Deploy Wallet - Integration Guide

This guide explains how to deploy a wallet for your users, covering signup, signin, refresh token, and wallet recovery.

📊 View Flow Diagram

1. Sign Up

Simple ExternalUserId creation: Create account without passkey (quick signup)
Email validation: Create account with email verification
Passkey creation: Create account with passkey (with optional email validation)

Scenario 1: Simple ExternalUserId Creation

Endpoint : GET /v1.2/auth/sign-up?passkeys=FALSE

Query Parameters :

passkeys (string, required) : Set to FALSE to skip passkey creation

Request Example :

GET /v1.2/auth/sign-up?passkeys=FALSE

Response (200 OK) :

{
  "userId": "<userId>",
  "externalUserId": "<externalUserId>",
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "issuer": "foo.domain",
  "audience": "foo.domain",
  "subject": "<externalUserId>",
  "roles": ["USER"],
  "hasPasskey": false,
  "emailValidationRequired": false
}

💡 Note : This creates an account immediately without requiring biometric authentication. The user can add a passkey later by calling POST /v1.2/auth/sign-up with the externalUserId and a credential.

Scenario 2: Email Validation

Endpoint : GET /v1.2/auth/sign-up?passkeys=FALSE&email=user@example.com

Query Parameters :

passkeys (string, required) : Set to FALSE
email (string, required) : Email address for validation

Request Example :

GET /v1.2/auth/sign-up?passkeys=FALSE&email=user@example.com

Response (200 OK) :

{
  "userId": "<userId>",
  "externalUserId": "<externalUserId>",
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "emailValidationRequired": true
}

Complete Email Validation (POST) :

POST /v1.2/auth/sign-up
Content-Type: application/json

{
  "emailCode": "123456",
  "externalUserId": "<externalUserId>"
}

Scenario 3: Passkey Creation (Default)

Endpoint : GET /v1.2/auth/sign-up or GET /v1.2/auth/sign-up?passkeys=TRUE

Optional Parameters (query string) :

passkeys (string, optional) : TRUE (default) to generate WebAuthn challenge
email (string, optional) : Email address for validation (optional)
user.name (string) : Username for WebAuthn. Example: "jane.doe@foo.domain"
user.displayname (string) : Display name for WebAuthn. Example: "Jane Doe"
userName (string) : Alias for user.name
userDisplayName (string) : Alias for user.displayname

Request Example :

GET /v1.2/auth/sign-up?user.name=jane.doe@foo.domain&user.displayname=Jane%20Doe&email=user@example.com

Response (200 OK) :

{
  "credentialRequestOptions": {
    "rp": { "id": "foo.domain", "name": "foo.domain" },
    "user": { 
      "id": "<base64url>", 
      "name": "foo.domain <shortId>", 
      "displayName": "foo.domain <shortId>" 
    },
    "challenge": "<base64url>",
    "pubKeyCredParams": [{ "alg": -7, "type": "public-key" }],
    "authenticatorSelection": { 
      "residentKey": "preferred", 
      "userVerification": "preferred" 
    },
    "attestation": "none",
    "timeout": 60000
  },
  "emailValidationRequired": true
}

⚠️ Important : Keep the complete credentialRequestOptions object. It will be needed for the next step. If emailValidationRequired is true, you can optionally validate the email in the POST request.

Step 2: Complete Sign Up with Passkey

Endpoint : POST /v1.2/auth/sign-up

Body (JSON) :

credential (object, required if passkeys=TRUE) : WebAuthn credential obtained via navigator.credentials.create() with the options from step 1
emailCode (string, optional) : Email validation code (if email was provided in GET request)
externalUserId (string, optional) : ExternalUserId from GET /sign-up (for deferred passkey creation)
chainIds (array of numbers, optional) : List of chain IDs for multi-chain deployment. The effective chain (from X-Blockchain-Id or ?blockchainId) is automatically included if missing
chainId (number, optional) : Single chain ID (alternative to chainIds)
keyName (string, optional) : Passkey display name
keyDisplayName (string, optional) : Passkey display label for the user

Request Example (Passkey only) :

POST /v1.2/auth/sign-up
Content-Type: application/json

{
  "credential": {
    "id": "AVZs0qRCBSmfThZWu37g...",
    "rawId": "AVZs0qRCBSmfThZWu37g...",
    "type": "public-key",
    "response": {
      "attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVh...",
      "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoi..."
    }
  },
  "chainIds": [421614],
  "keyName": "my-passkey",
  "keyDisplayName": "My Passkey"
}

Request Example (Passkey + Email validation) :

