@dynamic-labs-wallet/node 0.0.0-preview.160.0 → 0.0.1-paolo-1

package/index.cjs.js

@@ -1,16 +1,20 @@
 'use strict';
 
+var core$1 = require('#internal/core');
 var core = require('@dynamic-labs-wallet/core');
-var node = require('./internal/node');
-var logger$1 = require('@dynamic-labs/logger');
+var node = require('#internal/node');
+var uuid = require('uuid');
 var crypto = require('crypto');
+var logger$1 = require('@dynamic-labs/logger');
+require('node:crypto');
 
+// Removed duplicate exports - these are already exported from #internal/core
 const getMPCSignatureScheme = ({ signingAlgorithm, baseRelayUrl = core.MPC_RELAY_PROD_API_URL })=>{
     switch(signingAlgorithm){
         case core.SigningAlgorithm.ECDSA:
             return new node.Ecdsa(baseRelayUrl);
         case core.SigningAlgorithm.ED25519:
-            return new node.Ed25519(baseRelayUrl);
+            return new node.ExportableEd25519(baseRelayUrl);
         case core.SigningAlgorithm.BIP340:
             return new node.BIP340(baseRelayUrl);
         default:
@@ -65,7 +69,8 @@ const getExternalServerKeyShareBackupInfo = (params)=>{
         [core.BackupLocation.GOOGLE_DRIVE]: [],
         [core.BackupLocation.ICLOUD]: [],
         [core.BackupLocation.USER]: [],
-        [core.BackupLocation.EXTERNAL]: []
+        [core.BackupLocation.EXTERNAL]: [],
+        [core.BackupLocation.DELEGATED]: []
     };
     if (!(params == null ? void 0 : (_params_walletProperties = params.walletProperties) == null ? void 0 : _params_walletProperties.keyShares)) {
         return {
@@ -75,7 +80,11 @@ const getExternalServerKeyShareBackupInfo = (params)=>{
     }
     params.walletProperties.keyShares.forEach((keyShare)=>{
         if (backups[keyShare.backupLocation]) {
-            backups[keyShare.backupLocation].push(keyShare.id);
+            backups[keyShare.backupLocation].push({
+                location: keyShare.backupLocation,
+                keyShareId: keyShare.id,
+                passwordEncrypted: keyShare.passwordEncrypted
+            });
         }
     });
     const passwordEncrypted = Boolean((_params_walletProperties_keyShares_ = params.walletProperties.keyShares[0]) == null ? void 0 : _params_walletProperties_keyShares_.passwordEncrypted);
@@ -125,13 +134,64 @@ const getExternalServerKeyShareBackupInfo = (params)=>{
     // TypeScript needs this even though it's unreachable
     throw new Error('Unreachable code');
 }
+const formatEvmMessage = (message)=>{
+    if (typeof message === 'string' && message.startsWith('0x')) {
+        const serializedTxBytes = Uint8Array.from(Buffer.from(message.slice(2), 'hex'));
+        return node.MessageHash.keccak256(serializedTxBytes);
+    }
+    return node.MessageHash.keccak256(message);
+};
+const formatSolanaMessage = (message)=>{
+    if (typeof message === 'string') {
+        if (!isHexString(message)) {
+            return Buffer.from(message).toString('hex');
+        } else {
+            return new Uint8Array(Buffer.from(message, 'hex'));
+        }
+    } else {
+        return message;
+    }
+};
+const formatMessage = (chainName, message)=>{
+    switch(chainName){
+        case 'EVM':
+            return formatEvmMessage(message);
+        case 'SVM':
+            return formatSolanaMessage(message);
+        case 'SUI':
+            return message;
+        default:
+            throw new Error('Unsupported chain name');
+    }
+};
 
+const ENCRYPTION_VERSION_LEGACY = 'v1';
+const ENCRYPTION_VERSION_CURRENT = 'v2';
 const PBKDF2_ALGORITHM = 'PBKDF2';
-const PBKDF2_ITERATIONS = 100000;
 const PBKDF2_HASH_ALGORITHM = 'SHA-256';
 const AES_GCM_ALGORITHM = 'AES-GCM';
 const AES_GCM_LENGTH = 256;
-const getKey = async ({ password, salt })=>{
+const ENCRYPTION_VERSIONS = {
+    [ENCRYPTION_VERSION_LEGACY]: {
+        version: ENCRYPTION_VERSION_LEGACY,
+        algorithm: AES_GCM_ALGORITHM,
+        keyDerivation: PBKDF2_ALGORITHM,
+        iterations: 100000,
+        hashAlgorithm: PBKDF2_HASH_ALGORITHM,
+        algorithmLength: AES_GCM_LENGTH
+    },
+    [ENCRYPTION_VERSION_CURRENT]: {
+        version: ENCRYPTION_VERSION_CURRENT,
+        algorithm: AES_GCM_ALGORITHM,
+        keyDerivation: PBKDF2_ALGORITHM,
+        iterations: 1000000,
+        hashAlgorithm: PBKDF2_HASH_ALGORITHM,
+        algorithmLength: AES_GCM_LENGTH
+    }
+};
+ENCRYPTION_VERSIONS[ENCRYPTION_VERSION_CURRENT].iterations;
+ENCRYPTION_VERSIONS[ENCRYPTION_VERSION_LEGACY].iterations;
+const getKey = async ({ password, salt, encryptionConfig })=>{
     const passwordBytes = stringToBytes(password);
     const initialKey = await crypto.subtle.importKey('raw', passwordBytes, {
         name: 'PBKDF2'
@@ -139,26 +199,34 @@ const getKey = async ({ password, salt })=>{
         'deriveKey'
     ]);
     return crypto.subtle.deriveKey({
-        name: PBKDF2_ALGORITHM,
-        salt,
-        iterations: PBKDF2_ITERATIONS,
-        hash: PBKDF2_HASH_ALGORITHM
+        name: encryptionConfig.keyDerivation,
+        salt: salt,
+        iterations: encryptionConfig.iterations,
+        hash: encryptionConfig.hashAlgorithm
     }, initialKey, {
-        name: AES_GCM_ALGORITHM,
-        length: AES_GCM_LENGTH
+        name: encryptionConfig.algorithm,
+        length: encryptionConfig.algorithmLength
     }, false, [
         'encrypt',
         'decrypt'
     ]);
 };
-const encryptData = async ({ data, password })=>{
+/**
+ * Encrypts data using the specified encryption version.
+ * Always uses the latest encryption configuration for new encryptions by default.
