Wasabee Niantic Community Verification - wasabee-project/Wasabee-IITC GitHub Wiki

Verifying your Ingress Name in Wasabee using the Niantic Community

a.k.a. why are people posting random garbage to the Niantic Community?

Niantic does not provide a mechanism to determine who someone is in Ingress; there is no API for this. Wasabee cannot know who you are in Ingress unless you tell us -- and we would be a fool to trust you if you just told us. So Wasabee provides several mechanisms for determining your in-game agent name (IGN). The most reliable and accurate (in our opinion) is verifying your Niantic Community account by posting a secure token generated by Wasabee and having Wasabee verify it. This gives us reasonable assurance that you are who you say you are.

Technically it assures us that at least one person who controls a given Google account also controls a given Niantic Community account. This is good enough for our purposes.

How to verify your Niantic Community account with Wasabee

Using the WebUI

  1. Log in to the WebUI
  2. Switch to the settings tab.
  3. Put in your Ingress agent name (using the exact spelling and capitalization as in-game!)
  4. Click the "Get Proof" button.
  5. Copy the entire block generated
  6. Post that block at the Ingress Community's Activity feed
  7. Switch back to the WebUI and click the "Verify activity post" button.

Using the Wasabee-Mobile App

  1. Log in the mobile app
  2. You should be prompted with the "Agent Community Verification" program (if you didn't ticked the "Don't show again" thing). If you did, go to your profile, and click on "Link Ingress account" button
  3. Follow the step-by step guide in-app

Just in case, here is what you have to do:

  1. Fill in your agent name (using the exact spelling and capitalization as in-game!)
  2. Copy the token
  3. Open the Ingress Community's Activity feed with the button and post the token
  4. Go back to the app and click on "Verify me"
  5. If all is good, the app will tell you that your profile is now displaying a '🐝' next to your Agent name

Background and History

In December 2021, we noticed that many people were posting short codes to the Niantic Community and figured out that this was to verify people at Banergress. Wasabee-Mobile lead fisher01 prompted the dev team to build a similar solution. Wasabee-Server lead, deviousness, thought it was a dumb idea. fisher01 and Wasabee-IITC chief, LeJeu convinced him otherwise. Within 48 hours the team had built a solution modeled on Bannergress's good idea, but made even more secure by the use of strong cryptographic signatures.

I was told never to post an API key or Security Token

Yes. That's true. The verification token isn't either of those things. Because of how the values in the token are encoded, it can't be used to log in anywhere. The token is designed to be posted publicly. You can paste the token into the jwt.io debugger or jwt.ms and see its contents. It has the name you are claiming to be and your google ID (not a protected value; many google APIs expose this publicly).

This leaks Google IDs (GIDs)!

Yes. GIDs are not secure/private values. There is no reason to hide your GID since Google exposes it in many of its APIs.

Can I delete the post after verification?

Yes. Once you are verified, you can safely delete it.

How secure is this?

It gives us a strong assurance that the person who controls the Google ID used to generate the token is the same person who controls the Niantic Community account. If people are sharing either account, or if someone forgets to log out of one of the accounts from a public terminal, then it could be tricked. But, if you are forgetting to log out of a public terminal, then your Ingress account is probably your least worry.

Are there any potential drawbacks to this?

Yes. In theory a third-party could also read the tokens to develop a list of known Wasabee users by their IGN and GID. That is, RES could use this info to know that you are ENL.

Booya! I changed the values in jwt.io and am going to post the modified token!

OK, good luck with that. I won't try to explain cryptographic signatures to you.

I have a different Ingress related program, can I use your tokens?

Yes. We put the JKU in the token for that reason. If you want to trust our signature, go right ahead.