POST /v1.2/auth/sign-up
Content-Type: application/json

{
  "credential": {
    "id": "AVZs0qRCBSmfThZWu37g...",
    "rawId": "AVZs0qRCBSmfThZWu37g...",
    "type": "public-key",
    "response": {
      "attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVh...",
      "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoi..."
    }
  },
  "emailCode": "123456",
  "chainIds": [421614]
}

Request Example (Deferred passkey - add passkey to existing account) :

POST /v1.2/auth/sign-up
Content-Type: application/json

{
  "externalUserId": "<externalUserId-from-previous-signup>",
  "credential": {
    "id": "AVZs0qRCBSmfThZWu37g...",
    "rawId": "AVZs0qRCBSmfThZWu37g...",
    "type": "public-key",
    "response": {
      "attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVh...",
      "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoi..."
    }
  },
  "chainIds": [421614]
}

Response (200 OK) :

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "issuer": "foo.domain",
  "audience": "foo.domain",
  "subject": "<externalUserId>",
  "roles": ["USER"],
  "safeAddress": { 
    "421614": "0xd676c6188195372EC269E9C2cAf815C56436A679"
  },
  "chainId": 421614,
  "keyName": "my-passkey",
  "keyDisplayName": "My Passkey"
}

💾 To Store :

access_token : JWT to authenticate subsequent requests (duration: ~1h)
refresh_token : JWT to obtain a new access_token (store securely)
subject : Unique externalUserId for this user for this rpId
safeAddress : Deployed Safe addresses by chainId

2. Sign In

Passkey authentication: Authenticate with existing passkey (default)
Email authentication: Authenticate with email validation code
ExternalUserId direct: Quick sign-in without challenge (for users without passkey)

Scenario 1: Passkey Authentication (Default)

Endpoint : GET /v1.2/auth/sign-in

Optional Parameters (query string) :

chainId (number) : Target chain ID for Safe operations

Request Example :

GET /v1.2/auth/sign-in?chainId=421614

Response (200 OK) :

{
  "credentialRequestOptions": {
    "challenge": "<base64url>",
    "rpId": "foo.domain",
    "userVerification": "required",
    "timeout": 60000
  }
}

Scenario 2: Email Authentication

Endpoint : GET /v1.2/auth/sign-in?email=user@example.com&externalUserId=<externalUserId>

Query Parameters :

email (string, required) : Email address
externalUserId (string, required) : ExternalUserId of the user

Request Example :

GET /v1.2/auth/sign-in?email=user@example.com&externalUserId=abc-123-def

Response (200 OK) :

{
  "emailCodeSent": true,
  "email": "user@example.com",
  "message": "A validation code has been sent to your email"
}

Scenario 3: ExternalUserId Direct Sign-In

Endpoint : GET /v1.2/auth/sign-in?externalUserId=<externalUserId>

Query Parameters :

externalUserId (string, required) : ExternalUserId of the user

Request Example :

GET /v1.2/auth/sign-in?externalUserId=abc-123-def

Response (200 OK) :

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "issuer": "foo.domain",
  "audience": "foo.domain",
  "subject": "<externalUserId>",
  "roles": ["USER"],
  "authMethod": "EXTERNAL_USER_ID",
  "hasPasskey": false
}

Step 2: Complete Sign In

Endpoint : POST /v1.2/auth/sign-in

Body (JSON) :

credential (object, optional) : WebAuthn credential obtained via navigator.credentials.get() (for passkey authentication)
emailCode (string, optional) : Email validation code (for email authentication)
email (string, optional) : Email address (required if emailCode provided)
externalUserId (string, optional) : ExternalUserId (required for email-only sign-in)
chainId (number, optional) : Target chain ID for Safe operations
includeBalance (boolean, optional) : Include current balance in HTTP response (for non-WebSocket clients)
includeTransactions (boolean, optional) : Include full transaction history in HTTP response
includeUserdata (boolean, optional) : Include IBEX Safe userData in HTTP response

Request Example (Passkey) :

POST /v1.2/auth/sign-in
Content-Type: application/json

{
  "credential": {
    "id": "AVZs0qRCBSmfThZWu37g...",
    "rawId": "AVZs0qRCBSmfThZWu37g...",
    "type": "public-key",
    "response": {
      "authenticatorData": "SZYN5YgOjGh0NBcPZHZgW4/krrmihjLHmVzzuoMdl2MFAAAAAQ...",
      "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoi...",
      "signature": "MEUCIQC..."
    }
  },
  "chainId": 421614,
  "includeBalance": true,
  "includeUserdata": true
}

Request Example (Email) :