+ */ const encryptData = async ({ data, password, version = ENCRYPTION_VERSION_CURRENT })=>{
+    const encryptionConfig = ENCRYPTION_VERSIONS[version];
+    if (!encryptionConfig) {
+        throw new Error(`Unsupported encryption version: ${version}`);
+    }
     try {
         // Generate a random salt and IV
         const salt = crypto.getRandomValues(new Uint8Array(16));
         const iv = crypto.getRandomValues(new Uint8Array(12)); // AES-GCM requires 12 bytes
         const key = await getKey({
             password,
-            salt
+            salt,
+            encryptionConfig
         });
         // Convert the input string to bytes
         const dataBytes = new TextEncoder().encode(data);
@@ -171,25 +239,39 @@ const encryptData = async ({ data, password })=>{
         return {
             salt: bytesToBase64(salt),
             iv: bytesToBase64(iv),
-            cipher: bytesToBase64(new Uint8Array(encryptedData))
+            cipher: bytesToBase64(new Uint8Array(encryptedData)),
+            version
         };
-    } catch (error) {
+    } catch (e) {
         throw new Error('Error encrypting data');
     }
 };
-const decryptData = async ({ data, password })=>{
+/**
+ * Decrypts data with version-based configuration.
+ * Uses the version field from the data to determine encryption parameters.
+ * Falls back to legacy version for backward compatibility if no version is specified.
+ */ const decryptData = async ({ data, password })=>{
+    const { salt, iv, cipher, version } = data;
+    // Ensure proper base64 padding for all values
+    const paddedSalt = ensureBase64Padding(salt);
+    const paddedIv = ensureBase64Padding(iv);
+    const paddedCipher = ensureBase64Padding(cipher);
+    const saltBytes = base64ToBytes(paddedSalt);
+    const ivBytes = base64ToBytes(paddedIv);
+    const cipherBytes = base64ToBytes(paddedCipher);
+    let encryptionConfig;
+    // Use version-based configuration if available, otherwise fallback to legacy
+    if (version && ENCRYPTION_VERSIONS[version]) {
+        encryptionConfig = ENCRYPTION_VERSIONS[version];
+    } else {
+        // Fallback to legacy version for backward compatibility
+        encryptionConfig = ENCRYPTION_VERSIONS[ENCRYPTION_VERSION_LEGACY];
+    }
     try {
-        const { salt, iv, cipher } = data;
-        // Ensure proper base64 padding for all values
-        const paddedSalt = ensureBase64Padding(salt);
-        const paddedIv = ensureBase64Padding(iv);
-        const paddedCipher = ensureBase64Padding(cipher);
-        const saltBytes = base64ToBytes(paddedSalt);
-        const ivBytes = base64ToBytes(paddedIv);
-        const cipherBytes = base64ToBytes(paddedCipher);
         const key = await getKey({
             password,
-            salt: saltBytes
+            salt: saltBytes,
+            encryptionConfig
         });
         const decryptedData = await crypto.subtle.decrypt({
             name: AES_GCM_ALGORITHM,
@@ -197,13 +279,23 @@ const decryptData = async ({ data, password })=>{
         }, key, cipherBytes);
         return new TextDecoder().decode(decryptedData);
     } catch (error) {
-        throw new Error('Decryption failed');
+        throw new Error('Decryption failed: ' + error);
     }
 };
 
 const DEFAULT_LOG_LEVEL = 'INFO';
 
 class DynamicWalletClient {
+    async initializeForwardMPCClient() {
+        try {
+            await this.apiClient.forwardMPCClient.ensureWsConnection();
+        } catch (error) {
+            this.logger.error('Error connecting to ForwardMPC enclave websocket. Environment: ' + this.environmentId, {
+                error,
+                environmentId: this.environmentId
+            });
+        }
+    }
     ensureApiClientAuthenticated() {
         if (!this.isApiClientAuthenticated) {
             throw new Error('Client must be authenticated before making API calls. Call authenticateApiToken first.');
@@ -227,13 +319,15 @@ class DynamicWalletClient {
         });
         this.isApiClientAuthenticated = true;
     }
-    async dynamicServerInitializeKeyGen({ chainName, externalServerKeygenIds, thresholdSignatureScheme, onError, onCeremonyComplete }) {
+    async dynamicServerInitializeKeyGen({ chainName, externalServerKeygenIds, thresholdSignatureScheme, dynamicRequestId, skipLock, onError, onCeremonyComplete }) {
         this.ensureApiClientAuthenticated();
         try {
             const data = await this.apiClient.createWalletAccount({
                 chainName,
                 clientKeygenIds: externalServerKeygenIds,
                 thresholdSignatureScheme,
+                dynamicRequestId,
+                skipLock,
                 onError,
                 onCeremonyComplete
             });
@@ -267,8 +361,8 @@ class DynamicWalletClient {
             let publicKey;
             if (mpcSigner instanceof node.Ecdsa) {
                 publicKey = await mpcSigner.derivePubkey(keyShare, derivationPath);
-            } else if (mpcSigner instanceof node.Ed25519) {
-                publicKey = await mpcSigner.derivePubkey(keyShare, derivationPath);
+            } else if (mpcSigner instanceof node.ExportableEd25519) {
+                publicKey = await mpcSigner.getPubkey(keyShare);
             }
             return publicKey;
         } catch (error) {
@@ -294,7 +388,13 @@ class DynamicWalletClient {
                     ...dynamicServerKeygenIds,
                     ...otherExternalServerKeygenIds
                 ];
-                return mpcSigner.keygen(roomId, mpcConfig.numberOfParties, mpcConfig.threshold, currentInit, allOtherKeygenIds);
+                if (!(mpcSigner instanceof node.ExportableEd25519)) {
+                    return mpcSigner.keygen(roomId, mpcConfig.numberOfParties, mpcConfig.threshold, currentInit, allOtherKeygenIds);
+                } else {
+                    // One party joins the keygen room using acting as the sampler: (wallet-service)
+                    // The remaining parties join the key sampling ceremony using: (browser)
+                    return mpcSigner.receiveKey(roomId, mpcConfig.numberOfParties, mpcConfig.threshold, currentInit, allOtherKeygenIds);
+                }
             }));
             // only need one client keygen result to derive the public key
             const [serverKeygenResult] = serverKeygenResults;
@@ -314,7 +414,8 @@ class DynamicWalletClient {
             throw new Error('Error deriving public key in externalServerKeyGen');
         }
     }
-    async keyGen({ chainName, thresholdSignatureScheme, onError, onCeremonyComplete }) {
+    async keyGen({ chainName, thresholdSignatureScheme, skipLock, onError, onCeremonyComplete }) {
+        const dynamicRequestId = uuid.v4();
