DEV Community

Cover image for πŸ›‘οΈ Day 19 of #30DaysOfSolidity β€” Signature-Based Web3 Authentication for Private Events
Saurav Kumar
Saurav Kumar

Posted on

πŸ›‘οΈ Day 19 of #30DaysOfSolidity β€” Signature-Based Web3 Authentication for Private Events

#solidity #smartcontract #ethereum #web3

🎯 Introduction

Welcome to Day 19 of #30DaysOfSolidity!

In this tutorial, we’ll build a signature-based Web3 authentication system β€” a gas-efficient, secure, and scalable solution for private Ethereum events, token-gated workshops, and VIP meetups.

Instead of maintaining an on-chain whitelist, the organizer signs invitations off-chain, and attendees verify their entry on-chain using smart contract verification. This approach mirrors real-world event workflows: off-chain approval, on-chain authentication.

By the end of this guide, you’ll understand how to implement Web3 authentication with Solidity and Foundry, minimizing gas costs while maintaining full security.

βš™οΈ Tech Stack

Layer Technology
Smart Contract Solidity (^0.8.20)
Testing & Deployment Foundry
Off-chain Signer Node.js + Ethers.js
Frontend Demo React + Ethers.js
Network Ethereum / EVM-compatible

Absolutely! We can add a file structure section to the blog to make it more developer-friendly and professional. Here’s the updated section for your Dev.to blog with proper structure placement:

πŸ“ Project File Structure

Here’s the recommended file structure for the Signature-Based Web3 Authentication project:

signature-gate/ β”‚ β”œβ”€ contracts/ β”‚ └─ SignatureGate.sol # Smart contract for signature-based entry β”‚ β”œβ”€ scripts/ β”‚ └─ signer.js # Node.js script for organizer to sign invites β”‚ β”œβ”€ frontend/ β”‚ β”œβ”€ src/ β”‚ β”‚ β”œβ”€ components/ β”‚ β”‚ β”‚ └─ ClaimEntry.jsx # React component to claim entry β”‚ β”‚ β”œβ”€ SignatureGateABI.json # ABI generated from contract β”‚ β”‚ └─ App.jsx # Main React app β”‚ └─ package.json # Frontend dependencies β”‚ β”œβ”€ test/ β”‚ └─ SignatureGate.t.sol # Foundry test file for contract β”‚ β”œβ”€ foundry.toml # Foundry configuration └─ README.md # Project README
Enter fullscreen mode Exit fullscreen mode

πŸ”Ή Explanation

  • contracts/ β€” Contains Solidity smart contracts; SignatureGate.sol implements the verification logic.
  • scripts/ β€” Off-chain scripts for signing messages (signer.js).
  • frontend/ β€” React app demonstrating on-chain claim functionality with Ethers.js.
  • test/ β€” Foundry tests for signature validation, replay protection, and expiry checks.
  • foundry.toml β€” Configuration for Foundry deployments and testing.
  • README.md β€” Project documentation.

πŸ’‘ Core Concept: Signature-Based Web3 Authentication

Traditional token-gated events require storing on-chain whitelists. This is costly and cumbersome.

With signature-based entry, we only store the used signatures on-chain. Here’s how it works:

  1. Organizer signs an invite off-chain including:
  • Attendee address
  • Event ID
  • Expiry timestamp
  • Unique nonce

  1. Attendee receives the signed message (via email, QR, or backend API).

  2. Attendee submits the signature on-chain by calling claim().

  3. Contract verifies the signature using ecrecover:

  • Confirms the signer is the organizer
  • Checks for expiration
  • Ensures the signature hasn’t been reused

βœ… If valid, the attendee is granted entry, and the contract emits an EntryGranted event.