POST /v1.2/auth/sign-in
Content-Type: application/json

{
  "emailCode": "123456",
  "email": "user@example.com",
  "externalUserId": "abc-123-def"
}

Response (200 OK) :

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "issuer": "foo.domain",
  "audience": "foo.domain",
  "subject": "<externalUserId>",
  "roles": ["USER"],
  "authMethod": "PASSKEY",
  "hasPasskey": true,
  "safeAddress": { 
    "421614": "0xd676c6188195372EC269E9C2cAf815C56436A679"
  },
  "chainId": 421614,
  "keyName": "my-passkey",
  "keyDisplayName": "My Passkey",
  "balance": { /* BCReader balances si includeBalance=true */ },
  "transactions": { /* Historique si includeTransactions=true */ },
  "userdata": { /* IBEX Safe userdata si includeUserdata=true */ }
}

💾 To Store : Same as signup, keep access_token, refresh_token, and subject.

3. Refresh Token

The refresh token allows you to obtain a new access_token before expiration (duration: ~1h).

Endpoint : POST /v1.2/auth/refresh

💡 Note : The refresh endpoint is the same for all API versions. You can use /v1.2/auth/refresh, /v1.1/auth/refresh, or /v1.2/auth/refresh.

Body (JSON) :

refresh_token (string, required) : Refresh token (JWT) obtained during sign-in or sign-up

Request Example :

POST /v1.2/auth/refresh
Content-Type: application/json

{
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

Response (200 OK) :

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "issuer": "foo.domain",
  "audience": "foo.domain",
  "subject": "<externalUserId>",
  "roles": ["USER"]
}

💡 Note : The refresh token issues a new access_token AND a new refresh_token. Replace both in your local storage.

4. Recovery

Recovery allows a user to configure a wallet recovery mechanism in case of access loss.

💡 Note : Recovery operations use the Safe operations endpoints. These are available in all API versions (v1, v1.1, v1.2).

Enable Recovery

Endpoint : POST /v1.2/safes/operations

Headers :

Authorization: Bearer <access_token> (required)

Body (JSON) :

safeAddress (string, required) : Safe address for which to enable recovery
operations (array, required) : Array containing an operation of type ENABLE_RECOVERY

ENABLE_RECOVERY Operation :

type (string, required) : "ENABLE_RECOVERY"
newOwners (array of strings, required) : List of new owner addresses (0x... format)
threshold (number, required) : Required signature threshold (usually 1)
firstName (string, optional) : First name for personal data
lastName (string, optional) : Last name for personal data
birthDate (string, optional) : Birth date (YYYY-MM-DD format)
birthCity (string, optional) : Birth city
birthCountry (string, optional) : Birth country

Request Example :

POST /v1.2/safes/operations
Content-Type: application/json
Authorization: Bearer <access_token>

{
  "safeAddress": "0xd676c6188195372EC269E9C2cAf815C56436A679",
  "operations": [
    {
      "type": "ENABLE_RECOVERY",
      "newOwners": ["0x303f215950f7B07Ae45FD98590d503E0242E7de3"],
      "threshold": 1,
      "firstName": "Jane",
      "lastName": "Doe",
      "birthDate": "1990-01-01",
      "birthCity": "Paris",
      "birthCountry": "France"
    }
  ]
}

Response (200 OK) :

{
  "credentialRequestOptions": {
    "challenge": "<base64url_encoded_userOpHash>",
    "rpId": "foo.domain",
    "userVerification": "required"
  }
}

⚠️ Important : After receiving credentialRequestOptions, you must:

Use navigator.credentials.get() with these options to obtain a credential
Send a PUT /v1.2/safes/operations request with the credential to finalize activation

Finalize Activation (PUT)

Endpoint : PUT /v1.2/safes/operations

Body (JSON) :

credential (object, required) : WebAuthn credential obtained with the options from the previous step

Request Example :

PUT /v1.2/safes/operations
Content-Type: application/json
Authorization: Bearer <access_token>

{
  "credential": {
    "id": "AVZs0qRCBSmfThZWu37g...",
    "rawId": "AVZs0qRCBSmfThZWu37g...",
    "type": "public-key",
    "response": {
      "authenticatorData": "SZYN5YgOjGh0NBcPZHZgW4/krrmihjLHmVzzuoMdl2MFAAAAAQ...",
      "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoi...",
      "signature": "MEUCIQC..."
    }
  }
}

Cancel Recovery

To cancel an ongoing recovery, use the CANCEL_RECOVERY operation:

Request Example :

POST /v1.2/safes/operations
Content-Type: application/json
Authorization: Bearer <access_token>

{
  "safeAddress": "0xd676c6188195372EC269E9C2cAf815C56436A679",
  "operations": [
    {
      "type": "CANCEL_RECOVERY"
    }
  ]
}

💡 Note : Recovery requires a delay (default 1 day = 86400 seconds) before it can be executed. Final execution is performed by the IBEX team via an administrative endpoint after the delay expires.