         try {
             const externalServerInitKeygenResults = await this.externalServerInitializeKeyGen({
                 chainName,
@@ -324,7 +425,9 @@ class DynamicWalletClient {
             const { roomId, serverKeygenIds: dynamicServerKeygenIds } = await this.dynamicServerInitializeKeyGen({
                 chainName,
                 externalServerKeygenIds,
+                dynamicRequestId,
                 thresholdSignatureScheme,
+                skipLock,
                 onCeremonyComplete
             });
             const { rawPublicKey, externalServerKeyGenResults } = await this.externalServerKeyGen({
@@ -345,6 +448,7 @@ class DynamicWalletClient {
     }
     async importRawPrivateKey({ chainName, privateKey, thresholdSignatureScheme, onError, onCeremonyComplete }) {
         this.ensureApiClientAuthenticated();
+        const dynamicRequestId = uuid.v4();
         const mpcSigner = getMPCSigner({
             chainName,
             baseRelayUrl: this.baseMPCRelayApiUrl
@@ -358,6 +462,7 @@ class DynamicWalletClient {
             chainName,
             clientKeygenIds: externalServerKeygenIds,
             thresholdSignatureScheme,
+            dynamicRequestId,
             onError,
             onCeremonyComplete
         });
@@ -390,7 +495,8 @@ class DynamicWalletClient {
             externalServerKeyShares: externalServerKeygenResults
         };
     }
-    async dynamicServerSign({ walletId, message }) {
+    async dynamicServerSign({ walletId, message, isFormatted, context, onError }) {
+        const dynamicRequestId = uuid.v4();
         this.ensureApiClientAuthenticated();
         // Create the room and sign the message
         if (typeof message !== 'string') {
@@ -398,35 +504,22 @@ class DynamicWalletClient {
         }
         const data = await this.apiClient.signMessage({
             walletId,
-            message
+            message,
+            isFormatted,
+            dynamicRequestId,
+            context: context ? JSON.parse(JSON.stringify(context, (_key, value)=>typeof value === 'bigint' ? value.toString() : value)) : undefined,
+            onError,
+            forwardMPCClientEnabled: this.forwardMPCEnabled
         });
         return data;
     }
-    async externalServerSign({ chainName, message, roomId, keyShare, derivationPath }) {
+    async externalServerSign({ chainName, message, roomId, keyShare, derivationPath, isFormatted }) {
         try {
             const mpcSigner = getMPCSigner({
                 chainName,
                 baseRelayUrl: this.baseMPCRelayApiUrl
             });
-            let formattedMessage;
-            //note: Ecdsa can also be used by bitcoin, but only keccak256 is used by ethereum
-            if (mpcSigner instanceof node.Ecdsa) {
-                formattedMessage = node.MessageHash.keccak256(message);
-            } else if (mpcSigner instanceof node.Ed25519) {
-                if (typeof message === 'string') {
-                    if (!isHexString(message)) {
-                        formattedMessage = Buffer.from(message).toString('hex');
-                    } else {
-                        formattedMessage = Buffer.from(message, 'hex');
-                    }
-                } else {
-                    formattedMessage = message;
-                }
-            } else if (mpcSigner instanceof node.BIP340 && typeof message === 'string') {
-                formattedMessage = new TextEncoder().encode(message);
-            } else {
-                throw new Error('Unsupported signer type');
-            }
+            const formattedMessage = isFormatted ? new node.MessageHash(message) : formatMessage(chainName, message);
             const signature = await mpcSigner.sign(roomId, keyShare, formattedMessage, derivationPath);
             return signature;
         } catch (error) {
@@ -434,35 +527,104 @@ class DynamicWalletClient {
             throw error;
         }
     }
-    //todo: need to modify with imported flag
-    async sign({ accountAddress, message, chainName, password = undefined }) {
-        await this.verifyPassword({
-            accountAddress,
-            password,
-            walletOperation: core.WalletOperation.SIGN_MESSAGE
-        });
-        const wallet = await this.getWallet({
-            accountAddress,
-            walletOperation: core.WalletOperation.SIGN_MESSAGE,
-            password
-        });
-        // Perform the dynamic server sign
-        const data = await this.dynamicServerSign({
-            walletId: wallet.walletId,
-            message
-        });
-        const derivationPath = wallet.derivationPath && wallet.derivationPath != '' ? new Uint32Array(Object.values(JSON.parse(wallet.derivationPath))) : undefined;
-        // Perform the external server sign and return the signature
-        const signature = await this.externalServerSign({
-            chainName,
-            message,
-            roomId: data.roomId,
-            keyShare: wallet.externalServerKeyShares[0],
-            derivationPath
-        });
-        return signature;
+    async forwardMPCClientSign({ chainName, message, roomId, keyShare, derivationPath, formattedMessage, dynamicRequestId, isFormatted }) {
+        try {
+            if (!this.apiClient.forwardMPCClient.connected) {
+                await this.initializeForwardMPCClient();
+            }
+            const messageForForwardMPC = core.serializeMessageForForwardMPC({
+                message,
+                isFormatted,
+                chainName
+            });
+            this.logger.info('Forward MPC enabled, signing message with forward MPC');
+            const environment = core.getEnvironmentFromUrl(this.baseApiUrl);
+            const defaultRelayUrl = core.MPC_RELAY_URL_MAP[environment];
+            const signature = await this.apiClient.forwardMPCClient.signMessage({
+                keyshare: keyShare,
+                message: chainName === 'SVM' ? formattedMessage : messageForForwardMPC,
+                relayDomain: this.baseMPCRelayApiUrl || defaultRelayUrl,
+                signingAlgo: chainName === 'EVM' ? 'ECDSA' : 'ED25519',
+                hashAlgo: chainName === 'EVM' && !isFormatted ? 'keccak256' : undefined,
+                derivationPath: derivationPath,
+                roomUuid: roomId
+            });
+            const signatureBytes = signature.data.signature;
+            if (!(signatureBytes instanceof Uint8Array)) {
+                throw new TypeError(`Invalid signature format: expected Uint8Array, got ${typeof signatureBytes}`);
+            }
+            // Convert to EcdsaSignature
+            if (chainName === 'EVM') {
