
Message Troubleshooting

The SIWE Message Validator is an interactive tool that helps you validate, lint, and debug Sign in with Ethereum (SIWE) messages for compliance with the EIP-4361 specification.

Validation Categories

Format Validation

  • Message structure and grammar compliance
  • Required field presence and formatting
  • Timestamp format (RFC 3339/ISO 8601)
  • Ethereum address format validation
  • URI format checking

Security Validation

  • Nonce entropy and uniqueness analysis
  • Domain binding verification
  • Time-based security checks
  • Resource access scope validation
  • Common vulnerability detection

Compliance Validation

  • EIP-4361 specification adherence
  • Version compatibility checking
  • Chain ID validation
  • Standard field requirements

Common Errors

Unnecessary Line Breaks

❌ example.com wants you to sign in with your Ethereum account:

❌ 0x742d35Cc6C4C1Ca5d428d9eE0e9B1E1234567890

✅ example.com wants you to sign in with your Ethereum account:
✅ 0x742d35Cc6C4C1Ca5d428d9eE0e9B1E1234567890

Fix: Only add line breaks where specified in ERC-4361.

Address Format Issues

❌ 742d35Cc6C4C1Ca5d428d9eE0e9B1E1234567890
✅ 0x742d35Cc6C4C1Ca5d428d9eE0e9B1E1234567890

Fix: Add the 0x prefix to Ethereum addresses.

Timestamp Format Issues

❌ 2023-10-31 16:25:24
✅ 2023-10-31T16:25:24Z

Fix: Use RFC 3339 format with T separator and timezone.

Common Suggestions

Weak Nonce Security

❌ test123
✅ a1B2c3D4e5F6g7H8

Fix: Use cryptographically secure random nonces with mixed characters.

Missing Expiration Time

  Nonce: a1B2c3D4e5F6g7H8
  Issued At: 2023-10-31T16:25:24Z
+ Expiration Time: 2023-10-31T16:35:24Z

Fix: Add expiration time for security (5-15 minutes recommended).

Security Best Practices

When implementing SIWE authentication, always:

  1. Generate messages server-side to prevent client manipulation
  2. Use strong nonces with sufficient entropy (16+ characters)
  3. Implement expiration times to limit message lifetime
  4. Validate domain binding to prevent phishing attacks
  5. Check signatures server-side - never trust client validation alone
  6. Store used nonces to prevent replay attacks
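
The sketch below applies practices 1 to 4 and 6 to already-parsed message fields. It is an added example, not code from the validator or the SIWE libraries; the names `issueNonce`, `checkSiweFields`, the in-memory `Map` nonce store and the sample values are assumptions made for illustration, and signature verification (practice 5) is left to your SIWE library.

```javascript
// Web Crypto is global in browsers and current Node; older Node exposes it via node:crypto.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const RFC3339 = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$/;

// Practices 1-2: the server creates the nonce from a CSPRNG (16 bytes -> 32 hex chars)
// and records it, so only nonces it issued can ever be accepted.
function issueNonce(store) {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  const nonce = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
  store.set(nonce, 'issued');
  return nonce;
}

// Practices 3, 4 and 6 on already-parsed fields (hypothetical helper). Returns a list of
// problems; an empty list means these checks passed and the nonce is now marked used.
// In a full login flow, verify the signature before accepting the session.
function checkSiweFields(fields, expectedDomain, store, now) {
  const problems = [];
  if (fields.domain !== expectedDomain) problems.push('domain-mismatch');
  if (!fields.expirationTime) problems.push('missing-expiration');
  else if (!RFC3339.test(fields.expirationTime)) problems.push('bad-expiration-format');
  // Negated comparison so an impossible date (Date.parse -> NaN) is rejected too.
  else if (!(Date.parse(fields.expirationTime) > now.getTime())) problems.push('expired');
  const state = store.get(fields.nonce);
  if (state === undefined) problems.push('unknown-nonce');
  else if (state === 'used') problems.push('nonce-replayed');
  if (problems.length === 0) store.set(fields.nonce, 'used');
  return problems;
}

// Constructed sample: one login attempt submitted twice, then a look-alike domain.
function demo() {
  const store = new Map();
  const now = new Date('2023-10-31T16:30:00Z');
  const fields = {
    domain: 'example.com',
    nonce: issueNonce(store),
    expirationTime: '2023-10-31T16:35:24Z',
  };
  return {
    first: checkSiweFields(fields, 'example.com', store, now),
    replay: checkSiweFields(fields, 'example.com', store, now),
    lookalike: checkSiweFields({ ...fields, domain: 'examp1e.com' }, 'example.com', store, now),
  };
}
```

In production the nonce store would be shared across server instances and entries would be dropped once their expiration time has passed.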

API Reference

The validator is built on a modular validation engine that you can use programmatically:

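// AutoFixer is assumed here to be exported by the same module as ValidationEngine.
import { ValidationEngine, AutoFixer } from '@site/src/components/SiweValidator';

// Validate a message against the strict profile
const result = ValidationEngine.validate(message, {
  profile: ValidationEngine.PROFILES.strict
});

// Quick validation for real-time feedback
const quickCheck = ValidationEngine.quickValidate(message);

// Apply auto-fixes. parsedMessage and errors are the parsed message and the
// error list from a previous validation run.
const fixed = AutoFixer.fixMessage(parsedMessage, errors);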