Summary of Data to Store

access_token : JWT to authenticate requests (duration ~1h, needs refresh)
refresh_token : JWT to obtain a new access_token (store securely)
subject (externalUserId) : Unique user identifier for this rpId
authMethod : Authentication method used (PASSKEY, EMAIL, EXTERNAL_USER_ID, PASSKEY_AND_EMAIL)
hasPasskey : Boolean indicating if user has a passkey
safeAddress : Deployed Safe addresses, organized by chainId (only if passkey exists)
keyName / keyDisplayName : Passkey metadata (optional, for display)

Technical Deep Dive - For AI Integration

This section provides detailed technical information for AI systems integrating the IBEX API, including architecture patterns, data models, and implementation details.

Architecture Overview

The IBEX API uses a multi-layered architecture:

Fastify Framework : Web server handling HTTP/WebSocket requests
Prisma ORM : Database access layer with PostgreSQL
WebAuthn/Passkey : FIDO2 authentication via @simplewebauthn/server
Safe4337Pack : Safe Account Abstraction (ERC-4337) for wallet operations
JWT : Token-based authentication with short-lived access tokens and refresh tokens

Database Schema Relationships

The authentication and wallet system uses the following entity relationships:

Domain (rpId)
  └── ExternalUser (id, rpId, userId)
       └── Signer (id, externalUserId, type: PASSKEY)
            └── Safe (address, blockchainId, signerId, threshold)
                 ├── SafeOperation (userOpHash, status, safeAddress, blockchainId)
                 └── Iban (safeAddress, blockchainId, status)

User (id, ky, lock)
  └── ExternalUser (id, rpId, userId)
       └── Login (id, userId, signerId, safeAddress, type, event)

Key Relationships:

User : Internal user entity (one-to-many with ExternalUser)
ExternalUser : Domain-scoped user identity (unique per rpId, linked to User)
Signer : WebAuthn credential/passkey (linked to ExternalUser, identified by credential ID)
Safe : Smart contract wallet (composite key: address + blockchainId, linked to Signer)
SafeOperation : User operation for Safe transactions (status: CREATED → SIGNED → EXECUTED → CONFIRMED)
Login : Authentication event log (tracks sign-in/sign-up events)

Sign Up Flow - Technical Details

Step 1: GET /v1.2/auth/sign-up

Creates User and ExternalUser records immediately
If passkeys=FALSE: Returns JWT tokens directly (no WebAuthn challenge)
If passkeys=TRUE: Generates WebAuthn registration options using generateRegistrationOptions() from @simplewebauthn/server
If email provided: Calls validateEmail() to send validation code
Stores signup state in Redis for POST /sign-up validation

Step 2: POST /v1.2/auth/sign-up

Verifies WebAuthn credential using verifyRegistrationResponse()
Creates database records in a transaction:
1. User record (if new user, UUID generated)
2. ExternalUser record (UUID, linked to User and Domain via rpId)
3. Signer record (credential ID as primary key, linked to ExternalUser)
4. Safe records (one per chainId, computed address via Safe4337Pack)
5. Login record (SIGNER type, SIGNUP event)
Deploys Safe wallets on-chain if not already deployed (via Safe4337Pack)
Registers Safe addresses with BCReader for balance/transaction monitoring
Subscribes to WebSocket updates for Safe addresses
Generates JWT tokens:
- access_token : JWT with issuer=rpId, audience=rpId, subject=externalUserId, expires_in=3600s
- refresh_token : JWT containing challenge, used to refresh access_token

Sign In Flow - Technical Details

Step 1: GET /v1.2/auth/sign-in

If no params: Retrieves existing Signer by credential ID, generates WebAuthn authentication options
If externalUserId provided: Returns JWT tokens directly (no challenge)
If email + externalUserId provided: Sends email validation code
Creates challenge stored in Redis with key ChallengeKey.AUTHENTICATION (if passkey flow)

Step 2: POST /v1.2/auth/sign-in

Verifies WebAuthn assertion using verifyAuthenticationResponse()
Validates challenge from Redis
Creates Login record (SIGNER type, SIGNIN event, linked to User, Signer, and Safe)
Checks User lock status (HARD lock throws FORBIDDEN)
Renews WebSocket subscriptions for all user's Safe addresses
Optionally pushes balance/transactions/userData via WebSocket if clients connected
Generates JWT tokens (same structure as sign-up)
May include optional fields: keyName, keyDisplayName, userOpHash, transactionHash