+                const ecdsaSignature = node.EcdsaSignature.fromBuffer(signatureBytes);
+                return ecdsaSignature;
+            } else {
+                return signatureBytes;
+            }
+        } catch (error) {
+            this.logger.error('Error signing message with forward MPC client', {
+                error,
+                environmentId: this.environmentId,
+                dynamicRequestId
+            });
+            throw error;
+        }
+    }
+    async sign({ accountAddress, externalServerKeyShares, message, chainName, password = undefined, isFormatted = false, context, onError }) {
+        try {
+            await this.verifyPassword({
+                accountAddress,
+                password,
+                walletOperation: core.WalletOperation.SIGN_MESSAGE
+            });
+            const wallet = await this.getWallet({
+                accountAddress,
+                walletOperation: core.WalletOperation.SIGN_MESSAGE,
+                password
+            });
+            externalServerKeyShares = externalServerKeyShares != null ? externalServerKeyShares : wallet.externalServerKeyShares;
+            if (!externalServerKeyShares) {
+                throw new Error('External server key shares are required to sign a message');
+            }
+            // Perform the dynamic server sign
+            const data = await this.dynamicServerSign({
+                walletId: wallet.walletId,
+                message,
+                isFormatted,
+                context,
+                onError
+            });
+            const derivationPath = wallet.derivationPath && wallet.derivationPath != '' ? new Uint32Array(Object.values(JSON.parse(wallet.derivationPath))) : undefined;
+            // Perform the external server sign and return the signature
+            if (this.forwardMPCEnabled) {
+                const formattedMessage = isFormatted ? new node.MessageHash(message) : formatMessage(chainName, message);
+                const signature = await this.forwardMPCClientSign({
+                    chainName,
+                    message,
+                    roomId: data.roomId,
+                    keyShare: externalServerKeyShares[0],
+                    derivationPath,
+                    formattedMessage,
+                    dynamicRequestId: uuid.v4(),
+                    isFormatted
+                });
+                return signature;
+            } else {
+                const signature = await this.externalServerSign({
+                    chainName,
+                    message,
+                    roomId: data.roomId,
+                    keyShare: externalServerKeyShares[0],
+                    derivationPath,
+                    isFormatted
+                });
+                return signature;
+            }
+        } catch (error) {
+            this.logger.error('Error in sign', error);
+            throw error;
+        }
     }
-    async refreshWalletAccountShares({ accountAddress, chainName, password = undefined }) {
+    async refreshWalletAccountShares({ accountAddress, chainName, password = undefined, externalServerKeyShares, backUpToClientShareService = false }) {
         this.ensureApiClientAuthenticated();
         await this.verifyPassword({
             accountAddress,
@@ -483,14 +645,19 @@ class DynamicWalletClient {
             walletId: wallet.walletId
         });
         const roomId = data.roomId;
-        const refreshResults = await Promise.all(wallet.externalServerKeyShares.map((serverKeyShare)=>mpcSigner.refresh(roomId, serverKeyShare)));
+        externalServerKeyShares = externalServerKeyShares != null ? externalServerKeyShares : wallet.externalServerKeyShares;
+        if (!externalServerKeyShares) {
+            throw new Error('External server key shares are required to refresh');
+        }
+        const refreshResults = await Promise.all(externalServerKeyShares.map((serverKeyShare)=>mpcSigner.refresh(roomId, serverKeyShare)));
         this.walletMap[accountAddress] = _extends({}, this.walletMap[accountAddress], {
             externalServerKeyShares: refreshResults,
             externalServerKeySharesBackupInfo: getExternalServerKeyShareBackupInfo()
         });
         await this.storeEncryptedBackupByWallet({
             accountAddress,
-            password: password != null ? password : this.environmentId
+            password: password != null ? password : this.environmentId,
+            backUpToClientShareService
         });
         return refreshResults;
     }
@@ -543,7 +710,7 @@ class DynamicWalletClient {
             existingExternalServerKeyShares
         };
     }
-    async reshare({ chainName, accountAddress, oldThresholdSignatureScheme, newThresholdSignatureScheme, password = undefined }) {
+    async reshare({ chainName, accountAddress, oldThresholdSignatureScheme, newThresholdSignatureScheme, password = undefined, externalServerKeyShares, backUpToClientShareService = false }) {
         this.ensureApiClientAuthenticated();
         await this.verifyPassword({
             accountAddress,
@@ -560,9 +727,15 @@ class DynamicWalletClient {
             shareCount: existingExternalServerShareCount,
             password
         });
+        externalServerKeyShares = externalServerKeyShares != null ? externalServerKeyShares : wallet.externalServerKeyShares;
+        if (!externalServerKeyShares) {
+            throw new Error('External server key shares are required to reshare');
+        }
         const { newExternalServerInitKeygenResults, newExternalServerKeygenIds, existingExternalServerKeygenIds, existingExternalServerKeyShares } = await this.reshareStrategy({
             chainName,
-            wallet,
+            wallet: _extends({}, wallet, {
+                externalServerKeyShares
+            }),
             oldThresholdSignatureScheme,
             newThresholdSignatureScheme
         });
@@ -600,11 +773,12 @@ class DynamicWalletClient {
         });
         await this.storeEncryptedBackupByWallet({
             accountAddress,
-            password
+            password,
+            backUpToClientShareService
         });
         return reshareResults;
     }
-    async exportKey({ accountAddress, chainName, password = undefined }) {
+    async exportKey({ accountAddress, chainName, password = undefined, externalServerKeyShares }) {
         this.ensureApiClientAuthenticated();
         await this.verifyPassword({
             accountAddress,
@@ -616,19 +790,23 @@ class DynamicWalletClient {
             password,
             walletOperation: core.WalletOperation.EXPORT_PRIVATE_KEY
         });
+        externalServerKeyShares = externalServerKeyShares != null ? externalServerKeyShares : wallet.externalServerKeyShares;
