StellarSplit supports two primary authentication modes: Standard JWT for production and general use, and a Development Bypass for local testing and debugging.
The API uses JSON Web Tokens (JWT) for secure authentication.
- The user authenticates (typically via their Stellar wallet).
- The server issues a JWT signed with
JWT_SECRET. - The client includes this token in the
Authorizationheader of subsequent requests.
Authorization: Bearer <your_jwt_token>- JWTs are validated against
JWT_SECRET. - In production,
NODE_ENV=productionmust be set to ensure strict validation. - Standard claims include
sub(user ID),email, andwalletAddress.
To simplify local development and testing without a full Stellar wallet lifecycle, a bypass is available via the x-user-id header.
If the server is NOT running in production mode (NODE_ENV != production), you can bypass JWT validation by providing a user identifier directly.
x-user-id: <any_user_identifier_or_wallet_address>The bypass is controlled by two environment variables:
NODE_ENV: Must NOT beproduction.AUTH_ALLOW_DEV_BYPASS: Must NOT befalse(defaults totrue).
curl -X GET http://localhost:3000/api/splits \
-H "x-user-id: GDZST3XVCDTUJ76ZAV2HA72KYQODXXZ5PTMAPZGDHZ6CS7RO7MGG3DBM"Warning
This header is completely ignored when NODE_ENV=production. Never rely on it for production integrations.
Regardless of the authentication mode used, the backend populates req.user with an AuthUser object:
interface AuthUser {
id: string; // User identifier
walletAddress: string; // Stellar wallet address
email?: string; // Optional email (JWT only)
}Many endpoints depend on this object to filter results by the active user (e.g., /api/groups, /api/split-history).