Part 5: Authorized Access Model

Introduction

The Authorized Access Model is an enhanced integration model for platforms such as centralised crypto exchange (CEX) or payment applications.

The Authorized Access Model technically enables:

• Fiat24 end users can authorise (approve) the platforms to move their USD, EUR, CHF, RMB balances, directly from their wallet address

• Fiat24 end users can authorise (approve) the platforms to access their identity information

Part 1: UX Integration

Connect an Fiat24 account

The platform can either mint a new Fiat24 NFT and then run the verification, or link user's existing NFT.

Option 1: Mint a new account

The platform can mint a new NFT for its user and get verified. The instruction is the same as illustrated in Part 1.

Option 2: Link an existing account

If the end user of the platform has a verified Fiat24 account already, it's easy to link inside the platform.

The platform must store the Fiat24 NFT id together with its client profile, and should include UI components that allow users to connect their Fiat24 NFT id. This NFT id will then be sent to the Fiat24 Connect API to confirm the validity of the associated account. The following connect function is used to verify whether the account is ready to link.

Showing balances

The platform can retrieve the following information from Fiat24 and display it across different UI components.

Account Balances

• Showing the NFT id from platform's database

• Showing the Avatar from api.fiat24.com/avatar?nftId=[nftId]

• Showing the client profile and masked card info from API api.fiat24.com/br

• Showing the USD, EUR, CHF and CNH balance from ERC20 contracts

Transaction History

• Showing the transactions from a specific currency from api.fiat24.com/transaction

Account Info

• Showing the Swiss IBAN from API api.fiat24.com/br

Cash Deposit

Each cash (fiat) deposit from end-user's Fiat24 account to platform account is a P2P transfer. It's free and real-time.

// Transfer 256.00 USD from client #123456 to platform #80
usd24.transferFrom(123456, 80, 25600);

// Transfer 1000.00 EUR from client #123456 to platform #80
eur24.transferFrom(123456, 80, 100000);

// Transfer 155.20 CHF from client #123456 to platform #80
chf24.transferFrom(123456, 80, 15520);

// Transfer 5000.00 RMB from client #123456 to platform #80
cnh24.transferFrom(123456, 80, 500000);

Cash Withdrawal

Each cash (fiat) withdrawal from platform account to end-user's account is a P2P transfer. It's free and real-time.

// Transfer 500.50 USD to client #123456
usd24.transferByAccountId(123456, 50050);

// Transfer 999.88 EUR to client #123456
eur24.transferByAccountId(123456, 99988)

// Transfer 125.60 CHF to client #123456
chf24.transferByAccountId(123456, 12560)

// Transfer 2500.15 RMB to client #123456
cnh24.transferByAccountId(123456, 250015)

Part 2: API Integration

Authentication & Access

In the section RESTful APIs, we illustrated two important APIs to access the client profile: /br and /transaction, which requires signature signed by address holding the client NFT.

In this section, we introduce the approach that the platform can call those two APIs from the address holding the platform NFT, as long as the client has authorised the identity to the platform.

Fiat24 does NOT use any standard protocol for authentication and authorization. All requests need to have a header with signed information by the NFT holder, which guarantees only the end-user can access his/her data.

const headers = {
    tokenid: <token id of user>,
    network: 42161,
    sign: <user's wallet signature>,
    hash: <original text that was hashed>,
    deadline: <deadline used for signing>,
    "Content-Type": "application/json"
}

where:

// We only allow the signature to be valid for 20 minutes max.
// Can be less than that if want more security.
const SIGNATURE_DEADLINE_IN_SECONDS = 1200;

// Alternative to Date.now()
// sometimes the device clock is out of sync and can give the wrong timestamp
const serverTimestamp = await fetch("https://api.fiat24.com/timestamp");
const now = serverTimestamp.timestamp;

const deadline = Math.round(now/1000) + SIGNATURE_DEADLINE_IN_SECONDS;

const hash = "Hello world"; // Could be any text
const deadlineHash = web3.utils.sha3(hash + deadline);
const messageToSign = `I agree to access my profile. ${deadlineHash}`;

// web3.js
const sign = await web3.eth.personal.sign(messageToSign, address)

// ethers
const sign = await signer.signMessage({ message: messageToSign }); 


return { hash, deadline, sign };

where:

• address is the address of the platform's wallet.

• signer.signMessage is the signatures of the platform's wallet sign.

• Please note that in some programming languages SHA3 function might act a bit different than the web3.utils.sha3(). The SHA3 of a simple text such as SHA3("Fiat24"), should give as a response 0x1cf688cdaa53bf4605bfbb1ab56565651179978e63d41cf2df557d5bb5f1bd90.

1. Connect

The platform can verify whether the client exists from following user information:

• NFT id

• Last name and first name

• Date of birth

This data, along with the provided User id (or UID) of the platform, will be sent to the Connect API to verify the user's Fiat24 account.

POST api.fiat24.com/verify

{
    "nftId"     : 123456,
    "uid"       : 80526632,
    "firstName" : "James",
    "lastName"  : "Bond",
    "birthday"  : "1975-02-25"
}

The response will have 200 or 401 response code.

2. Get Client Profile

The platform can retrieve client profile when the client NFT has been authorised to it. The calling method is the same as Part 2.

3. Get Transactions

The platform can retrieve client transaction details when the client NFT has been authorised to it. The calling method is the same as Part 2.