+        if (!externalServerKeyShares) {
+            throw new Error('External server key shares are required to export a private key');
+        }
         const mpcSigner = getMPCSigner({
             chainName,
             baseRelayUrl: this.baseMPCRelayApiUrl
         });
         const exportId = await this.getExportId({
             chainName,
-            serverKeyShare: wallet.externalServerKeyShares[0]
+            serverKeyShare: externalServerKeyShares[0]
         });
         const data = await this.apiClient.exportKey({
             walletId: wallet.walletId,
             exportId
         });
-        const keyExportRaw = await mpcSigner.exportFullPrivateKey(data.roomId, wallet.externalServerKeyShares[0], exportId);
+        const keyExportRaw = await mpcSigner.exportFullPrivateKey(data.roomId, externalServerKeyShares[0], exportId);
         if (!keyExportRaw) {
             throw new Error('Error exporting private key');
         }
@@ -636,7 +814,7 @@ class DynamicWalletClient {
         let derivedPrivateKey;
         if (mpcSigner instanceof node.Ecdsa) {
             derivedPrivateKey = await mpcSigner.derivePrivateKeyFromXpriv(keyExportRaw, derivationPath);
-        } else if (mpcSigner instanceof node.Ed25519) {
+        } else if (mpcSigner instanceof node.ExportableEd25519) {
             derivedPrivateKey = keyExportRaw;
         } else if (mpcSigner instanceof node.BIP340) {
             derivedPrivateKey = await mpcSigner.derivePrivateKeyFromXpriv(keyExportRaw, derivationPath);
@@ -655,7 +833,7 @@ class DynamicWalletClient {
                 baseRelayUrl: this.baseMPCRelayApiUrl
             });
             const walletKeyShares = keyShares.map((keyShare)=>{
-                return mpcSigner instanceof node.Ecdsa ? new node.EcdsaKeygenResult(keyShare.pubkey, keyShare.secretShare) : mpcSigner instanceof node.Ed25519 ? new node.Ed25519KeygenResult(keyShare.pubkey, keyShare.secretShare) : new node.BIP340KeygenResult(keyShare.pubkey, keyShare.secretShare);
+                return mpcSigner instanceof node.Ecdsa ? new node.EcdsaKeygenResult(keyShare.pubkey, keyShare.secretShare) : mpcSigner instanceof node.ExportableEd25519 ? new node.ExportableEd25519KeygenResult(keyShare.pubkey, keyShare.secretShare) : new node.BIP340KeygenResult(keyShare.pubkey, keyShare.secretShare);
             });
             const keyExportRaw = await mpcSigner.offlineExportFullPrivateKey(walletKeyShares);
             if (!keyExportRaw) {
@@ -666,7 +844,7 @@ class DynamicWalletClient {
             let derivedPrivateKey;
             if (mpcSigner instanceof node.Ecdsa) {
                 derivedPrivateKey = await mpcSigner.derivePrivateKeyFromXpriv(keyExportRaw, walletDerivationPath);
-            } else if (mpcSigner instanceof node.Ed25519) {
+            } else if (mpcSigner instanceof node.ExportableEd25519) {
                 derivedPrivateKey = keyExportRaw;
             } else if (mpcSigner instanceof node.BIP340) {
                 derivedPrivateKey = await mpcSigner.derivePrivateKeyFromXpriv(keyExportRaw, walletDerivationPath);
@@ -700,15 +878,17 @@ class DynamicWalletClient {
             throw new Error('Ceremony completion timeout');
         }
     }
-    async storeEncryptedBackupByWallet({ accountAddress, externalServerKeyShares = undefined, password = undefined }) {
+    async storeEncryptedBackupByWallet({ accountAddress, externalServerKeyShares = undefined, password = undefined, backUpToClientShareService }) {
         this.ensureApiClientAuthenticated();
         //add retry logic for ceremony completion to prevent race condition
         await this.ensureCeremonyCompletionBeforeBackup({
             accountAddress
         });
+        const dynamicRequestId = uuid.v4();
         try {
             const keySharesToBackup = externalServerKeyShares != null ? externalServerKeyShares : await this.getExternalServerKeyShares({
-                accountAddress
+                accountAddress,
+                password
             });
             if (!keySharesToBackup || keySharesToBackup.length === 0) {
                 throw new Error(`Key shares not found for accountAddress: ${accountAddress}`);
@@ -720,51 +900,92 @@ class DynamicWalletClient {
             if (!this.walletMap[accountAddress] || !this.walletMap[accountAddress].walletId) {
                 throw new Error(`WalletId not found for accountAddress: ${accountAddress}`);
             }
-            const data = await this.apiClient.storeEncryptedBackupByWallet({
+            const passwordEncryptedFlag = Boolean(password) && password !== this.environmentId;
+            const locations = [];
+            if (backUpToClientShareService) {
+                const data = await this.apiClient.storeEncryptedBackupByWallet({
+                    walletId: this.walletMap[accountAddress].walletId,
+                    encryptedKeyShares: encryptedKeyShares,
+                    passwordEncrypted: passwordEncryptedFlag,
+                    encryptionVersion: ENCRYPTION_VERSION_CURRENT,
+                    requiresSignedSessionId: false,
+                    dynamicRequestId
+                });
+                locations.push({
+                    location: core.BackupLocation.DYNAMIC,
+                    externalKeyShareId: data.keyShareIds[0],
+                    passwordEncrypted: passwordEncryptedFlag
+                });
+            } else {
+                locations.push({
+                    location: core.BackupLocation.EXTERNAL
+                });
+            }
+            const backupData = await this.apiClient.markKeySharesAsBackedUp({
                 walletId: this.walletMap[accountAddress].walletId,
-                encryptedKeyShares,
-                passwordEncrypted: Boolean(password) && password !== this.environmentId
+                locations,
+                dynamicRequestId
+            });
+            const updatedBackupInfo = getExternalServerKeyShareBackupInfo({
+                walletProperties: {
+                    derivationPath: this.walletMap[accountAddress].derivationPath,
+                    keyShares: backupData.locationsWithKeyShares.map((ks)=>({
+                            id: ks.keyShareId,
+                            backupLocation: ks.location,
+                            externalKeyShareId: ks.externalKeyShareId,
+                            passwordEncrypted: passwordEncryptedFlag
+                        })),
+                    thresholdSignatureScheme: this.walletMap[accountAddress].thresholdSignatureScheme
+                }
             });
             this.walletMap[accountAddress] = _extends({}, this.walletMap[accountAddress], {
