@aptos-labs/ts-sdk 1.16.0 → 1.17.0-zeta.1

package/dist/esm/utils/apiEndpoints.d.mts

@@ -1,6 +1,8 @@
 declare const NetworkToIndexerAPI: Record<string, string>;
 declare const NetworkToNodeAPI: Record<string, string>;
 declare const NetworkToFaucetAPI: Record<string, string>;
+declare const NetworkToPepperAPI: Record<string, string>;
+declare const NetworkToProverAPI: Record<string, string>;
 declare enum Network {
     MAINNET = "mainnet",
     TESTNET = "testnet",
@@ -11,4 +13,4 @@ declare enum Network {
 declare const NetworkToChainId: Record<string, number>;
 declare const NetworkToNetworkName: Record<string, Network>;
 
-export { Network, NetworkToChainId, NetworkToFaucetAPI, NetworkToIndexerAPI, NetworkToNetworkName, NetworkToNodeAPI };
+export { Network, NetworkToChainId, NetworkToFaucetAPI, NetworkToIndexerAPI, NetworkToNetworkName, NetworkToNodeAPI, NetworkToPepperAPI, NetworkToProverAPI };

package/dist/esm/utils/apiEndpoints.mjs

@@ -1,2 +1,2 @@
-import{a,b,c,d,e,f}from"../chunk-HYCGMFC2.mjs";import"../chunk-FVA2OPG4.mjs";export{d as Network,e as NetworkToChainId,c as NetworkToFaucetAPI,a as NetworkToIndexerAPI,f as NetworkToNetworkName,b as NetworkToNodeAPI};
+import{a,b,c,d,e,f,g,h}from"../chunk-SCHZ67F3.mjs";import"../chunk-FVA2OPG4.mjs";export{f as Network,g as NetworkToChainId,c as NetworkToFaucetAPI,a as NetworkToIndexerAPI,h as NetworkToNetworkName,b as NetworkToNodeAPI,d as NetworkToPepperAPI,e as NetworkToProverAPI};
 //# sourceMappingURL=apiEndpoints.mjs.map

package/dist/esm/utils/const.d.mts

@@ -4,7 +4,9 @@
 declare enum AptosApiType {
     FULLNODE = "Fullnode",
     INDEXER = "Indexer",
-    FAUCET = "Faucet"
+    FAUCET = "Faucet",
+    PEPPER = "Pepper",
+    PROVER = "Prover"
 }
 /**
  * The default max gas amount when none is given.

package/dist/esm/utils/const.mjs

@@ -1,2 +1,2 @@
-import{a,b,c,d,e,f,g,h}from"../chunk-CYNQRMO5.mjs";import"../chunk-FVA2OPG4.mjs";export{e as APTOS_COIN,a as AptosApiType,b as DEFAULT_MAX_GAS_AMOUNT,c as DEFAULT_TXN_EXP_SEC_FROM_NOW,d as DEFAULT_TXN_TIMEOUT_SEC,h as ProcessorType,f as RAW_TRANSACTION_SALT,g as RAW_TRANSACTION_WITH_DATA_SALT};
+import{a,b,c,d,e,f,g,h}from"../chunk-YE5B2S5L.mjs";import"../chunk-FVA2OPG4.mjs";export{e as APTOS_COIN,a as AptosApiType,b as DEFAULT_MAX_GAS_AMOUNT,c as DEFAULT_TXN_EXP_SEC_FROM_NOW,d as DEFAULT_TXN_TIMEOUT_SEC,h as ProcessorType,f as RAW_TRANSACTION_SALT,g as RAW_TRANSACTION_WITH_DATA_SALT};
 //# sourceMappingURL=const.mjs.map

package/dist/esm/utils/helpers.d.mts

@@ -3,5 +3,8 @@
  * @param timeMs time in milliseconds to sleep
  */
 declare function sleep(timeMs: number): Promise<null>;
+declare const nowInSeconds: () => number;
+declare function floorToWholeHour(timestampInSeconds: number): number;
+declare function base64UrlDecode(base64Url: string): string;
 
