Authorization Workflows

This guide will show you how you can control how user interact with your app.

The Lens API allows builders to have finer control over how users interact with their app. Specifically, builders can:

Control who can log in to the app
Revoke user credentials at any time
Decide if the app should sponsor user activities
Approve each operation with a cryptographic signature

Overview

The Lens Authentication flow is at the heart of this mechanism. It allows you to control who can acquire credentials for the Lens API as user of your Lens App, serving as the starting point to manage user activity sponsorship and operation approval.

Below is a high-level overview of the Lens Authentication flow working with the Operation Approval mechanism:

Initial Authentication

During the initial authentication, the Lens API makes a server-to-server call to a custom Authorization Endpoint that you define. This call containing information about the user’s Lens Account and the address that is signing the request. Based on this information, the endpoint determines whether the user is allowed acquire credentials for the Lens API as a user of your Lens App.

The endpoint response can also control:

Whether to sponsor the user's activities
The configuration of the operation approval mechanism

Operations Approval

Optionally, for each social operation (e.g., post, comment, follow), the Lens API makes a server-to-server call to a custom Verification Endpoint that you define and configure in the previous step.

This call includes details about the operation and the user’s Lens Account. The endpoint evaluates this information and determines whether to approve the operation by returning a cryptographic signature.

If you have experience with the Lens V2 publication metadata signatures you will find that this feature achieve the same goal with the benefit of being verified on-chain.

Credentials Refresh

When the user's credentials are about to expire and the client requests a refresh, the Lens API makes a server-to-server call to the Authorization Endpoint to determine if the user is still allowed to act as a user of your Lens App.

To help you get started, we have provided an example implementation using Express.js.

Authentication Flow

In order to control how users interact with your app, you need to implement the following steps:

Implement an Authorization Endpoint
Configure the App with the Authorization Endpoint

Authorization Endpoint

The Authorization Endpoint must be a publicly accessible HTTPS URL accepting POST requests with a JSON body. The Lens API allows a maximum of 500ms for a response; delays beyond this will deny the user’s authentication request.

To ensure reliability, prioritize lightweight checks and avoid heavy operations. For complex validations, asynchronously populate a cache with necessary data (e.g., via a separate job) to meet timing requirements. If using serverless infrastructure, mitigate cold starts to ensure prompt responses.

Request

The Lens API will send a POST request to the Authorization Endpoint according to the following format:

POST /path/to/endpoint HTTP/1.1Host: myserver.comContent-Type: application/json{  "account": "0x4F10f685B6BF165e86f41CDf4a906B17F295C235",  "signedBy": "0x00004747f7a56EE7Af7237220c960a7D06232626"}

Body Parameter	Description
account	The Lens Account that wants to log-in to the Lens API for your Lens App.
signedBy	The Lens Account owner or an Account Manager for it.

Response

The Authorization Endpoint must respond with a JSON object according to the following format:

Any non-200 response or invalid response will end up in denying the user access to the Lens API for your Lens App.

Allowed
Not Allowed

The user is allowed to log in to the Lens API as a user of your Lens App.

HTTP/1.1 200 OKContent-Type: application/json{  "allowed": true,  "sponsored": true}

Response Property	Description
allowed	true - allowed
sponsored	Boolean indication whether the Lens API can use the App Sponsorship to cover transaction fees for this Account-Signer pair.
appVerificationEndpoint	Optional, app's Verification Endpoint URL. If provided, the Lens API will call this endpoint for each operation to determine if it should be approved.

You can include any secret or forward user's specific information (e.g., Lens Account, signer address) as part of the appVerificationEndpoint URL. The Lens API will not expose this information to the user.

Configure App

Once you have your Authorization Endpoint ready, you can configure it for your Lens App.

You MUST be authenticated as Builder and be either the owner or an admin of the App you intend to configure.

TypeScript
GraphQL

Use the addAppAuthorizationEndpoint action to configure the Authorization Endpoint for your Lens App.

Add Authorization Endpointimport { evmAddress, uri } from "@lens-protocol/client";import { addAppAuthorizationEndpoint } from "@lens-protocol/client/actions";
const result = await addAppAuthorizationEndpoint(sessionClient, {  endpoint: uri("https://myserver.com/path/to/endpoint"),  app: evmAddress("0xa0182D914845ec1C3EF61a23C50D56370E23d94e"),});
if (result.isErr()) {  return console.error(result.error);}

You can include any secret or API key in the Authorization Endpoint URL. The Lens API will not expose this information to the user.

You can revert this configuration at any time.

TypeScript
GraphQL

Use the removeAppAuthorizationEndpoint action to remove the Authorization Endpoint configuration for your Lens App.

Remove Authorization Endpointimport { evmAddress } from "@lens-protocol/client";import { removeAppAuthorizationEndpoint } from "@lens-protocol/client/actions";
const result = await removeAppAuthorizationEndpoint(sessionClient, {  app: evmAddress("0xa0182D914845ec1C3EF61a23C50D56370E23d94e"),});
if (result.isErr()) {  return console.error(result.error);}

Operations Approval

The Operations Approval mechanism allows you to control which operations are allowed for a given Lens Account. This mechanism is used to approve social operations such as posting, commenting, following, etc.

Verification Endpoint

First, create a Verification Endpoint to handle the Operations Approval mechanism.