-                externalServerKeySharesBackupInfo: getExternalServerKeyShareBackupInfo({
-                    walletProperties: {
-                        derivationPath: this.walletMap[accountAddress].derivationPath,
-                        keyShares: data.keyShares,
-                        thresholdSignatureScheme: this.walletMap[accountAddress].thresholdSignatureScheme
-                    }
-                })
+                externalServerKeySharesBackupInfo: updatedBackupInfo
             });
-            return data;
+            return encryptedKeyShares;
         } catch (error) {
-            this.logger.error('Error in storeEncryptedBackupByWallet:', error);
+            this.logger.error('Error in storeEncryptedBackupByWallet:', {
+                accountAddress,
+                error,
+                dynamicRequestId
+            });
             throw error;
         }
     }
-    async storeEncryptedBackupByWalletWithRetry({ accountAddress, externalServerKeyShares, password }) {
+    async storeEncryptedBackupByWalletWithRetry({ accountAddress, externalServerKeyShares, password, backUpToClientShareService }) {
         await retryPromise(()=>this.storeEncryptedBackupByWallet({
                 accountAddress,
                 externalServerKeyShares,
-                password
+                password,
+                backUpToClientShareService
             }), {
             operationName: 'store encrypted backup',
             logContext: {
-                walletAddress: accountAddress,
-                keyShares: externalServerKeyShares == null ? void 0 : externalServerKeyShares.map((keyShare)=>this.encryptKeyShare({
-                        keyShare,
-                        password
-                    }))
+                walletAddress: accountAddress
             }
         });
     }
     async getExternalServerKeyShares({ accountAddress, password }) {
+        var _wallet_externalServerKeySharesBackupInfo_backups, _wallet_externalServerKeySharesBackupInfo;
         const wallet = await this.getWallet({
             accountAddress,
             password,
             walletOperation: core.WalletOperation.REACH_THRESHOLD
         });
-        return wallet.externalServerKeyShares;
+        // Check if the wallet has a dynamic backup and derive password encryption status from the first dynamic share
+        const dynamicBackups = (wallet == null ? void 0 : (_wallet_externalServerKeySharesBackupInfo = wallet.externalServerKeySharesBackupInfo) == null ? void 0 : (_wallet_externalServerKeySharesBackupInfo_backups = _wallet_externalServerKeySharesBackupInfo.backups) == null ? void 0 : _wallet_externalServerKeySharesBackupInfo_backups.dynamic) || [];
+        const passwordEncrypted = dynamicBackups.length > 0 ? Boolean(dynamicBackups[0].passwordEncrypted) : false;
+        if (passwordEncrypted && !password) {
+            throw new Error('Password is required for decryption but not provided. This backup was encrypted with a password.');
+        }
+        // recover the shares
+        const recoveredShares = await this.recoverEncryptedBackupByWallet({
+            accountAddress,
+            password,
+            walletOperation: core.WalletOperation.REACH_THRESHOLD
+        });
+        return recoveredShares;
     }
-    async updatePassword({ accountAddress, existingPassword, newPassword }) {
+    async updatePassword({ accountAddress, existingPassword, newPassword, backUpToClientShareService }) {
         await this.getWallet({
             accountAddress,
             password: existingPassword,
@@ -772,7 +993,8 @@ class DynamicWalletClient {
         });
         await this.storeEncryptedBackupByWallet({
             accountAddress,
-            password: newPassword
+            password: newPassword,
+            backUpToClientShareService
         });
     }
     async decryptKeyShare({ keyShare, password }) {
@@ -803,17 +1025,57 @@ class DynamicWalletClient {
         if (shareCount !== undefined) {
             requiredShareCount = shareCount;
         }
-        const dynamicShares = backups[core.BackupLocation.DYNAMIC].slice(0, requiredShareCount);
+        const dynamicShares = (backups[core.BackupLocation.DYNAMIC] || []).slice(0, requiredShareCount);
+        const externalShares = (backups[core.BackupLocation.EXTERNAL] || []).slice(0, requiredShareCount);
+        // If we have DYNAMIC shares, use those; otherwise use EXTERNAL shares
+        const sharesToUse = dynamicShares.length > 0 ? dynamicShares : externalShares;
+        const backupLocation = dynamicShares.length > 0 ? core.BackupLocation.DYNAMIC : core.BackupLocation.EXTERNAL;
         return {
             shares: {
-                [core.BackupLocation.DYNAMIC]: dynamicShares
+                [backupLocation]: sharesToUse.map((ks)=>{
+                    var _ks_externalKeyShareId, _ref;
+                    return (_ref = (_ks_externalKeyShareId = ks.externalKeyShareId) != null ? _ks_externalKeyShareId : ks.keyShareId) != null ? _ref : '';
+                })
             },
             requiredShareCount
         };
     }
+    /**
+   * Attempts to recover key shares from backup if they are not provided.
+   * The recovered shares will be stored in the wallet map for use in signing operations.
+   * @param accountAddress - The account address to recover shares for
+   * @param password - The password to decrypt the shares
+   * @param walletOperation - The wallet operation being performed
+   * @param externalServerKeyShares - The provided key shares (if any)
+   * @param errorMessage - The error message to throw if recovery fails
+   * @throws Error if recovery is needed but fails
+   */ async ensureKeySharesRecovered({ accountAddress, password, walletOperation, externalServerKeyShares, errorMessage }) {
+        if (!externalServerKeyShares || externalServerKeyShares.length === 0) {
+            // attempt to recover dynamic keyshares if no key shares are provided
+            // the shares will be used for signing in the node SDK if successful
+            const recoveredShares = await this.recoverEncryptedBackupByWallet({
+                accountAddress,
+                password,
+                walletOperation,
+                storeRecoveredShares: true
+            });
+            // If recovery returned empty and no shares were provided, throw error
+            if (!recoveredShares || recoveredShares.length === 0) {
+                throw new Error(errorMessage);
+            }
+        }
+    }
     async recoverEncryptedBackupByWallet({ accountAddress, password, walletOperation, shareCount = undefined, storeRecoveredShares = true }) {
+        var _wallet_externalServerKeySharesBackupInfo;