-export { sleep };
+export { base64UrlDecode, floorToWholeHour, nowInSeconds, sleep };

package/dist/esm/utils/helpers.mjs

@@ -1,2 +1,2 @@
-import{a}from"../chunk-3JPVQHOR.mjs";import"../chunk-FVA2OPG4.mjs";export{a as sleep};
+import{a,b,c,d}from"../chunk-YTQVMLFD.mjs";import"../chunk-FVA2OPG4.mjs";export{d as base64UrlDecode,c as floorToWholeHour,b as nowInSeconds,a as sleep};
 //# sourceMappingURL=helpers.mjs.map

package/dist/esm/utils/index.d.mts

@@ -1,4 +1,4 @@
-export { Network, NetworkToChainId, NetworkToFaucetAPI, NetworkToIndexerAPI, NetworkToNetworkName, NetworkToNodeAPI } from './apiEndpoints.mjs';
+export { Network, NetworkToChainId, NetworkToFaucetAPI, NetworkToIndexerAPI, NetworkToNetworkName, NetworkToNodeAPI, NetworkToPepperAPI, NetworkToProverAPI } from './apiEndpoints.mjs';
 export { APTOS_COIN, AptosApiType, DEFAULT_MAX_GAS_AMOUNT, DEFAULT_TXN_EXP_SEC_FROM_NOW, DEFAULT_TXN_TIMEOUT_SEC, ProcessorType, RAW_TRANSACTION_SALT, RAW_TRANSACTION_WITH_DATA_SALT } from './const.mjs';
 export { DeserializableClass, normalizeBundle } from './normalizeBundle.mjs';
 import '../bcs/deserializer.mjs';

package/dist/esm/utils/index.mjs

@@ -1,2 +1,2 @@
-import"../chunk-GED6IT3S.mjs";import{a as o}from"../chunk-ROXFCLDT.mjs";import{a as i,b as j,c as k,d as l,e as m,f as n}from"../chunk-HYCGMFC2.mjs";import{a,b,c,d,e,f,g,h}from"../chunk-CYNQRMO5.mjs";import"../chunk-FZY4PMEE.mjs";import"../chunk-YJIRT3GJ.mjs";import"../chunk-5NSXEM3O.mjs";import"../chunk-FNKDXPPQ.mjs";import"../chunk-2XVDVF5C.mjs";import"../chunk-6IFMQ5AS.mjs";import"../chunk-OWW6SIDP.mjs";import"../chunk-4WPQQPUF.mjs";import"../chunk-4KMISR2H.mjs";import"../chunk-56CNRT2K.mjs";import"../chunk-BCUSI3N6.mjs";import"../chunk-LG7RJQ57.mjs";import"../chunk-FVA2OPG4.mjs";export{e as APTOS_COIN,a as AptosApiType,b as DEFAULT_MAX_GAS_AMOUNT,c as DEFAULT_TXN_EXP_SEC_FROM_NOW,d as DEFAULT_TXN_TIMEOUT_SEC,l as Network,m as NetworkToChainId,k as NetworkToFaucetAPI,i as NetworkToIndexerAPI,n as NetworkToNetworkName,j as NetworkToNodeAPI,h as ProcessorType,f as RAW_TRANSACTION_SALT,g as RAW_TRANSACTION_WITH_DATA_SALT,o as normalizeBundle};
+import"../chunk-GED6IT3S.mjs";import{a as q}from"../chunk-3RJZNUCQ.mjs";import"../chunk-FZY4PMEE.mjs";import"../chunk-GRHLQDHF.mjs";import"../chunk-7BW2N4IE.mjs";import"../chunk-FGGRPEQ3.mjs";import"../chunk-IBN7ETCB.mjs";import"../chunk-Q6LFIZ3L.mjs";import"../chunk-4WPQQPUF.mjs";import"../chunk-3IFR6T3V.mjs";import"../chunk-UMLUOYFK.mjs";import"../chunk-AOCNYMMX.mjs";import"../chunk-FBPNHF54.mjs";import"../chunk-56CNRT2K.mjs";import{a,b,c,d,e,f,g,h}from"../chunk-SCHZ67F3.mjs";import{a as i,b as j,c as k,d as l,e as m,f as n,g as o,h as p}from"../chunk-YE5B2S5L.mjs";import"../chunk-FVA2OPG4.mjs";export{m as APTOS_COIN,i as AptosApiType,j as DEFAULT_MAX_GAS_AMOUNT,k as DEFAULT_TXN_EXP_SEC_FROM_NOW,l as DEFAULT_TXN_TIMEOUT_SEC,f as Network,g as NetworkToChainId,c as NetworkToFaucetAPI,a as NetworkToIndexerAPI,h as NetworkToNetworkName,b as NetworkToNodeAPI,d as NetworkToPepperAPI,e as NetworkToProverAPI,p as ProcessorType,n as RAW_TRANSACTION_SALT,o as RAW_TRANSACTION_WITH_DATA_SALT,q as normalizeBundle};
 //# sourceMappingURL=index.mjs.map

