Codes / Passwords

Password / code-based (or any) claims are simply Merkle Challenges where the leaves of the Merkle tree are unique codes generated by the claim creator (and thus known only to the claim creator and kept private). The claim creator then distributes the codes (leaves) to the users they want to receive the badges / be approved. To claim badges, a claimee provides a valid Merkle path with their unique code as the leaf.

Who stores the codes?

If created through the BitBadges website / indexer, the codes are stored on BitBadges' private, centralized servers and handed out accordingly. This allows us to distribute them as necessary and eliminates any storage requirement for the creator. Codes / passwords can be fetched by the manager at any time.

Note that this is provided for ease of use but also introduces another centralized trust factor. You always have the option to self-store and distribute your own codes and passwords / implement your own Merkle Challenges.

How are password claims implemented?

Distribution of codes can be done via many methods, including via a centralized password solution. For simplicity, a password means only one reusable value needs to be distributed to all users, instead of unique codes.

However, passwords cannot be implemented in a straightforward way on the blockchain, because the chain is public and a password would be prone to replay attacks: if we used the password directly on-chain, it would be public to anyone after its first use. Behind the scenes, for password claims, we therefore still create N unique codes via a MerkleChallenge, but distribute them (one per address) to whoever enters the correct password.

This password distribution process thus involves a centralized third party, which is the BitBadges indexer / API in this case. We will store the codes and distribute them to whichever users enter the correct password.
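
The following sketch is an added example, not BitBadges' own code. It shows a creator building a Merkle tree over private one-time codes, a claimee presenting a code with its Merkle path, and a verifier that knows only the root rejecting a replayed code. The prefixed SHA-256 hashing layout and the names `buildLevels`, `getProof` and `makeChallenge` are assumptions for illustration, not the on-chain format.

```javascript
// Added example; the 0x00/0x01-prefixed SHA-256 layout is an assumption, not the on-chain format.
const crypto = require("node:crypto");
const sha256 = (...parts) => crypto.createHash("sha256").update(Buffer.concat(parts)).digest();
// Domain-separate leaves from inner nodes so an inner node hash can never pass as a code.
const leafHash = (code) => sha256(Buffer.from([0]), Buffer.from(code, "utf8"));
const nodeHash = (left, right) => sha256(Buffer.from([1]), left, right);

// Creator side: build every tree level bottom-up; an unpaired node is promoted unchanged.
function buildLevels(codes) {
  const levels = [codes.map(leafHash)];
  while (levels[levels.length - 1].length > 1) {
    const prev = levels[levels.length - 1];
    const next = [];
    for (let i = 0; i < prev.length; i += 2)
      next.push(i + 1 < prev.length ? nodeHash(prev[i], prev[i + 1]) : prev[i]);
    levels.push(next);
  }
  return levels;
}

// Merkle path for the leaf at `index`: each sibling hash and the side it sits on.
function getProof(levels, index) {
  const proof = [];
  for (let d = 0; d < levels.length - 1; d++, index >>= 1) {
    const sib = index ^ 1;
    if (sib < levels[d].length) proof.push({ hash: levels[d][sib], left: sib < index });
  }
  return proof;
}

// Verifier side: holds only the public root plus the set of leaves already claimed.
function makeChallenge(root) {
  const used = new Set();
  return function claim(code, proof) {
    const leaf = leafHash(code);
    const computed = proof.reduce(
      (h, s) => (s.left ? nodeHash(s.hash, h) : nodeHash(h, s.hash)), leaf);
    if (!computed.equals(root)) return "invalid";
    const key = leaf.toString("hex");
    if (used.has(key)) return "already-used"; // a code is public once submitted, so reject replays
    used.add(key);
    return "ok";
  };
}

// Constructed sample: five random codes kept private by the creator; only the root is published.
const codes = Array.from({ length: 5 }, () => crypto.randomBytes(16).toString("hex"));
const levels = buildLevels(codes);
const claim = makeChallenge(levels[levels.length - 1][0]);
```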
