Stop misusing the MetaMask request access window

Stop misusing the MetaMask request access window

Since MetaMask released the update that included the Privacy Mode feature last year, all decentralized applications using the browser extension had to update the way they interact with their users, more specifically during the login process (if present).

MetaMask Privacy Mode overview

In short, the aforementioned update stopped exposing the MetaMask addresses of users by default, meaning dapps would have to request access to the user’s MetaMask vault before, well, getting said access to the addresses therein.

The purpose of this Privacy Mode feature was to lower the chances that a malicious dapp has to steal funds from a user’s MetaMask addresses. While a well intentioned update, it certainly caused a lot of confusion in the dapp industry as developers were not really sure how they would implement this new request for access workflow.

Poor UI & UX

The end result was many dapps instantly requesting access to a user’s MetaMask addresses as soon as they landed on the website. Now, after the GDPR was introduced in May 2018, all websites that went about to comply with the regulation certainly lost a degree of their user experience and overall aesthetic.

Intrusive consent bars, popups, and the more aggressive page blockers that do not allow access to the website until the user agrees to the terms have assuredly made the Internet a bit uglier.

We won’t go into any more details regarding the GDPR, but the situation after the MetaMask update has been roughly similar. As mentioned, developers, not knowing exactly what to do, began requesting instant access to a user’s MetaMask addresses.

This caused the request access popup to fire up as soon as the user landed on the website, which is, in my opinion, a big minus in overall dapp user experience.

Some examples include Uniswap and AdEx, but many more can be found just by doing a quick surf through the dapp sphere.

An elegant solution

Since we also have a dapp that is leveraging MetaMask as a way to interact with the Ethereum blockchain, we also had to adapt it to the Privacy Mode update.

TokenGen, the leading ICO automation tool, has been working with MetaMask since the very start and user interface and user experience is a core value of the tool. So, we couldn’t afford an ugly solution as portrayed in the previous section.

The way we did it was by splitting the login process into two steps:

  1. The user is required to give access to TokenGen to their MetaMask addresses.
  2. The user logs in into TokenGen by signing a unique message.

Here is a preview of what that looks like:

TokenGen login page

There are no intrusive popups showing up as soon as the user lands on the website. The request access window only shows once the user clicks the Connect button on the login page. And once access is approved they can move onto the second step of the login process.


We think that the way TokenGen has complied with the Privacy Mode update is a far better approach than the alternative touched upon in section 2 of this article as it does not negatively impact user experience in any way. In fact, it is quite the opposite – the user can easily see that they are in control of the workflow of the dapp instead of being forced to give access to their MetaMask vault before even having a chance to look around.