package/dist/esm/utils/normalizeBundle.mjs

@@ -1,2 +1,2 @@
-import{a}from"../chunk-ROXFCLDT.mjs";import"../chunk-FZY4PMEE.mjs";import"../chunk-YJIRT3GJ.mjs";import"../chunk-5NSXEM3O.mjs";import"../chunk-FNKDXPPQ.mjs";import"../chunk-2XVDVF5C.mjs";import"../chunk-6IFMQ5AS.mjs";import"../chunk-OWW6SIDP.mjs";import"../chunk-4WPQQPUF.mjs";import"../chunk-4KMISR2H.mjs";import"../chunk-56CNRT2K.mjs";import"../chunk-BCUSI3N6.mjs";import"../chunk-LG7RJQ57.mjs";import"../chunk-FVA2OPG4.mjs";export{a as normalizeBundle};
+import{a}from"../chunk-3RJZNUCQ.mjs";import"../chunk-FZY4PMEE.mjs";import"../chunk-GRHLQDHF.mjs";import"../chunk-7BW2N4IE.mjs";import"../chunk-FGGRPEQ3.mjs";import"../chunk-IBN7ETCB.mjs";import"../chunk-Q6LFIZ3L.mjs";import"../chunk-4WPQQPUF.mjs";import"../chunk-3IFR6T3V.mjs";import"../chunk-UMLUOYFK.mjs";import"../chunk-AOCNYMMX.mjs";import"../chunk-FBPNHF54.mjs";import"../chunk-56CNRT2K.mjs";import"../chunk-FVA2OPG4.mjs";export{a as normalizeBundle};
 //# sourceMappingURL=normalizeBundle.mjs.map

package/dist/esm/version.d.mts

@@ -3,6 +3,6 @@
  *
  * hardcoded for now, we would want to have it injected dynamically
  */
-declare const VERSION = "1.16.0";
+declare const VERSION = "1.17.0";
 
 export { VERSION };

package/dist/esm/version.mjs

@@ -1,2 +1,2 @@
-import{a}from"./chunk-NYXLPBKE.mjs";import"./chunk-FVA2OPG4.mjs";export{a as VERSION};
+import{a}from"./chunk-4BJA3QUQ.mjs";import"./chunk-FVA2OPG4.mjs";export{a as VERSION};
 //# sourceMappingURL=version.mjs.map

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@aptos-labs/ts-sdk",
   "description": "Aptos TypeScript SDK",
-  "packageManager": "pnpm@8.9.0",
+  "packageManager": "pnpm@9.1.4",
   "license": "Apache-2.0",
   "engines": {
     "node": ">=11.0.0"
@@ -48,13 +48,17 @@
   },
   "dependencies": {
     "@aptos-labs/aptos-client": "^0.1.0",
-    "@aptos-labs/aptos-cli": "^0.1.8",
+    "@aptos-labs/aptos-cli": "^0.1.2",
     "@noble/curves": "^1.4.0",
     "@noble/hashes": "^1.4.0",
     "@scure/bip32": "^1.4.0",
     "@scure/bip39": "^1.3.0",
+    "eventemitter3": "^5.0.1",
     "form-data": "^4.0.0",
-    "eventemitter3": "^5.0.1"
+    "jose": "^5.1.3",
+    "js-base64": "^3.7.7",
+    "jwt-decode": "^4.0.0",
+    "poseidon-lite": "^0.2.0"
   },
   "devDependencies": {
     "@babel/traverse": "^7.23.6",
@@ -63,7 +67,9 @@
     "@graphql-codegen/typescript": "^4.0.1",
     "@graphql-codegen/typescript-graphql-request": "^6.0.1",
     "@graphql-codegen/typescript-operations": "^4.0.1",
+    "@types/base-64": "^1.0.2",
     "@types/jest": "^29.5.11",
+    "@types/jsonwebtoken": "^9.0.6",
     "@types/node": "^20.10.4",
     "@typescript-eslint/eslint-plugin": "^6.14.0",
     "@typescript-eslint/parser": "^6.14.0",
@@ -76,6 +82,7 @@
     "graphql": "^16.8.1",
     "graphql-request": "^6.1.0",
     "jest": "^29.7.0",
+    "jsonwebtoken": "^9.0.2",
     "prettier": "^3.1.1",
     "tree-kill": "^1.2.2",
     "ts-jest": "^29.1.1",
@@ -85,5 +92,5 @@
     "typedoc": "^0.25.4",
     "typescript": "^5.3.3"
   },
-  "version": "1.16.0"
+  "version": "1.17.0-zeta.1"
 }