Refresh Token Flow - Technical Details

POST /v1.2/auth/refresh

Verifies refresh_token JWT (contains challenge, not user data)
Retrieves challenge from Redis to get userId
Creates new Login record (REFRESH_TOKEN type)
Generates new access_token and refresh_token (both replaced)
Uses same JWT structure as sign-in, but without Safe deployment logic

Recovery Flow - Technical Details

ENABLE_RECOVERY Operation

Creates a Safe user operation to deploy RecoveryModule (if not exists) or enable recovery
Uses MODULE_PROXY_FACTORY to deploy RecoveryModule via CREATE2
Encodes init parameters: owner, avatar, target (all = Safe address), cooldown, expiration
Stores personal data (firstName, lastName, birthDate, etc.) in Operation.data JSON field
Returns credentialRequestOptions with challenge = userOpHash (base64url encoded)
After signature (PUT), operation status becomes SIGNED, then EXECUTED by bundler, then CONFIRMED

CANCEL_RECOVERY Operation

Creates Safe user operation to call cancelRecovery() on RecoveryModule
Requires passkey signature to authorize cancellation

JWT Token Structure

Access Token Payload:

{
  "iss": "foo.domain",        // rpId (issuer)
  "aud": "foo.domain",        // rpId (audience)
  "sub": "<externalUserId>", // ExternalUser.id
  "roles": ["USER"],          // User role
  "iat": 1234567890,         // Issued at
  "exp": 1234571490          // Expires at (iat + 3600s)
}

Refresh Token Payload:

{
  "challenge": "<base64url>", // Challenge stored in Redis
  "iat": 1234567890,
  "exp": 1234571490
}

Safe Wallet Deployment

Address Computation:

Safe address is deterministically computed from signer's private key (derived from passkey)
Uses Safe4337Pack with threshold=1, owners=[] (single signer)
Address is computed before on-chain deployment (CREATE2 deterministic address)
Deployment happens lazily on first transaction, or explicitly during sign-up if chainIds provided

Multi-Chain Support:

Each chainId gets its own Safe address (same signer, different address per chain)
Safe composite key: (address, blockchainId)
Effective chain determined by: X-Blockchain-Id header → query.chainId → body.chainId → DEFAULT_CHAIN_ID

State Management

SafeOperation Status Flow:

CREATED : Operation created, awaiting passkey signature
SIGNED : Passkey signature received, operation ready for bundler
EXECUTED : Bundler submitted userOp to blockchain, awaiting confirmation
CONFIRMED : Sufficient block confirmations received (typically 1-2 blocks)
FAILED : Operation failed (bundler error, insufficient funds, etc.)

Status Transitions:

CREATED → SIGNED : Via PUT /v1.2/safes/operations with credential
SIGNED → EXECUTED : Automatic via bundler (ERC-4337 entrypoint)
EXECUTED → CONFIRMED : Automatic via cron job checking block confirmations

WebSocket Integration

Connection Flow:

Client connects to wss://api.ibex.fi/ws
Client sends auth message: { type: "auth", token: "<JWT>", clientName: "..." }
Server verifies JWT, extracts externalUserId and rpId
Server subscribes to BCReader WebSocket for all user's Safe addresses
Server sends initial data: balance_data, transaction_data, user_data, recovery_data
Server forwards BCReader updates: balance_update, new_transaction
Server sends IBEX-specific updates: user.ky.updated, user.iban.updated

Error Handling Patterns

401 Unauthorized : Invalid/expired JWT, missing Authorization header
403 Forbidden : User locked (HARD lock), insufficient permissions
400 Bad Request : Invalid parameters, missing required fields, invalid Safe address
404 Not Found : Safe address not found, externalUserId not found
409 Conflict : Challenge collision, duplicate nonce, concurrent operation
500 Internal Server Error : Database error, bundler error, upstream service error

Key Implementation Files

src/routes/v1.2/auth.ts : Enhanced authentication endpoints (v1.2) with multiple auth methods
src/routes/v1/auth.ts : Legacy authentication endpoints (v1) for backward compatibility
src/passkey.ts : WebAuthn verification, Safe deployment, multi-chain logic
src/routes/v1/safesOperations.ts : Safe operation preparation and execution
src/routes/websocket.ts : WebSocket connection handling and message routing
src/clients/IbexSafe.ts : Email validation functions (validateEmail, confirmEmail)
prisma/schema.prisma : Complete database schema definition

← Back to Main Guide