Identity
Calimero uses cryptographic identities to manage access control and authentication across the network. Each participant has one or more identities that prove ownership and grant permissions.
Identity Model
Calimero supports a hierarchical identity model:
```mermaid
flowchart LR
    ROOT[Root Key<br/>alice.near] --> CLIENT1[Client Key A]
    ROOT --> CLIENT2[Client Key B]
    ROOT --> CLIENT3[Client Key C]
    CLIENT1 --> CTX1[Context A]
    CLIENT2 --> CTX2[Context B]
    CLIENT3 --> CTX3[Context C]
    style ROOT fill:#000000,stroke:#00ff00,stroke-width:4px,color:#ffffff
    style CLIENT1 fill:#1a1a1a,stroke:#00ff00,stroke-width:3px,color:#ffffff
    style CLIENT2 fill:#1a1a1a,stroke:#00ff00,stroke-width:3px,color:#ffffff
    style CLIENT3 fill:#1a1a1a,stroke:#00ff00,stroke-width:3px,color:#ffffff
    style CTX1 fill:#1a1a1a,stroke:#00ff00,stroke-width:3px,color:#ffffff
    style CTX2 fill:#1a1a1a,stroke:#00ff00,stroke-width:3px,color:#ffffff
    style CTX3 fill:#1a1a1a,stroke:#00ff00,stroke-width:3px,color:#ffffff
```
Root Keys
A root key is an authentication credential that represents a user’s master identity in the Calimero auth system. It’s typically:
- Generated from a NEAR wallet or from a username/password combination
- Used for high-level operations (creating contexts, managing memberships)
- Stored securely (hardware wallet, keychain, etc.)
Client Keys
Client keys are derived from root keys and used for:
- Executing methods in specific contexts
- Signing transactions and deltas
- Proving membership in contexts
Benefits:
- Isolation: Compromise of one client key doesn’t affect others
- Revocation: Can revoke access per-context without changing root key
- Privacy: Different keys for different contexts
Identity Generation
Generate identities with meroctl:
```
$: meroctl --node node1 context identity generate
> +-----------------------------------------+---------------------------------------------+
> | Context Identity Generated              | Public Key                                  |
> +=======================================================================================+
> | Successfully generated context identity | 8XG254iKm6YGNJANbkKQpFknmE27TykArAvfJPqHBmw |
> +-----------------------------------------+---------------------------------------------+
```
See core/crates/meroctl/README.md for CLI details.
Blockchain Wallet Integration
Calimero supports wallet-based authentication:
| Protocol | Identity Source |
|---|---|
| NEAR | NEAR account ID + signature |
Flow:
- User connects wallet
- Signs challenge message
- Calimero verifies signature
- JWT token issued
See calimero-client-js/README.md for client authentication examples.
Authentication Flows
For wallet authentication examples, see:
- JavaScript: calimero-client-js/README.md - Client-side auth flows
- Python: calimero-client-py/README.md - Python client auth
JWT Tokens
After authentication, Calimero issues JWT tokens containing:
- context_id - Target context
- executor_public_key - Client key for execution
- permissions - Access permissions
- exp - Expiration timestamp
Usage:
- Include in API requests: Authorization: Bearer <token>
- Tokens expire and can be refreshed
- See core/crates/auth/README.md for details
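The wallet flow and the token claims described above, sketched end to end as an added example (not Calimero's code): the server issues a single-use challenge, verifies the wallet's Ed25519 signature over it, and mints a token that the API side checks for integrity, expiry and target context. The challenge format, HS256 token signing, the sample claim values and every function name here are assumptions for illustration; only the claim names come from the page.

```javascript
// Added illustration, not Calimero code; challenge format, HS256 and all names are assumptions.
const crypto = require("node:crypto");
const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const mac = (data, secret) => crypto.createHmac("sha256", secret).update(data).digest();
const pending = new Map(); // nonce -> expiry in ms; each challenge is single-use

function issueChallenge(now = Date.now(), ttlMs = 60_000) {
  const nonce = crypto.randomBytes(32).toString("hex");
  pending.set(nonce, now + ttlMs);
  return nonce;
}

// Verify the wallet's Ed25519 signature over the nonce, then mint the token.
// A real verifier must bind walletPublicKey to the claimed account ID, not trust the caller.
function authenticate({ nonce, signature, walletPublicKey, claims }, secret, now = Date.now()) {
  const expiry = pending.get(nonce);
  pending.delete(nonce); // consumed on first use, pass or fail, so a captured reply cannot be replayed
  if (expiry === undefined || now > expiry) return null;
  if (!crypto.verify(null, Buffer.from(nonce), walletPublicKey, signature)) return null;
  const head = b64u({ alg: "HS256", typ: "JWT" });
  const body = b64u({ ...claims, exp: Math.floor(now / 1000) + 3600 });
  return `${head}.${body}.${mac(head + "." + body, secret).toString("base64url")}`;
}

// API side: check the MAC before parsing anything, then algorithm, expiry and target context.
function verifyToken(token, secret, contextId, now = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  const given = Buffer.from(parts[2], "base64url");
  const expected = mac(parts[0] + "." + parts[1], secret);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  if (JSON.parse(Buffer.from(parts[0], "base64url")).alg !== "HS256") return null;
  const claims = JSON.parse(Buffer.from(parts[1], "base64url"));
  if (typeof claims.exp !== "number" || now / 1000 >= claims.exp) return null;
  return claims.context_id === contextId ? claims : null;
}

// Constructed run: throwaway wallet key, sample claims, one replayed login.
function demo() {
  const secret = crypto.randomBytes(32);
  const wallet = crypto.generateKeyPairSync("ed25519");
  const nonce = issueChallenge();
  const signature = crypto.sign(null, Buffer.from(nonce), wallet.privateKey);
  const claims = { context_id: "ctx-A", executor_public_key: "client-key-A", permissions: ["execute"] };
  const login = { nonce, signature, walletPublicKey: wallet.publicKey, claims };
  const token = authenticate(login, secret);
  return { token, replay: authenticate(login, secret), accepted: verifyToken(token, secret, "ctx-A"),
    wrongContext: verifyToken(token, secret, "ctx-B"), expired: verifyToken(token, secret, "ctx-A", Date.now() + 7_200_000) };
}
```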
Key Management
Hierarchical structure:
- Root keys delegate to client keys per context
- Each context has separate client keys
- Keys can be revoked independently
Revoke access:
```
$: meroctl --node <NODE_ID> context identity revoke <MEMBER_ALIAS> <CAPABILITY> --as <REVOKER_ALIAS> --context <CONTEXT_ALIAS>
```
See core/crates/meroctl/README.md for key management commands.
What happens:
- Key is removed from context membership
- Key can no longer sign transactions for that context
- Existing transactions remain valid (immutable history)
- Root key remains unaffected
- Removed member stops receiving updates
Wallet Adapters
Calimero provides wallet adapters for easy integration:
JavaScript Client
```jsx
import {
  CalimeroConnectButton,
} from "@calimero-network/calimero-client";

// Automatically handles node connection and authentication
<CalimeroConnectButton />
```
Supported wallets:
- NEAR Wallet
Python Client
```python
from calimero_client_py import create_connection, create_client

# Connect to Calimero network
connection = create_connection(
    api_url="https://node.calimero.network",
    node_name="your-node-name"  # Optional but recommended for token caching
)

# Create a client from the connection
client = create_client(connection)
...
```
Best Practices
- Use Client Keys: Don’t use root keys directly for context operations
- Rotate Keys: Periodically rotate client keys for security
- Secure Storage: Store private keys in secure keychains, never in code
- Multi-Sig Support: Use multi-signature wallets for high-value contexts
- Key Backup: Back up root keys securely (hardware wallet, paper backup)
Deep Dives
For detailed identity documentation:
- Identity Contracts: contractsREADME - Smart contract implementations
- Auth Service: core/crates/auth/README.md - Authentication service
- Client SDKs: Tools & APIs - Wallet integration guides
Related Topics
- Contexts - Where identities are used
- Applications - What identities can access
- Architecture Overview - How identity fits into the system