package/src/account/EphemeralKeyPair.ts

@@ -0,0 +1,158 @@
+// Copyright © Aptos Foundation
+// SPDX-License-Identifier: Apache-2.0
+
+import { randomBytes } from "@noble/hashes/utils";
+
+import { Ed25519PrivateKey, EphemeralPublicKey, EphemeralSignature, PrivateKey } from "../core/crypto";
+import { Hex } from "../core/hex";
+import { bytesToBigIntLE, padAndPackBytesWithLen, poseidonHash } from "../core/crypto/poseidon";
+import { EphemeralPublicKeyVariant, HexInput } from "../types";
+import { Deserializer, Serializable, Serializer } from "../bcs";
+import { floorToWholeHour, nowInSeconds } from "../utils/helpers";
+
+const TWO_WEEKS_IN_SECONDS = 1_209_600;
+
+/**
+ * A class which contains a key pair that is used in signing transactions via the Keyless authentication scheme. This key pair
+ * is ephemeral and has an expiration time.  For more details on how this class is used -
+ * https://aptos.dev/guides/keyless-accounts/#1-present-the-user-with-a-sign-in-with-idp-button-on-the-ui
+ */
+export class EphemeralKeyPair extends Serializable {
+  static readonly BLINDER_LENGTH: number = 31;
+
+  /**
+   * A byte array of length BLINDER_LENGTH used to obfuscate the public key from the IdP.
+   * Used in calculating the nonce passed to the IdP and as a secret witness in proof generation.
+   */
+  readonly blinder: Uint8Array;
+
+  /**
+   * A timestamp in seconds indicating when the ephemeral key pair is expired.  After expiry, a new
+   * EphemeralKeyPair must be generated and a new JWT needs to be created.
+   */
+  readonly expiryDateSecs: number;
+
+  /**
+   * The value passed to the IdP when the user authenticates.  It comprises of a hash of the
+   * ephermeral public key, expiry date, and blinder.
+   */
+  readonly nonce: string;
+
+  /**
+   * A private key used to sign transactions.  This private key is not tied to any account on the chain as it
+   * is ephemeral (not permanent) in nature.
+   */
+  private privateKey: PrivateKey;
+
+  /**
+   * A public key used to verify transactions.  This public key is not tied to any account on the chain as it
+   * is ephemeral (not permanent) in nature.
+   */
+  private publicKey: EphemeralPublicKey;
+
+  constructor(args: { privateKey: PrivateKey; expiryDateSecs?: number; blinder?: HexInput }) {
+    super();
+    const { privateKey, expiryDateSecs, blinder } = args;
+    this.privateKey = privateKey;
+    this.publicKey = new EphemeralPublicKey(privateKey.publicKey());
+    // By default, we set the expiry date to be two weeks in the future floored to the nearest hour
+    this.expiryDateSecs = expiryDateSecs || floorToWholeHour(nowInSeconds() + TWO_WEEKS_IN_SECONDS);
+    // Generate the blinder if not provided
+    this.blinder = blinder !== undefined ? Hex.fromHexInput(blinder).toUint8Array() : generateBlinder();
+    // Calculate the nonce
+    this.nonce = this.generateNonce();
+  }
+
+  /**
+   * Returns the public key of the key pair.
+   * @return EphemeralPublicKey
+   */
+  getPublicKey(): EphemeralPublicKey {