🧩 Smart Contract β€” SignatureGate.sol 

// SPDX-License-Identifier: MIT pragma solidity ^0.8.20; contract SignatureGate { address public organizer; mapping(bytes32 => bool) public used; event EntryGranted(address indexed attendee, uint256 indexed eventId, uint256 nonce); event OrganizerChanged(address oldOrganizer, address newOrganizer); error InvalidSignature(); error SignatureExpired(); error SignatureAlreadyUsed(); error NotOrganizer(); constructor(address _organizer) { require(_organizer != address(0), "organizer zero"); organizer = _organizer; } function setOrganizer(address _new) external { if (msg.sender != organizer) revert NotOrganizer(); emit OrganizerChanged(organizer, _new); organizer = _new; } function claim( uint256 eventId, uint256 expiry, uint256 nonce, bytes calldata sig ) external { if (expiry != 0 && block.timestamp > expiry) revert SignatureExpired(); bytes32 digest = _hashForSigning(msg.sender, eventId, expiry, nonce); if (used[digest]) revert SignatureAlreadyUsed(); address signer = _recover(digest, sig); if (signer != organizer) revert InvalidSignature(); used[digest] = true; emit EntryGranted(msg.sender, eventId, nonce); } function hashForSigning( address attendee, uint256 eventId, uint256 expiry, uint256 nonce ) external pure returns (bytes32) { return _hashForSigning(attendee, eventId, expiry, nonce); } function _hashForSigning( address attendee, uint256 eventId, uint256 expiry, uint256 nonce ) internal pure returns (bytes32) { bytes32 raw = keccak256(abi.encodePacked("\x19Event Entry:\n", attendee, eventId, expiry, nonce)); return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", raw)); } function _recover(bytes32 digest, bytes memory sig) internal pure returns (address) { if (sig.length != 65) return address(0); bytes32 r; bytes32 s; uint8 v; assembly { r := mload(add(sig, 0x20)) s := mload(add(sig, 0x40)) v := byte(0, mload(add(sig, 0x60))) } if (v < 27) v += 27; return ecrecover(digest, v, r, s); } }
Enter fullscreen mode Exit fullscreen mode

πŸ”‘ How It Works

  • organizer is the signer.
  • claim() verifies the signature, expiry, and nonce.
  • used[digest] prevents replay attacks.
  • EntryGranted confirms successful verification.

πŸ§ͺ Off-Chain Signing β€” Node.js Script

The organizer generates signatures for attendees:

import { ethers } from "ethers"; // node signer.js <PK> <ATTENDEE> <EVENT_ID> <EXPIRY> <NONCE> async function main() { const [pk, attendee, eventId, expiry, nonce] = process.argv.slice(2); const wallet = new ethers.Wallet(pk); const abiPacked = ethers.utils.solidityPack( ["string", "address", "uint256", "uint256", "uint256"], ["\x19Event Entry:\n", attendee, eventId, expiry, nonce] ); const raw = ethers.utils.keccak256(abiPacked); const signature = await wallet.signMessage(ethers.utils.arrayify(raw)); console.log("Signature:", signature); } main();
Enter fullscreen mode Exit fullscreen mode

πŸ’» Frontend Demo β€” React + Ethers.js 

import React, { useState } from "react"; import { ethers } from "ethers"; import SignatureGateABI from "./SignatureGateABI.json"; export default function ClaimEntry({ contractAddress }) { const [eventId, setEventId] = useState(""); const [expiry, setExpiry] = useState(""); const [nonce, setNonce] = useState(""); const [sig, setSig] = useState(""); const [status, setStatus] = useState(""); async function claimEntry() { const provider = new ethers.providers.Web3Provider(window.ethereum); const signer = provider.getSigner(); const contract = new ethers.Contract(contractAddress, SignatureGateABI, signer); try { const tx = await contract.claim(eventId, expiry, nonce, sig); setStatus("Transaction sent: " + tx.hash); await tx.wait(); setStatus("βœ… Entry confirmed!"); } catch (err) { setStatus("❌ Error: " + err.message); } } return ( <div> <h3>Claim Event Entry</h3> <input placeholder="Event ID" onChange={(e) => setEventId(e.target.value)} /> <input placeholder="Expiry (Unix)" onChange={(e) => setExpiry(e.target.value)} /> <input placeholder="Nonce" onChange={(e) => setNonce(e.target.value)} /> <input placeholder="Signature" onChange={(e) => setSig(e.target.value)} /> <button onClick={claimEntry}>Submit</button> <p>{status}</p> </div> ); }
Enter fullscreen mode Exit fullscreen mode

πŸ”’ Security Considerations

Concern Mitigation
Replay attacks Nonce + signature hash stored
Expired invites Expiry timestamp
Key compromise setOrganizer() allows rotation
Gas costs Only store successful claim hashes
Privacy Off-chain approvals, no public whitelist

Pro tip: For production, use EIP-712 typed signatures for wallet-friendly structured signing.

πŸš€ Deployment Guide

  1. Deploy contract: 
forge create src/SignatureGate.sol:SignatureGate --constructor-args <organizer_address>
Enter fullscreen mode Exit fullscreen mode
  1. Sign invites with the Node.js script.
  2. Guests submit signatures via the React frontend.
  3. The contract verifies and emits entry confirmation events.

🌐 Use Cases

  • Token-gated events & workshops
  • DAO community meetups
  • NFT VIP access
  • KYC-free gated dApps
  • Decentralized conference check-ins

🏁 Summary

This signature-based Web3 authentication system is gas-efficient, secure, and real-world ready.
It provides off-chain invitation flexibility with on-chain verification, making it perfect for private Ethereum events.

β€œEfficient, secure, and decentralized β€” the future of Web3 event access control.”

Top comments (0)