Terp Network Docs
GuidesAuthenticationAuthenticators

Smart Account Authenticators

Programmable authentication for Terp Network accounts — register authenticators, combine strategies, build custom CosmWasm authenticator contracts

Smart Account Authenticators

The x/smart-account module replaces the default Cosmos SDK authentication with a programmable, per-account authentication framework. Instead of every transaction being authenticated by a single secp256k1 signature check, accounts can register multiple authenticators — each with their own rules for what they authorize.

How It Works

Transaction → Circuit Breaker → For each message:
                                   1. Identify the account for this message
                                   2. Fetch authenticator(s) registered to that account
                                   3. Call Authenticate() on the selected authenticator
                                   4. If authenticated → proceed; else → reject
                                 → Track() all authenticators
                                 → Execute messages
                                 → ConfirmExecution() on all authenticators

The flow has seven stages:

StageFunctionWhat Happens
1Gas limitTemporary cap set before fee payer is authenticated
2Identify fee payerFirst signer is the fee payer
3AuthenticateEach message authenticated by its selected authenticator
4Gas resetLimit restored after fee payer authenticated
5TrackAuthenticators notified of successful authentication
6ExecuteMessages run (state changes committed if succeed)
7ConfirmExecutionPost-execution rules enforced (spend limits, etc.)

Authentication flow diagram scaffold — a sequence diagram showing the full lifecycle of a transaction through the smart-account module.

The Authenticator Interface

Every authenticator on Terp Network implements this interface:

type Authenticator interface {
    Type() string                           // Unique type identifier
    StaticGas() uint64                      // Fixed gas per invocation
    Initialize(config []byte) (Authenticator, error)  // Set up from stored config
    Authenticate(ctx, request) error        // Validate the message
    Track(ctx, request) error               // Record successful authentication
    ConfirmExecution(ctx, request) error    // Enforce post-execution rules
    OnAuthenticatorAdded(ctx, account, config, id) error
    OnAuthenticatorRemoved(ctx, account, config, id) error
}

Available Authenticator Types

TypeDescriptionDocs
SignatureVerificationVerify a secp256k1 public key signature (default)Guide
MessageFilterMatch incoming messages against a JSON patternGuide
AllOfRequire ALL sub-authenticators to passGuide
AnyOfRequire ANY ONE sub-authenticator to passGuide
CosmwasmAuthenticatorV1Custom authentication logic via CosmWasm contractGuide

Registering an Authenticator

An authenticator is added to your account with a MsgAddAuthenticator transaction:

message MsgAddAuthenticator {
    string sender             = 1;   // Your account address
    string authenticator_type = 2;   // e.g. "SignatureVerification"
    bytes  data               = 3;   // Configuration (pubkey, pattern, etc.)
}

Each authenticator gets a globally unique ID (incrementing uint64). This ID is used when:

  • Selecting which authenticator to use in a transaction (via TxExtension)
  • Removing an authenticator (via MsgRemoveAuthenticator)

Selecting an Authenticator Per Message

Transactions using authenticators must include a TxExtension specifying which authenticator to use for each message:

message TxExtension {
    repeated uint64 selected_authenticators = 1;
}

If no selected_authenticators are provided, the transaction defaults to standard Cosmos SDK signature verification (backward compatible).

Available APIs

Each guide below demonstrates the same steps across multiple language APIs:

APIPackageUse Case
terpd CLIterpd tx smart-accountQuick prototyping, node operators
TypeScript/JS@cosmjs/stargate + cosmjs-typesWeb dApps, frontend
Rustcw-orchestrator, terp-rsContract deployment, integration tests
Goterp-core/typesBackend services, automation
Pythonterp-rs (PyO3 bindings)Scripting, analysis

Examples

SignatureVerification

Register a public key as an authenticator for your account — the simplest authenticator

MessageFilter

Authorize messages that match a JSON pattern — permissionless utility accounts and faucets

Composite Authenticators

Combine multiple authenticators with AllOf (AND) and AnyOf (OR) logic — multisig, tiered access

Safe-word Contract

Build a CosmWasm authenticator that authorizes transactions containing a pre-registered safe-word — custom auth logic

Backup And Recovery

Previous Page

SignatureVerification Authenticator

Register a secp256k1 public key as an authenticator — the simplest account-level authentication override

On this page

Smart Account AuthenticatorsHow It WorksThe Authenticator InterfaceAvailable Authenticator TypesRegistering an AuthenticatorSelecting an Authenticator Per MessageAvailable APIsExamples