+    return this.publicKey;
+  }
+
+  /**
+   * Returns the public key of the key pair.
+   * @return boolean
+   */
+  isExpired(): boolean {
+    const currentTimeSecs: number = Math.floor(Date.now() / 1000);
+    return currentTimeSecs > this.expiryDateSecs;
+  }
+
+  serialize(serializer: Serializer): void {
+    serializer.serializeU32AsUleb128(this.publicKey.variant);
+    serializer.serializeBytes(this.privateKey.toUint8Array());
+    serializer.serializeU64(this.expiryDateSecs);
+    serializer.serializeFixedBytes(this.blinder);
+  }
+
+  static deserialize(deserializer: Deserializer): EphemeralKeyPair {
+    const variantIndex = deserializer.deserializeUleb128AsU32();
+    let privateKey: PrivateKey;
+    switch (variantIndex) {
+      case EphemeralPublicKeyVariant.Ed25519:
+        privateKey = Ed25519PrivateKey.deserialize(deserializer);
+        break;
+      default:
+        throw new Error(`Unknown variant index for EphemeralPublicKey: ${variantIndex}`);
+    }
+    const expiryDateSecs = deserializer.deserializeU64();
+    const blinder = deserializer.deserializeFixedBytes(31);
+    return new EphemeralKeyPair({ privateKey, expiryDateSecs: Number(expiryDateSecs), blinder });
+  }
+
+  static fromBytes(bytes: Uint8Array): EphemeralKeyPair {
+    return EphemeralKeyPair.deserialize(new Deserializer(bytes));
+  }
+
+  /**
+   * Returns the public key of the key pair.
+   * @param scheme the type of keypair to use for the EphemeralKeyPair.  Only Ed25519 supported for now.
+   * @param expiryDateSecs the date of expiry.
+   * @return boolean
+   */
+  static generate(args?: { scheme?: EphemeralPublicKeyVariant; expiryDateSecs?: number }): EphemeralKeyPair {
+    let privateKey: PrivateKey;
+
+    switch (args?.scheme) {
+      case EphemeralPublicKeyVariant.Ed25519:
+      default:
+        privateKey = Ed25519PrivateKey.generate();
+    }
+
+    return new EphemeralKeyPair({ privateKey, expiryDateSecs: args?.expiryDateSecs });
+  }
+
+  /**
+   * From the ephemeral public key, expiry timestamp, and blinder, calculate the nonce to be used at authentication via OIDC.
+   * @returns string
+   */
+  private generateNonce(): string {
+    const fields = padAndPackBytesWithLen(this.publicKey.bcsToBytes(), 93);
+    fields.push(BigInt(this.expiryDateSecs));
+    fields.push(bytesToBigIntLE(this.blinder));
+    const nonceHash = poseidonHash(fields);
+    return nonceHash.toString();
+  }
+
+  /**
+   * Sign the given message with the private key.
+   * @param data in HexInput format
+   * @returns EphemeralSignature
+   */
+  sign(data: HexInput): EphemeralSignature {
+    if (this.isExpired()) {
+      throw new Error("EphemeralKeyPair has expired");
+    }
+    return new EphemeralSignature(this.privateKey.sign(data));
+  }
+}
+
+/**
+ * Generates a random byte array of length EphemeralKeyPair.BLINDER_LENGTH
+ * @returns Uint8Array
+ */
+function generateBlinder(): Uint8Array {
+  return randomBytes(EphemeralKeyPair.BLINDER_LENGTH);
+}

