- React
Use the addAppSigners action to add the approver addresses to the list of App Signers associated with your Lens App.
example.ts
import { evmAddress } from "@lens-protocol/client";import { addAppSigners } from "@lens-protocol/client/action";
const result = await addAppSigners(sessionClient, { app: evmAddress("0x75bb5fBdb559Fb2A8e078EC2ee74aad791e37DCc"), signers: [evmAddress("0xe2f2a5C287993345a840db3B0845fbc70f5935a5")],});And, handle the result using the adapter for the library of your choice:
See the Transaction Lifecycle guide for more information on how to determine the status of the transaction.
Finally, enable the App Verification for your Lens App.
You MUST be authenticated as Builder and be either the owner or an admin of the App you intend to configure.
- TypeScript
- GraphQL
- React
Use the setAppVerification action to enable the App Verification for your Lens App.
example.ts
import { evmAddress } from "@lens-protocol/client";import { addAppSigners } from "@lens-protocol/client/action";
const result = await setAppVerification(sessionClient, { app: evmAddress("0x75bb5fBdb559Fb2A8e078EC2ee74aad791e37DCc"), enabled: true,});And, handle the result using the adapter for the library of your choice:
See the Transaction Lifecycle guide for more information on how to determine the status of the transaction.
That's it—only legit operations signed by your Verification Endpoint will succeed.
Revoke Credentials
The Lens Authentication flow allows you to implement a credentials revocation mechanism. This is useful when you want to invalidate a user's session or revoke access to the Lens API for interactions involving your app.
To revoke a user's credentials, you should include the relevant Account address in a denylist that is accessible to your Authorization Endpoint. On the subsequent request to refresh the credentials you can then deny access to the Lens API.