         this.ensureApiClientAuthenticated();
-        const wallet = this.walletMap[accountAddress];
+        let wallet = this.walletMap[accountAddress];
+        if (!wallet) {
+            const fetchedWallet = await this.getWalletByAddress(accountAddress);
+            if (!fetchedWallet) {
+                throw new Error(`Wallet not found for address 1: ${accountAddress}`);
+            }
+            wallet = fetchedWallet;
+        }
         this.logger.debug(`recoverEncryptedBackupByWallet wallet: ${walletOperation}`, wallet);
         const { shares } = this.recoverStrategy({
             externalServerKeySharesBackupInfo: wallet.externalServerKeySharesBackupInfo,
@@ -821,12 +1083,30 @@ class DynamicWalletClient {
             walletOperation,
             shareCount
         });
-        const { dynamic: dynamicKeyShareIds } = shares;
-        const data = await this.apiClient.recoverEncryptedBackupByWallet({
-            walletId: wallet.walletId,
-            keyShareIds: dynamicKeyShareIds
-        });
+        // Get the key share IDs from whichever backup location has shares
+        const dynamicKeyShareIds = shares[core.BackupLocation.DYNAMIC] || [];
+        const externalKeyShareIds = shares[core.BackupLocation.EXTERNAL] || [];
+        // Only attempt recovery if we have DYNAMIC shares (the API doesn't support EXTERNAL shares)
+        let data;
+        if (dynamicKeyShareIds.length > 0) {
+            data = await this.apiClient.recoverEncryptedBackupByWallet({
+                walletId: wallet.walletId,
+                keyShareIds: dynamicKeyShareIds,
+                requiresSignedSessionId: false
+            });
+        } else if (externalKeyShareIds.length > 0) {
+            this.logger.debug('Skipping recovery - only EXTERNAL shares available (backUpToClientShareService: false)');
+            return []; // Return empty array since we can't recover EXTERNAL shares via API
+        } else {
+            this.logger.debug('No shares available for recovery');
+            return []; // Return empty array if no shares are available
+        }
         const dynamicKeyShares = data.keyShares.filter((keyShare)=>keyShare.encryptedAccountCredential !== null && keyShare.backupLocation === core.BackupLocation.DYNAMIC);
+        var _wallet_externalServerKeySharesBackupInfo_passwordEncrypted;
+        const isPasswordEncrypted = (_wallet_externalServerKeySharesBackupInfo_passwordEncrypted = (_wallet_externalServerKeySharesBackupInfo = wallet.externalServerKeySharesBackupInfo) == null ? void 0 : _wallet_externalServerKeySharesBackupInfo.passwordEncrypted) != null ? _wallet_externalServerKeySharesBackupInfo_passwordEncrypted : false;
+        if (isPasswordEncrypted && !password) {
+            throw new Error('Password is required for decryption but not provided. This backup was encrypted with a password.');
+        }
         const decryptedKeyShares = await Promise.all(dynamicKeyShares.map((keyShare)=>this.decryptKeyShare({
                 keyShare: keyShare.encryptedAccountCredential,
                 password: password != null ? password : this.environmentId
@@ -856,6 +1136,7 @@ class DynamicWalletClient {
    * @param walletOperation - The wallet operation that determines required fields
    * @returns boolean indicating if wallet needs to be re-fetched and restored from server
    */ async checkWalletFields({ accountAddress, walletOperation = core.WalletOperation.REACH_THRESHOLD, shareCount }) {
+        var _existingWallet_externalServerKeyShares;
         let keyshareCheck = false;
         let walletCheck = false;
         let thresholdSignatureSchemeCheck = false;
@@ -875,7 +1156,7 @@ class DynamicWalletClient {
         }
         // check if wallet already exists with sufficient keyshares
         if (existingWallet) {
-            var _existingWallet_externalServerKeyShares;
+            var _existingWallet_externalServerKeyShares1;
             const { shares } = this.recoverStrategy({
                 externalServerKeySharesBackupInfo: existingWallet.externalServerKeySharesBackupInfo || {
                     backups: getExternalServerKeyShareBackupInfo()
@@ -885,11 +1166,35 @@ class DynamicWalletClient {
                 shareCount
             });
             const { dynamic: requiredDynamicKeyShareIds = [] } = shares;
-            if (requiredDynamicKeyShareIds.length <= (((_existingWallet_externalServerKeyShares = existingWallet.externalServerKeyShares) == null ? void 0 : _existingWallet_externalServerKeyShares.length) || 0)) {
+            const { external: requiredExternalKeyShareIds = [] } = shares;
+            // Check if we have enough shares from any backup location
+            const totalRequiredShares = requiredDynamicKeyShareIds.length + requiredExternalKeyShareIds.length;
+            // Check if we have the required shares either loaded OR available in backup
+            const hasLoadedShares = totalRequiredShares <= (((_existingWallet_externalServerKeyShares1 = existingWallet.externalServerKeyShares) == null ? void 0 : _existingWallet_externalServerKeyShares1.length) || 0);
+            // Check if backup contains the specific required share IDs
+            const hasBackupShares = existingWallet.externalServerKeySharesBackupInfo && (()=>{
+                const backupShares = existingWallet.externalServerKeySharesBackupInfo.backups.dynamic;
+                const allRequiredIds = [
+                    ...requiredDynamicKeyShareIds,
+                    ...requiredExternalKeyShareIds
+                ];
+                return allRequiredIds.every((requiredId)=>backupShares.some((backupShare)=>backupShare.externalKeyShareId === requiredId || backupShare.keyShareId === requiredId));
+            })();
+            if (hasLoadedShares || hasBackupShares) {
                 keyshareCheck = true;
             }
         }
-        return walletCheck && thresholdSignatureSchemeCheck && keyshareCheck && derivationPathCheck;
+        const result = walletCheck && thresholdSignatureSchemeCheck && keyshareCheck && derivationPathCheck;
+        this.logger.debug('Wallet checks:', {
+            walletCheck,
+            thresholdSignatureSchemeCheck,
+            keyshareCheck,
+            derivationPathCheck,
+            existingWallet: !!existingWallet,
+            keySharesLength: existingWallet == null ? void 0 : (_existingWallet_externalServerKeyShares = existingWallet.externalServerKeyShares) == null ? void 0 : _existingWallet_externalServerKeyShares.length,
+            result
+        });
+        return result;
     }
     /**
    * verifyPassword attempts to recover and decrypt a single client key share using the provided password.