package/src/account/KeylessAccount.ts

@@ -0,0 +1,360 @@
+// Copyright © Aptos Foundation
+// SPDX-License-Identifier: Apache-2.0
+
+import { JwtPayload, jwtDecode } from "jwt-decode";
+import EventEmitter from "eventemitter3";
+import { EphemeralCertificateVariant, HexInput, SigningScheme } from "../types";
+import { AccountAddress } from "../core/accountAddress";
+import {
+  AnyPublicKey,
+  AnySignature,
+  KeylessPublicKey,
+  KeylessSignature,
+  EphemeralCertificate,
+  Signature,
+  ZeroKnowledgeSig,
+  ZkProof,
+} from "../core/crypto";
+
+import { Account } from "./Account";
+import { EphemeralKeyPair } from "./EphemeralKeyPair";
+import { Hex } from "../core/hex";
+import { AccountAuthenticatorSingleKey } from "../transactions/authenticator/account";
+import { Deserializer, Serializable, Serializer } from "../bcs";
+import { deriveTransactionType } from "../transactions/transactionBuilder/signingMessage";
+import { AnyRawTransaction, AnyRawTransactionInstance } from "../transactions/types";
+import { AptsoDomainSeparator, CryptoHashable } from "../core/crypto/cryptoHashable";
+import { base64UrlDecode } from "../utils/helpers";
+
+/**
+ * Account implementation for the Keyless authentication scheme.
+ *
+ * Used to represent a Keyless based account and sign transactions with it.
+ *
+ * Use KeylessAccount.fromJWTAndProof to instantiate a KeylessAccount with a JWT, proof and EphemeralKeyPair.
+ *
+ * When the proof expires or the JWT becomes invalid, the KeylessAccount must be instantiated again with a new JWT,
+ * EphemeralKeyPair, and corresponding proof.
+ */
+export class KeylessAccount extends Serializable implements Account {
+  static readonly PEPPER_LENGTH: number = 31;
+
+  /**
+   * The KeylessPublicKey associated with the account
+   */
+  readonly publicKey: KeylessPublicKey;
+
+  /**
+   * The EphemeralKeyPair used to generate sign.
+   */
+  readonly ephemeralKeyPair: EphemeralKeyPair;
+
+  /**
+   * The claim on the JWT to identify a user.  This is typically 'sub' or 'email'.
+   */
+  readonly uidKey: string;
+
+  /**
+   * The value of the uidKey claim on the JWT.  This intended to be a stable user identifier.
+   */
+  readonly uidVal: string;
+
+  /**
+   * The value of the 'aud' claim on the JWT, also known as client ID.  This is the identifier for the dApp's
+   * OIDC registration with the identity provider.
+   */
+  readonly aud: string;
+
+  /**
+   * A value contains 31 bytes of entropy that preserves privacy of the account. Typically fetched from a pepper provider.
+   */
+  readonly pepper: Uint8Array;
+
+  /**
+   * Account address associated with the account
+   */
+  readonly accountAddress: AccountAddress;
+
+  /**
+   * The zero knowledge signature (if ready) which contains the proof used to validate the EphemeralKeyPair.
+   */
+  proof: ZeroKnowledgeSig | undefined;
+
+  /**
+   * The proof of the EphemeralKeyPair or a promise that provides the proof.  This is used to allow for awaiting on
+   * fetching the proof.
+   */
+  readonly proofOrPromise: ZeroKnowledgeSig | Promise<ZeroKnowledgeSig>;
+
+  /**
+   * Signing scheme used to sign transactions
+   */
+  readonly signingScheme: SigningScheme;
+
+  /**
+   * The JWT token used to derive the account
+   */
+  readonly jwt: string;
+
+  /**
+   * An event emitter used to assist in handling asycronous proof fetching.
+   */
+  private readonly emitter: EventEmitter<ProofFetchEvents>;
+
+  constructor(args: {
+    address?: AccountAddress;
+    ephemeralKeyPair: EphemeralKeyPair;
+    iss: string;
+    uidKey: string;
+    uidVal: string;
+    aud: string;
+    pepper: HexInput;
+    proofOrFetcher: ZeroKnowledgeSig | Promise<ZeroKnowledgeSig>;
+    proofFetchCallback?: ProofFetchCallback;
+    jwt: string;
+  }) {
+    super();
+    const { address, ephemeralKeyPair, uidKey, uidVal, aud, pepper, proofOrFetcher, proofFetchCallback, jwt } = args;
+    this.ephemeralKeyPair = ephemeralKeyPair;