The Verification Endpoint must be a publicly accessible HTTPS URL that accepts POST requests with a JSON payload and responds within 500ms; delays will cause the request to be treated as invalid. Like the Authorization Endpoint, optimize its performance by using caching or pre-computed data where necessary and ensure reliable hosting to avoid downtime or delays.

Request

The Lens API will send a POST request to the Verification Endpoint according to the following format:

POST /path/to/endpoint HTTP/1.1Host: myserver.comContent-Type: application/json{  "nonce": "42",  "deadline": "1630000000",  "operation": "Post",  "validator": "0x78731D3Ca6b7E34aC0F824c42a7cC18A495cabaB",  "account": "0x4F10f685B6BF165e86f41CDf4a906B17F295C235"}

Body Parameter	Description
nonce	A unique identifier for the operation.
deadline	A Unix timestamp in seconds indicating when the operation will expire.
operation	An enum value indicating the operation type.
validator	The Lens Primitive (e.g., Feed, Graph, etc.) validating the operation.
account	The Lens Account performing the operation.

Possible values for the operation field are:

enum Operation {  Post  Repost  EditPost  DeletePost  Follow  Unfollow  CreateAccount  CreateUsername  CreateAndAssignUsername  AssignUsername  UnassignUsername  SetAccountMetadata  JoinGroup  LeaveGroup}

Response

The Verification Endpoint must respond with a JSON object according to the following format:

Any non-200 response or invalid response will end up in denying the user to perform the operation.

Allowed
Not Allowed

The user is allowed to perform the operation.

HTTP/1.1 200 OKContent-Type: application/json{  "allowed": true,  "signature": "0x2b8a91ad7b6db0c29a09d592e8f16287b82a40a6d245cb3e1f174b02d0fb08a2"}

Response Property	Description
allowed	true - allowed
signature	The cryptographic signature used to authorize the operation on-chain.

Signature Logic

Then, implement the signing logic within your Verification Endpoint to handle operation approvals.

The Verification Endpoint must return an EIP-712 signature as cryptographic proof that the app has approved the operation.

TypeScript
JSON

The example below demonstrates how to generate this signature using viem and Express.

import express from "express";
import { approver } from "./approver";
const app = express();
app.use(express.json());
app.post("/verify-operation", async (req, res) => {  // Validate if the account is authorized to perform the requested operation  const isAllowed = true; // Replace with actual validation logic
  if (!isAllowed) {    return res.json({      allowed: false,      reason: "Operation not allowed for this account",    });  }
  // If the operation is valid, sign it  res.json({    allowed: true,    signature: await approver.signOperationApproval(req.body),  });});
app.listen(process.env.PORT || 3000);

Configure App Signers

Then, add the approver address to the list of App Signers associated with your Lens App.

You MUST be authenticated as Builder and be either the owner or an admin of the App you intend to configure.

TypeScript
GraphQL

Use the addAppSigners action to add the approver addresses to the list of App Signers associated with your Lens App.

example.tsimport { evmAddress } from "@lens-protocol/client";import { addAppSigners } from "@lens-protocol/client/action";
const result = await addAppSigners(sessionClient, {  app: evmAddress("0x75bb5fBdb559Fb2A8e078EC2ee74aad791e37DCc"),  signers: [evmAddress("0xe2f2a5C287993345a840db3B0845fbc70f5935a5")],});

And, handle the result using the adapter for the library of your choice:

import { handleOperationWith } from "@lens-protocol/client/viem";
// …
const result = await addAppSigners(sessionClient, {  app: evmAddress("0x75bb5fBdb559Fb2A8e078EC2ee74aad791e37DCc"),  signers: [evmAddress("0xe2f2a5C287993345a840db3B0845fbc70f5935a5")],}).andThen(handleOperationWith(walletClient));

See the Transaction Lifecycle guide for more information on how to determine the status of the transaction.

Enable App Verification

Finally, enable the App Verification for your Lens App.

You MUST be authenticated as Builder and be either the owner or an admin of the App you intend to configure.

TypeScript
GraphQL

Use the setAppVerification action to enable the App Verification for your Lens App.

example.tsimport { evmAddress } from "@lens-protocol/client";import { addAppSigners } from "@lens-protocol/client/action";
const result = await setAppVerification(sessionClient, {  app: evmAddress("0x75bb5fBdb559Fb2A8e078EC2ee74aad791e37DCc"),  enabled: true,});

And, handle the result using the adapter for the library of your choice:

import { handleOperationWith } from "@lens-protocol/client/viem";
// …
const result = await setAppVerification(sessionClient, {  app: evmAddress("0x75bb5fBdb559Fb2A8e078EC2ee74aad791e37DCc"),  enabled: true,}).andThen(handleOperationWith(walletClient));

See the Transaction Lifecycle guide for more information on how to determine the status of the transaction.

That's it—only legit operations signed by your Verification Endpoint will succeed.

Revoke Credentials

The Lens Authentication flow allows you to implement a credentials revocation mechanism. This is useful when you want to invalidate a user's session or revoke access to the Lens API for interactions involving your app.

To revoke a user's credentials, you should include the relevant Account address in a denylist that is accessible to your Authorization Endpoint. On the subsequent request to refresh the credentials you can then deny access to the Lens API.