ERC721 Media API (0.1.0)

Download OpenAPI specification:Download

URL: https://github.com/elsewhat/nft-erc721-media-api License: Apache 2.0

Introduction

The ERC721 Media API provides a standardized approach for allowing third party access to media files for ERC721 NFTs if the owner gives permission.

Example of media files are:

Rigged 3D models in VRM, FBX and GLB formats to be used in open worlds such as Cryptovoxels, Sandbox, Decentraland or Somnium
2D sprite sheets to use in 2D based worlds such as worldwideweb3

The media files in question are not stored on the blockchain, but are securely stored as part at the website of the ERC721 contract owner. An ERC721 contract owner can implement this API to provide third party access to the media files.

Requesting owner permission

At a high-level, a third party application would like access to media files on behalf of the NFT owner. To prove the ownership, the NFT owner must sign a message using web3 at the website of the ERC721 contract owner. This will trigger a redirect to a callback URI defined by the third party application, and include the necessary access-token to access the media files for a limited time period.

The overall authentication flow is inspired by the OAuth Authorization Code Flow, but is simpler (access_token returned in initial callbackURI).

The first step is the endpoint /authorize which initialize the flow from the third party application. The third party application must provide a callbackURI and is recommended to provide a state parameter for preventing cross-site request forgery attacks.

The results of the first step is a HTTP 302 redirect to a URI at the website of the ERC721 contract owner. This redirect includes the callbackURI and state from the third party application.

By following the redirect, the NFT owner will need to sign a message using web3 to prove ownership. If the authentication through web3 signature was completed successfully, the callback URL will be triggered with three parameters:

account: The account address that approved access.
access-token: The token that grants access to the owner files.
state (optional): Optional state parameter which should be compared with  in order to protect against cross-site request forgery

If authentication was not successful, for example the user cancelled the request, the callback URL will be triggered with a single parameter:

error-message: The message describing the error that occured, or that the user declined access.

Get available media files

Available media files are found through /nfts. This endpoint may require a valid access-token.

Download media file

Media files are downloaded from /nfts/{nft-id}/media/{media-id}. This endpoint will always required a valid access-token.

Future improvements

Currently, the access-token is passed around as a query parameter. This can have security implications. Bearer based authentication via Authorization HTTP header ought to be defined as an alternative.

Ideally, there should be a reference from the Ethereum smart contract to this API. However, it will not be feasible to adjust existing contracts with this information. New contracts are encouraged to provide a tokenMediaURI function which returns the base URI of the ERC721 Media API implementation for the contract.

Authorize

Redirect to authorize URI

Overview

Initiate the authorization flow where the NFT owner must sign a message using web3 at the website of the ERC721 collection owner.

A successful signature verification will result in a HTTP 302 redirect to the provided callbackURI which should be part of third party application requiring access to the media file.

Important information

The response of this API call is normally a HTTP 302 redirect where the Location HTTP header contains the URI the NFT owner must visit in order to prove ownership.

Response 503 indicate the media files are temporarily unavailable (for example due to planned maintenance).

query Parameters

callbackURI

required

string

Example: callbackURI=https%3A%2F%2Fmeebits.larvalabs.com%2Fmeebits%2FtestCallback

URI to redirect back to after owner has successfully proved ownership through web3 signature

state

string

Example: state=73ec3d0a-b206-4840-a493-2c20a8d893bb

An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back after owner has successfully proved ownership through web3 signature. The parameter should be used for preventing cross-site request forgery attacks and should not be guessable. A GUID or hash of the user session can be used as value.

Responses

Response samples

503

Content type

application/json

{"type": "https://tools.ietf.org/html/rfc7231#section-6.5.1",
"title": "One or more validation errors occurred.",
"status": 400,
"traceId": "00-d9dc368e6caec4449a64e798dad1b5b2-7d82bdde82c9474a-00",
"errors": {"property1": { },
"property2": { }
}
}

NFTs

Get NFTs with media for this contract and wallet

Overview

Get ERC721 Non-Fungible tokens and their media for this single contract and wallet.

The response will contain the standard ERC721 metadata, but also references to additional media files that can be downloaded via /nfts/{nft-id}/media/{media-id}.

Authorizations:

None

query Parameters

wallet required	string Example: wallet=0x1912365cf48b8d0cd9081958e69b7a1708249123 The ethereum wallet address of the user
access-token	string Example: access-token=uuzGVVFwklbyDBFERTxe Access token from authentication. May not be required for some contracts
per-page	integer <= 100 Default: 100 Results to return pr page
page	integer Default: 1 Page to fetch

Responses

Response samples

200
default

Content type

application/json

{"nfts": [{"nftId": "0x7Bd29408f11D2bFC23c34f18275bBf23bB716Bc7-13396",
"contract": "0x7Bd29408f11D2bFC23c34f18275bBf23bB716Bc7",
"tokenId": "13396",
"owner": {"address": "0x1234..."
},
"erc721": {"name": "Meebit #13396",
"description": "Meebit #13396",
"image": "https://meebits.larvalabs.com/meebitimages/characterimage?index\\u003d13386\\u0026type\\u003dfull\\u0026imageType\\u003djpg",
"attributes": [{"trait_type": "Shirt",
"value": "Hoodie up"
}
]
},
"media": [{"mediaId": "string",
"mediaType": "model/gltf-binary",
"mediaFileEnding": "gltf"
}
]
}
],
"total_count": 20,
"incomplete_results": false
}

Media

Download media file for NFT

Overview

Download a media file for an NFT.

The nft-id and media-id can be found using /nfts

Important information

Response 401 will occur if provided access-token is expired or not valid.

Response 403 will occur if the access-token is valid, but does not have authorization to download the media.

Authorizations:

None

path Parameters

nft-id required	string `nft-id` from response of `/nfts`
media-id required	string `media-id` from response of `/nfts`

query Parameters

access-token

required

string

Example: access-token=uuzGVVFwklbyDBFERTxe

Access token from authentication

Responses

Response samples

400
401
403
404

Content type

application/json

{"type": "https://tools.ietf.org/html/rfc7231#section-6.5.1",
"title": "One or more validation errors occurred.",
"status": 400,
"traceId": "00-d9dc368e6caec4449a64e798dad1b5b2-7d82bdde82c9474a-00",
"errors": {"property1": { },
"property2": { }
}
}