+    this.publicKey = KeylessPublicKey.create(args);
+    this.accountAddress = address ? AccountAddress.from(address) : this.publicKey.authKey().derivedAddress();
+    this.uidKey = uidKey;
+    this.uidVal = uidVal;
+    this.aud = aud;
+    this.jwt = jwt;
+    this.emitter = new EventEmitter<ProofFetchEvents>();
+    this.proofOrPromise = proofOrFetcher;
+    if (proofOrFetcher instanceof ZeroKnowledgeSig) {
+      this.proof = proofOrFetcher;
+    } else {
+      if (proofFetchCallback === undefined) {
+        throw new Error("Must provide callback for async proof fetch");
+      }
+      this.emitter.on("proofFetchFinish", async (status) => {
+        await proofFetchCallback(status);
+        this.emitter.removeAllListeners();
+      });
+      this.init(proofOrFetcher);
+    }
+    this.signingScheme = SigningScheme.SingleKey;
+    const pepperBytes = Hex.fromHexInput(pepper).toUint8Array();
+    if (pepperBytes.length !== KeylessAccount.PEPPER_LENGTH) {
+      throw new Error(`Pepper length in bytes should be ${KeylessAccount.PEPPER_LENGTH}`);
+    }
+    this.pepper = pepperBytes;
+  }
+
+  /**
+   * This initializes the asyncronous proof fetch
+   * @return
+   */
+  async init(promise: Promise<ZeroKnowledgeSig>) {
+    try {
+      this.proof = await promise;
+      this.emitter.emit("proofFetchFinish", { status: "Success" });
+    } catch (error) {
+      if (error instanceof Error) {
+        this.emitter.emit("proofFetchFinish", { status: "Failed", error: error.toString() });
+      } else {
+        this.emitter.emit("proofFetchFinish", { status: "Failed", error: "Unknown" });
+      }
+    }
+  }
+
+  serialize(serializer: Serializer): void {
+    serializer.serializeStr(this.jwt);
+    serializer.serializeStr(this.uidKey);
+    serializer.serializeFixedBytes(this.pepper);
+    this.ephemeralKeyPair.serialize(serializer);
+    if (this.proof === undefined) {
+      throw new Error("Connot serialize - proof undefined");
+    }
+    this.proof.serialize(serializer);
+  }
+
+  static deserialize(deserializer: Deserializer): KeylessAccount {
+    const jwt = deserializer.deserializeStr();
+    const uidKey = deserializer.deserializeStr();
+    const pepper = deserializer.deserializeFixedBytes(31);
+    const ephemeralKeyPair = EphemeralKeyPair.deserialize(deserializer);
+    const proof = ZeroKnowledgeSig.deserialize(deserializer);
+    return KeylessAccount.create({
+      proof,
+      pepper,
+      uidKey,
+      jwt,
+      ephemeralKeyPair,
+    });
+  }
+
+  /**
+   * Checks if the proof is expired.  If so the account must be rederived with a new EphemeralKeyPair
+   * and JWT token.
+   * @return boolean
+   */
+  isExpired(): boolean {
+    return this.ephemeralKeyPair.isExpired();
+  }
+
+  /**
+   * Sign a message using Keyless.
+   * @param message the message to sign, as binary input
+   * @return the AccountAuthenticator containing the signature, together with the account's public key
+   */
+  signWithAuthenticator(message: HexInput): AccountAuthenticatorSingleKey {
+    const signature = new AnySignature(this.sign(message));
+    const publicKey = new AnyPublicKey(this.publicKey);
+    return new AccountAuthenticatorSingleKey(publicKey, signature);
+  }
+
+  /**
+   * Sign a transaction using Keyless.
+   * @param transaction the raw transaction
+   * @return the AccountAuthenticator containing the signature of the transaction, together with the account's public key
+   */
+  signTransactionWithAuthenticator(transaction: AnyRawTransaction): AccountAuthenticatorSingleKey {
+    const signature = new AnySignature(this.signTransaction(transaction));
+    const publicKey = new AnyPublicKey(this.publicKey);
+    return new AccountAuthenticatorSingleKey(publicKey, signature);
+  }
+
+  /**
+   * Waits for asyncronous proof fetching to finish.
+   * @return
+   */
+  async waitForProofFetch() {
+    if (this.proofOrPromise instanceof Promise) {
+      await this.proofOrPromise;
+    }
+  }
+
+  /**
