Shadow-Overlord

EIP-191 wallet signature → 5-minute JWT for the mindX admin tier. One wallet. No password. No cookies. Your private key never leaves your device.

Backend API:

Sovereign — privileged routes unlocked

/admin/cabinet/{company}/{preflight,provision,clear} — executive wallet management /vault/sign/{agent_id} — vault-as-signing-oracle (per-request shadow-JWT + fresh nonce) /admin/shadow/release-key/{agent_id} — emergency plaintext key release (audited) /admin/vault/credentials/{list,store,delete,reunlock} — vault CRUD /admin/publish-to-rage — operator publish to rage.pythai.net SHADOW_OVERLORD_GUIDE — full reference

What this does — and what it doesn't

This page is the browser-side login for the shadow-overlord admin tier. It implements the public half of the challenge → signature → JWT flow defined in mindx_backend_service/bankon_vault/shadow_overlord.py.

It calls two endpoints on the configured backend:

POST /admin/shadow/challenge   { "scope": "auth" }   → { nonce, message, expires_at }
POST /admin/shadow/verify      { nonce, signature }   → { jwt, exp }

The JWT lives only in JavaScript memory (never localStorage) and expires in ≤5 min. Reauth = re-sign.

Verifying the recovered signer happens server-side — you'll get a 403 if your wallet isn't SHADOW_OVERLORD_ADDRESS.

vault handoff guide · shadow-overlord guide · dashboard

Shadow-Overlord

Authenticated session

Sovereign — privileged routes unlocked