Core Concepts

​

User Authentication

Meso offers multiple different ways for a user to authenticate when completing a transfer, and no transfer is ever completed without two forms of user authentication. How these different methods are used depends on your platform needs, the integration path you choose, and user behavior. See Authentication Strategies for details on the integration options. Each has pros and cons depending on your particular app and the user experience you are aiming for, so it is important you understand these options.

​

Wallet Authentication

Meso is designed to provide a crypto-native experience wherever possible. As such, our default authentication pattern leverages the user’s wallet as the first authentication factor. Unless specified otherwise in the transfer initialization, when a user is first presented with the Meso iframe, they will be prompted to verify their wallet by signing a message. This ensures that the destination wallet address for the funds is accurate and that the user is in possession of that wallet at the time of the transfer.

However, depending on your platform, the prompt for a user to sign a message may not be desired. This is common in two cases:

Standalone or Embedded Wallets

• Problem: If the user is already logged in to your wallet, or your platform has created a wallet on the user’s behalf (embedded), it may not make sense to request a signature.
• Solution: You can sign a message on your user’s behalf using the headless wallet verification strategy. Existing users will move to the SMS one-time passcode entry screen, and new users will move to onboarding.

Smart Contract Wallets

• Problem: If your platform uses smart contract wallets or you use ERC-6492 to allow for signature validation pre-deployment, then prompting for the signing of a message in the wallet may not be feasible.
• Solution: You can bypass wallet verification and force users always to sign in using email and password as their primary authentication method.

​

Email & Password

All users will create an email and password when onboarding with Meso. As specified above, wallet verification is the default primary user authentication factor but email and password are used as the first factor in the following scenarios:

• The “Bypass wallet verification” authentication strategy is used (typically by smart contract wallet platforms).
• Existing Meso users who verify a different wallet address than those used during onboarding or previous transfers. In this case, an email and password are required as the first authentication factor, followed by a one-time passcode sent via SMS to their phone. Once the user is fully authenticated, the new wallet is attached to their account and set as the destination address for the transfer in progress.

​

One-time Password (OTP)

All Meso transfers require two forms of user authentication. Whether the user has come through the wallet or email/password primary authentication path, the final step is a one-time passcode sent via SMS to the phone they verified ownership of during onboarding. This is a mandated step by Meso that all users must complete before transferring.

​

Transfer Lifecycle

A Meso transfer takes place within the context of your application. Therefore, there is a sequence of handoffs between your app and the Meso iframe/webview that happens in three stages:

​

Transfer Approved vs. Complete

Once a transfer is in progress, it moves through two states.

1. Approved: A transfer is approved as soon as the processor approves the fiat payment. Depending on your integration, at this point, the Meso iframe will close or the user will be prompted to close the window.
2. Complete: A transfer is complete once Meso has confirmation that the crypto is in the user’s wallet.