+   * Sign the given message using Keyless.
+   * @param message in HexInput format
+   * @returns Signature
+   */
+  sign(data: HexInput): KeylessSignature {
+    const { expiryDateSecs } = this.ephemeralKeyPair;
+    if (this.isExpired()) {
+      throw new Error("EphemeralKeyPair is expired");
+    }
+    if (this.proof === undefined) {
+      throw new Error("Proof not defined");
+    }
+    const ephemeralPublicKey = this.ephemeralKeyPair.getPublicKey();
+    const ephemeralSignature = this.ephemeralKeyPair.sign(data);
+
+    return new KeylessSignature({
+      jwtHeader: base64UrlDecode(this.jwt.split(".")[0]),
+      ephemeralCertificate: new EphemeralCertificate(this.proof, EphemeralCertificateVariant.ZkProof),
+      expiryDateSecs,
+      ephemeralPublicKey,
+      ephemeralSignature,
+    });
+  }
+
+  /**
+   * Sign the given transaction with Keyless.
+   * Signs the transaction and proof to guard against proof malleability.
+   * @param transaction the transaction to be signed
+   * @returns KeylessSignature
+   */
+  signTransaction(transaction: AnyRawTransaction): KeylessSignature {
+    if (this.proof === undefined) {
+      throw new Error("Proof not found");
+    }
+    const raw = deriveTransactionType(transaction);
+    const txnAndProof = new TransactionAndProof(raw, this.proof.proof);
+    const signMess = txnAndProof.hash();
+    return this.sign(signMess);
+  }
+
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars, class-methods-use-this
+  verifySignature(args: { message: HexInput; signature: Signature }): boolean {
+    throw new Error("Not implemented");
+  }
+
+  static fromBytes(bytes: Uint8Array): KeylessAccount {
+    return KeylessAccount.deserialize(new Deserializer(bytes));
+  }
+
+  static create(args: {
+    proof: ZeroKnowledgeSig | Promise<ZeroKnowledgeSig>;
+    jwt: string;
+    ephemeralKeyPair: EphemeralKeyPair;
+    pepper: HexInput;
+    uidKey?: string;
+    proofFetchCallback?: ProofFetchCallback;
+  }): KeylessAccount {
+    const { proof, jwt, ephemeralKeyPair, pepper, uidKey = "sub", proofFetchCallback } = args;
+
+    const jwtPayload = jwtDecode<JwtPayload & { [key: string]: string }>(jwt);
+    const iss = jwtPayload.iss!;
+    if (typeof jwtPayload.aud !== "string") {
+      throw new Error("aud was not found or an array of values");
+    }
+    const aud = jwtPayload.aud!;
+    const uidVal = jwtPayload[uidKey];
+    return new KeylessAccount({
+      proofOrFetcher: proof,
+      ephemeralKeyPair,
+      iss,
+      uidKey,
+      uidVal,
+      aud,
+      pepper,
+      jwt,
+      proofFetchCallback,
+    });
+  }
+}
+
+/**
+ * A container class to hold a transaction and a proof.  It implements CryptoHashable which is used to create
+ * the signing message for Keyless transactions.  We sign over the proof to ensure non-malleability.
+ */
+export class TransactionAndProof extends CryptoHashable {
+  /**
+   * The transaction to sign.
+   */
+  transaction: AnyRawTransactionInstance;
+
+  /**
+   * The zero knowledge proof used in signing the transaction.
+   */
+  proof?: ZkProof;
+
+  /**
+   * The domain separator prefix used when hashing.
+   */
+  domainSeparator: AptsoDomainSeparator;
+
+  constructor(transaction: AnyRawTransactionInstance, proof?: ZkProof) {
+    super();
+    this.transaction = transaction;
+    this.proof = proof;
+    this.domainSeparator = "APTOS::TransactionAndProof";
+  }
+
+  serialize(serializer: Serializer): void {
+    serializer.serializeFixedBytes(this.transaction.bcsToBytes());
+    serializer.serializeOption(this.proof);
+  }
+}
+
+export type ProofFetchSuccess = {
+  status: "Success";
+};
+
+export type ProofFetchFailure = {
+  status: "Failed";
+  error: string;
+};
+
+export type ProofFetchStatus = ProofFetchSuccess | ProofFetchFailure;
+
+export type ProofFetchCallback = (status: ProofFetchStatus) => Promise<void>;
+
+export interface ProofFetchEvents {
+  proofFetchFinish: (status: ProofFetchStatus) => void;
+}