Stats
Actions
Tags
'%20stop-opacity%3D'0.16'%2F%3E%3Cstop%20offset%3D'1'%20stop-color%3D'rgb(200%2C90%2C60)'%20stop-opacity%3D'0.03'%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D'320'%20height%3D'200'%20fill%3D'url(%23g)'%2F%3E%3Ccircle%20cx%3D'250'%20cy%3D'56'%20r%3D'92'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.06'%2F%3E%3Ccircle%20cx%3D'64'%20cy%3D'172'%20r%3D'58'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.05'%2F%3E%3C%2Fsvg%3E)
From sigma-auth
This skill should be used when the user asks about "TokenPass", "install TokenPass", "run TokenPass server", "TokenPass desktop app", "TokenPass API", "personal identity server", "be your own OAuth provider", or needs help setting up, configuring, or integrating TokenPass Server or Desktop applications. Provides installation, configuration, and API integration guidance.
How this skill is triggered — by the user, by Claude, or both
Slash command
/sigma-auth:tokenpassThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
TokenPass is a personal identity server that enables Bitcoin-backed authentication. Run your own OAuth provider with cryptographic signing, encryption, and BAP (Bitcoin Attestation Protocol) identity management.
TokenPass is a personal identity server that enables Bitcoin-backed authentication. Run your own OAuth provider with cryptographic signing, encryption, and BAP (Bitcoin Attestation Protocol) identity management.
TokenPass consists of two components:
| Component | Description | Port |
|---|---|---|
| TokenPass Server | REST API for wallet management, signing, encryption | 21000 |
| TokenPass Desktop | Electron app with system tray, auto-start | - |
# Clone and install
git clone https://github.com/b-open-io/tokenpass-server
cd tokenpass-server
bun install
# Start the server
bun dev
Server runs at http://localhost:21000 with API prefix /api/.
Download from GitHub Releases:
| Platform | File |
|---|---|
| macOS (Apple Silicon) | TokenPass-X.X.X-arm64.dmg |
| macOS (Intel) | TokenPass-X.X.X-x64.dmg |
| Windows | TokenPass-X.X.X-setup.exe |
| Linux | TokenPass-X.X.X.AppImage |
The desktop app wraps the server with a system tray icon and auto-start capability.
TokenPass uses a two-step authentication model:
POST /api/registerPOST /api/login with passwordPOST /api/auth with host and scopesAuthorization header// 1. Register (first time only)
await fetch('http://localhost:21000/api/register', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
password: 'secure-password',
displayName: 'Alice'
})
});
// 2. Login (unlocks wallet)
await fetch('http://localhost:21000/api/login', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ password: 'secure-password' })
});
// 3. Get access token for a host
const { accessToken } = await fetch('http://localhost:21000/api/auth', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
password: 'secure-password',
host: 'example.com',
expire: '1h',
scopes: 'sign,encrypt'
})
}).then(r => r.json());
// 4. Sign a message
const signature = await fetch('http://localhost:21000/api/sign', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Authorization': accessToken // No "Bearer" prefix
},
body: JSON.stringify({ message: 'Hello World' })
}).then(r => r.json());
| Endpoint | Method | Auth | Description |
|---|---|---|---|
/api/register | POST | - | Create new wallet |
/api/login | POST | - | Unlock wallet |
/api/logout | POST | - | Lock wallet |
/api/status | GET | - | Check wallet status |
/api/export | POST | Password | Export seed/mnemonic |
| Endpoint | Method | Auth | Description |
|---|---|---|---|
/api/auth | POST | Password | Generate access token |
Token Expiry Options: once (10s), 1h, 1d, 1w, 1m, forever
Scopes: sign, encrypt, decrypt, read_profile, write_profile, read_state, write_state, fund, transfer
| Endpoint | Method | Auth | Description |
|---|---|---|---|
/api/sign | POST | Token | Sign message (BSM format) |
/api/encrypt | POST | Token | Encrypt with ECIES |
| Endpoint | Method | Auth | Description |
|---|---|---|---|
/api/profile | GET | - | Get BAP profile |
/api/profile | POST | - | Update BAP profile |
# CORS whitelist (comma-separated)
TOKENPASS_ORIGIN_WHITELIST=https://app1.com,https://app2.com
All data stored in ~/.tokenpass/:
| File | Description |
|---|---|
seed.db | Encrypted master seed (AES-256-CBC) |
keys.db | Derived Bitcoin keys per host |
state.db | Access tokens and per-host state |
The @sigma-auth/better-auth-plugin provides a full React client with automatic TokenPass detection:
import { createAuthClient } from "better-auth/client";
import { sigmaClient } from "@sigma-auth/better-auth-plugin/client";
export const authClient = createAuthClient({
baseURL: "https://auth.sigmaidentity.com",
plugins: [
sigmaClient({
preferLocal: true, // Auto-detect local TokenPass
localServerUrl: "http://localhost:21000",
onServerDetected: (url, isLocal) => {
console.log(`Using ${isLocal ? 'local' : 'cloud'} signer: ${url}`);
}
})
],
});
// Sign requests (uses TokenPass if available)
const authToken = await authClient.sigma.sign("/api/endpoint", { data: "value" });
// Encrypt/decrypt with Type42 key derivation
const encrypted = await authClient.sigma.encrypt("secret", friendBapId);
const decrypted = await authClient.sigma.decrypt(encrypted, friendBapId);
The client automatically:
localhost:21000For detailed API documentation and examples:
references/api-reference.md - Complete REST API documentationreferences/integration-examples.md - Code examples for common integrationsnpx claudepluginhub b-open-io/claude-plugins --plugin sigma-authProvides decision trees, JWT references, and patterns for authentication/authorization including OAuth2, sessions, RBAC, ABAC, passkeys, MFA. Use for secure login, tokens, access control.
Implements FIDO2/WebAuthn hardware security key authentication with registration, YubiKey enrollment, and passkey migration. Builds a relying party server using python-fido2.
Designs API authentication with prefixed keys (e.g., Stripe sk_live_), OAuth 2.0 flows, JWT tokens, Bearer auth, key rotation, and permission scoping.