docs/_includes/sign_in.md

For an application developer, the application flow is similar to the typical client-server flow used by centralized sign in services (e.g., OAuth). However, with Blockstack, the authentication flow happens entirely client-side.

A decentralized application (DApp) and the Blockstack Browser communicate during the authentication flow by passing back and forth two tokens. The requesting application sends the Blockstack Browser an `authRequest` token. Once a user approves a sign-in, the Blockstack Browser responds to the application with an `authResponse` token. These tokens are <a href="https://jwt.io/" target="\_blank">JSON Web Tokens</a>, and they are passed via URL query strings.

![](/storage/images/app-sign-in.png)

When a user chooses to **Sign in with Blockstack** on a DApp, it calls the `redirectToSignIn()` method which sends an  `authRequest` to the Blockstack Browser. Blockstack passes the token in via a URL query string in the `authRequest` parameter:

`https://browser.blockstack.org/auth?authRequest=j902120cn829n1jnvoa...`

When the Blockstack Browser receives the request, it generates an (`authResponse`) token to the application using an _ephemeral transit key_ . The ephemeral transit key is just used for the particular instance of the application, in this case, to sign the `authRequest`. The application stores the ephemeral transit key during the request generation. The public portion of the transit key is passed in the `authRequest` token. The Blockstack Browser uses the public portion of the key to encrypt an _app-private key_ which is returned via the `authResponse`. 

During sign in, the Blockstack Browser generates the app-private key from the user's _identity-address private_ key and the application's `appDomain`. The app private key serves three functions:

* It is used to create the credentials that give an app access to the Gaia storage bucket for that specific app.
* It is used in the end-to-end encryption of files stored for the app in the user's Gaia storage.
* It serves as a cryptographic secret that apps can use to perform other cryptographic functions.

Finally, the app private key is deterministic, meaning that for a given user ID and domain name, the same private key is generated each time.
Add in basic information from Javascript Updates to browser information Creating shared auth between auth and todo Minor updates to the toddo sample Signed-off-by: Mary Anthony <mary@blockstack.com> 6 years ago			`For an application developer, the application flow is similar to the typical client-server flow used by centralized sign in services (e.g., OAuth). However, with Blockstack, the authentication flow happens entirely client-side.`

			A decentralized application (DApp) and the Blockstack Browser communicate during the authentication flow by passing back and forth two tokens. The requesting application sends the Blockstack Browser an `authRequest` token. Once a user approves a sign-in, the Blockstack Browser responds to the application with an `authResponse` token. These tokens are <a href="https://jwt.io/" target="\_blank">JSON Web Tokens</a>, and they are passed via URL query strings.

			`![](/storage/images/app-sign-in.png)`

Search and replace auth to add UserSessions Signed-off-by: Mary Anthony <mary@blockstack.com> 6 years ago			When a user chooses to Sign in with Blockstack on a DApp, it calls the `redirectToSignIn()` method which sends an `authRequest` to the Blockstack Browser. Blockstack passes the token in via a URL query string in the `authRequest` parameter:
Add in basic information from Javascript Updates to browser information Creating shared auth between auth and todo Minor updates to the toddo sample Signed-off-by: Mary Anthony <mary@blockstack.com> 6 years ago
			`https://browser.blockstack.org/auth?authRequest=j902120cn829n1jnvoa...`

Entering kantai comments Signed-off-by: Mary Anthony <mary@blockstack.com> 6 years ago			When the Blockstack Browser receives the request, it generates an (`authResponse`) token to the application using an _ephemeral transit key_ . The ephemeral transit key is just used for the particular instance of the application, in this case, to sign the `authRequest`. The application stores the ephemeral transit key during the request generation. The public portion of the transit key is passed in the `authRequest` token. The Blockstack Browser uses the public portion of the key to encrypt an _app-private key_ which is returned via the `authResponse`.
Add in basic information from Javascript Updates to browser information Creating shared auth between auth and todo Minor updates to the toddo sample Signed-off-by: Mary Anthony <mary@blockstack.com> 6 years ago
Entering kantai comments Signed-off-by: Mary Anthony <mary@blockstack.com> 6 years ago			During sign in, the Blockstack Browser generates the app-private key from the user's _identity-address private_ key and the application's `appDomain`. The app private key serves three functions:
Add in basic information from Javascript Updates to browser information Creating shared auth between auth and todo Minor updates to the toddo sample Signed-off-by: Mary Anthony <mary@blockstack.com> 6 years ago
Entering kantai comments Signed-off-by: Mary Anthony <mary@blockstack.com> 6 years ago			`* It is used to create the credentials that give an app access to the Gaia storage bucket for that specific app.`
			`* It is used in the end-to-end encryption of files stored for the app in the user's Gaia storage.`
Add in basic information from Javascript Updates to browser information Creating shared auth between auth and todo Minor updates to the toddo sample Signed-off-by: Mary Anthony <mary@blockstack.com> 6 years ago			`* It serves as a cryptographic secret that apps can use to perform other cryptographic functions.`

Entering kantai comments Signed-off-by: Mary Anthony <mary@blockstack.com> 6 years ago			`Finally, the app private key is deterministic, meaning that for a given user ID and domain name, the same private key is generated each time.`