The Clubcard hosted access flow is the core thing that you’ll use to request and grant someone access to your app, website, or community. You initiate an access flow from your application and redirect the customer to a unique URL hosted by Clubcard.

Clubcard will then take care of asking the user to connect a wallet, and will (optionally) verify if the connected wallet owns certain NFTs you set up to be required to get access. The user is asked to prove ownership of the wallet by signing a Sign In With Ethereum message.

Clubcard will then redirect back to a URL you defined when initiating the access flow. You can then fetch the access flow’s final status by using our API or by receiving a webhook.

This is what the access flow typically looks like from your user’s perspective.

1. An initial screen shows your description and profile name so the user knows what they are requesting access to.

2. The user connects their wallet and account address.

3. The access flow shows any owned NFTs that meet the requirements and are eligible to continue with.

4. The access flow asks the user to sign a Sign In With Ethereum login message to prove they own the connected wallet.

1. Create an AccessIntent

An access flow is initiated by creating an AccessIntent object via the API. The AccessIntent object controls what the user sees, what NFTs they need to own, and is used to track if someone successfully “signed in” or when the access flow was canceled or expired.

To begin, create an AccessIntent on your server (or cloud function) with a description, a profile_name, and return_url attributes.

curl https://app.clubcard.dev/api/v1/access_intents \
  -H 'Content-Type: application/json' \
  -d '{"description": "Log in to Clubcard with your wallet",
      "profile_name": "Clubcard",
      "return_url": "https://www.clubcard.dev"}'

You’ll get a JSON object back that contains the AccessIntent object id and the redirect_url:

{
  "id":"ai_wiE5k5hUku54Unx6z7srD8HW",
  "description":"Log in to Clubcard with your wallet",
  "profile_name":"Clubcard",
  "return_url":"https://www.clubcard.dev",
  "access_list":[],
  "status":"requires_wallet",
  "created_at":"2021-12-23T00:22:17.869Z",
  "updated_at":"2021-12-23T00:22:17.869Z",
  "redirect_url":"https://app.clubcard.dev/a/wiE5k5hUku54Unx6z7srD8HW"
}

Defining an access_list for specific NFTs

If you want to limit access to wallets owning certain NFTs you can do so by adding an access_list attribute, which is an array with JSON objects defining contracts and tokens.

curl https://app.clubcard.dev/api/v1/access_intents \
  -H 'Content-Type: application/json' \
  -d '{"description": "Access to RareBlocks Bonus",
      "profile_name": "Clubcard",
      "return_url": "https://rareblocks.xyz",
      "access_list": [
        {
          "contract_address": "0x1bb191e56206e11b14117711C333CC18b9861262"
        }
      ]}'

The access_list in this sample will give access to any wallet that owns one or multiple of the Rareblocks Full Access Pass NFT at contract address 0x1bb191e56206e11b14117711C333CC18b9861262.

If you want to limit even further to specific token IDs you can also add an array with token_ids to the access_list:

curl https://app.clubcard.dev/api/v1/access_intents \
  -H 'Content-Type: application/json' \
  -d '{"description": "Access to RareBlocks Bonus",
      "profile_name": "Clubcard",
      "return_url": "https://rareblocks.xyz",
      "access_list": [
        {
          "contract_address": "0x1bb191e56206e11b14117711C333CC18b9861262",
          "token_ids": ["100", "105"]
        }
      ]}'

This sample would only allow a wallet that specifically owns tokens 100 and 105 of the Rareblocks Full Access Pass NFT at address 0x1bb191e56206e11b14117711C333CC18b9861262.
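
The access_list decides who gets in, so a mistyped contract address or token ID changes the gate itself. The following is an added example, not Clubcard's own code: it builds the request body shown above with server-side validation and checks the returned redirect_url before the user is sent to it. The function names, the https-only return_url policy and the expected host app.clubcard.dev (taken from the sample response) are assumptions of this example.

```python
import json
import re
from urllib.parse import urlsplit

HOSTED_FLOW_HOST = "app.clubcard.dev"  # assumption: host seen in the page's sample redirect_url
ADDRESS = re.compile(r"0x[0-9a-fA-F]{40}")
TOKEN_ID = re.compile(r"[0-9]+")

# Response body copied from the sample on this page (trimmed to the fields used here).
SAMPLE_RESPONSE = json.dumps({
    "id": "ai_wiE5k5hUku54Unx6z7srD8HW",
    "status": "requires_wallet",
    "redirect_url": "https://app.clubcard.dev/a/wiE5k5hUku54Unx6z7srD8HW",
})


def build_access_intent(description, profile_name, return_url, access_list=()):
    """Return the JSON request body for an AccessIntent, or raise ValueError."""
    target = urlsplit(return_url)
    if target.scheme != "https" or not target.hostname:  # policy choice of this example
        raise ValueError("return_url must be an absolute https URL")
    entries = []
    for item in access_list:
        address = item.get("contract_address", "")
        if not ADDRESS.fullmatch(address):
            raise ValueError(f"not a contract address: {address!r}")
        entry = {"contract_address": address}
        if "token_ids" in item:
            # The page sends token IDs as decimal strings, e.g. ["100", "105"].
            ids = [str(t) for t in item["token_ids"]]
            if not ids or not all(TOKEN_ID.fullmatch(t) for t in ids):
                raise ValueError(f"token_ids must be decimal: {ids!r}")
            entry["token_ids"] = ids
        entries.append(entry)
    body = {"description": description, "profile_name": profile_name,
            "return_url": return_url}
    if entries:
        body["access_list"] = entries
    return json.dumps(body)


def hosted_flow_url(response_text):
    """Return (id, redirect_url) from the API response, refusing other hosts."""
    intent = json.loads(response_text)
    url = urlsplit(intent["redirect_url"])
    if url.scheme != "https" or url.hostname != HOSTED_FLOW_HOST:
        raise ValueError("redirect_url is not on the hosted access flow host")
    return intent["id"], intent["redirect_url"]
```

Send the string from build_access_intent as the -d body of the request shown above, and store the returned id so the status can be looked up when the user comes back.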

2. Redirect your user