Kirby Login app

From IndieWeb

What is Kirby

Kirby is a mockup of a mobile app that can be used to sign GPG challenges. It is meant as a reference implementation of this type of app.

The end result is that you can sign in to any site that supports IndieAuth verification via GPG, without a pre-existing relationship with the site you're signing in to.

The end user experience after setup is as follows:

  • Enter your domain in an IndieAuth login prompt
  • A challenge code is presented on screen
  • Scan the code with your mobile app
  • You are signed in to the site

Ideally the user should not even have to know they are using GPG under the hood, it should Just Workโ„ข


Download the Kirby App

Generate a public/private key pair

Upon first launch of the app, it will prompt you to generate a public/private key pair within the app.

The app should store this securely on the device, such as in the Keychain in iOS. (Bonus points that in iOS 8, it will be possible to unlock keychain items with your thumbprint![1])

Export your public key

From within the app, you can export your public key by emailing it to yourself or copying it to the clipboard.

Link to your public key from your website

On your website, add a rel="pgpkey" tag pointing to the public key.

<link rel="pgpkey" href="/key.asc">

Signing In

Login prompt

When signing in to a site that supports GPG auth, you'll enter your domain name like you would as normal. The site will find your GPG public key you linked to.

Clicking the Kirby GPG button will present a Kirby Code challenge.

Scan the Kirby Code

Launching the Kirby app on your mobile device will open it directly to a camera interface. Point it at the code on your computer screen and it will scan the code.

The code is actually a JSON encoding of a challenge and a URL to submit the signature to.


The mobile app will sign the challenge with the private key, and submits the signed text to the URL indicated.

POST /verify HTTP/1.1
Content-type: x-www-form-encoded


Signature is Verified

After the server verifies the signature matches what it was expecting, it generates an authorization code and completes the signin.

See Also