@@ -915,8 +1220,10 @@ class DynamicWalletClient {
             accountAddress
         });
         const { dynamic: dynamicKeyShareIds = [] } = backups;
-        if (!dynamicKeyShareIds || dynamicKeyShareIds.length === 0) {
-            throw new Error('No dynamic key shares found');
+        const { external: externalKeyShareIds = [] } = backups;
+        // Check if we have any shares available (DYNAMIC or EXTERNAL)
+        if (dynamicKeyShareIds.length === 0 && externalKeyShareIds.length === 0) {
+            throw new Error('No key shares found');
         }
         try {
             await this.recoverEncryptedBackupByWallet({
@@ -961,88 +1268,164 @@ class DynamicWalletClient {
         if (walletOperation === core.WalletOperation.REACH_ALL_PARTIES || walletOperation === core.WalletOperation.REFRESH || walletOperation === core.WalletOperation.RESHARE) {
             return true;
         }
-        const { requiredShareCount } = this.recoverStrategy({
+        const { shares, requiredShareCount } = this.recoverStrategy({
             externalServerKeySharesBackupInfo,
             thresholdSignatureScheme: this.walletMap[accountAddress].thresholdSignatureScheme,
             walletOperation
         });
-        if (externalServerKeyShares.length >= requiredShareCount) {
+        const dynamicKeyShareIds = shares[core.BackupLocation.DYNAMIC] || [];
+        const externalKeyShareIds = shares[core.BackupLocation.EXTERNAL] || [];
+        // Check if we have enough shares from either location
+        const totalAvailableShares = externalServerKeyShares.length + dynamicKeyShareIds.length + externalKeyShareIds.length;
+        if (totalAvailableShares >= requiredShareCount) {
             return false;
         }
         return true;
     }
     async getWalletExternalServerKeyShareBackupInfo({ accountAddress }) {
-        var _this_walletMap_accountAddress_externalServerKeySharesBackupInfo_backups_BackupLocation_DYNAMIC, _this_walletMap_accountAddress_externalServerKeySharesBackupInfo_backups, _this_walletMap_accountAddress_externalServerKeySharesBackupInfo, _this_walletMap_accountAddress, _user_verifiedCredentials;
+        var _wallet_externalServerKeySharesBackupInfo_backups_BackupLocation_DYNAMIC, _wallet_externalServerKeySharesBackupInfo_backups, _wallet_externalServerKeySharesBackupInfo, _user_verifiedCredentials;
         this.ensureApiClientAuthenticated();
+        let wallet = this.walletMap[accountAddress];
+        if (!wallet) {
+            const fetchedWallet = await this.getWalletByAddress(accountAddress);
+            if (!fetchedWallet) {
+                throw new Error(`Wallet not found for address 2: ${accountAddress}`);
+            }
+            wallet = fetchedWallet;
+        }
         // Return existing backup info if it exists
-        if (((_this_walletMap_accountAddress = this.walletMap[accountAddress]) == null ? void 0 : (_this_walletMap_accountAddress_externalServerKeySharesBackupInfo = _this_walletMap_accountAddress.externalServerKeySharesBackupInfo) == null ? void 0 : (_this_walletMap_accountAddress_externalServerKeySharesBackupInfo_backups = _this_walletMap_accountAddress_externalServerKeySharesBackupInfo.backups) == null ? void 0 : (_this_walletMap_accountAddress_externalServerKeySharesBackupInfo_backups_BackupLocation_DYNAMIC = _this_walletMap_accountAddress_externalServerKeySharesBackupInfo_backups[core.BackupLocation.DYNAMIC]) == null ? void 0 : _this_walletMap_accountAddress_externalServerKeySharesBackupInfo_backups_BackupLocation_DYNAMIC.length) > 0) {
-            return this.walletMap[accountAddress].externalServerKeySharesBackupInfo;
+        if (((_wallet_externalServerKeySharesBackupInfo = wallet.externalServerKeySharesBackupInfo) == null ? void 0 : (_wallet_externalServerKeySharesBackupInfo_backups = _wallet_externalServerKeySharesBackupInfo.backups) == null ? void 0 : (_wallet_externalServerKeySharesBackupInfo_backups_BackupLocation_DYNAMIC = _wallet_externalServerKeySharesBackupInfo_backups[core.BackupLocation.DYNAMIC]) == null ? void 0 : _wallet_externalServerKeySharesBackupInfo_backups_BackupLocation_DYNAMIC.length) > 0) {
+            return wallet.externalServerKeySharesBackupInfo;
         }
         // Get backup info from server
-        const user = await this.apiClient.getUser();
-        const wallet = (_user_verifiedCredentials = user.verifiedCredentials) == null ? void 0 : _user_verifiedCredentials.find((vc)=>vc.address.toLowerCase() === accountAddress.toLowerCase());
+        const user = await this.apiClient.getUser(uuid.v4());
+        const walletData = (_user_verifiedCredentials = user.verifiedCredentials) == null ? void 0 : _user_verifiedCredentials.find((vc)=>vc.address.toLowerCase() === accountAddress.toLowerCase());
         return getExternalServerKeyShareBackupInfo({
-            walletProperties: wallet == null ? void 0 : wallet.walletProperties
+            walletProperties: walletData == null ? void 0 : walletData.walletProperties
         });
     }
     async getWallet({ accountAddress, walletOperation = core.WalletOperation.NO_OPERATION, shareCount = undefined, password = undefined }) {
-        var _user_verifiedCredentials;
-        this.ensureApiClientAuthenticated();
-        const existingWalletCheck = await this.checkWalletFields({
-            accountAddress,
-            walletOperation,
-            shareCount
-        });
-        if (existingWalletCheck) {
-            this.logger.debug(`Wallet ${accountAddress} already exists`);
-            return this.walletMap[accountAddress];
-        }
-        //todo: Question - why don't we just call getWallets here? so then all are preloaded
-        // Fetch and restore wallet from server
-        const user = await this.apiClient.getUser();
-        const wallet = (_user_verifiedCredentials = user.verifiedCredentials) == null ? void 0 : _user_verifiedCredentials.find((vc)=>vc.address.toLowerCase() === accountAddress.toLowerCase());
-        this.logger.debug('Restoring wallet', wallet);
-        const walletProperties = wallet.walletProperties;
-        this.walletMap[accountAddress] = _extends({}, this.walletMap[accountAddress], {
-            walletId: wallet.id,
-            chainName: wallet.chainName,
-            accountAddress,
-            thresholdSignatureScheme: walletProperties.thresholdSignatureScheme,
-            derivationPath: walletProperties.derivationPath,
-            externalServerKeySharesBackupInfo: getExternalServerKeyShareBackupInfo({
-                walletProperties
-            })
-        });
-        if (walletOperation !== core.WalletOperation.NO_OPERATION && await this.requiresRestoreBackupSharesForOperation({
-            accountAddress,
-            walletOperation
-        })) {
-            const decryptedKeyShares = await this.recoverEncryptedBackupByWallet({
+        try {
+            this.ensureApiClientAuthenticated();
+            const existingWalletCheck = await this.checkWalletFields({
                 accountAddress,
-                password: password != null ? password : this.environmentId,
-                walletOperation: walletOperation,
+                walletOperation,
                 shareCount
             });
-            this.logger.debug('Recovered backup', decryptedKeyShares);
+            if (existingWalletCheck) {
+                this.logger.debug(`Wallet ${accountAddress} already exists`);
+                return this.walletMap[accountAddress];
+            }
+            const wallet = await this.getWalletByAddress(accountAddress);
+            if (!wallet) {
+                throw new Error(`Wallet not found for address 3: ${accountAddress}`);
+            }
+            this.logger.debug('Restoring wallet', wallet);
+            // The wallet is already processed, so we can use it directly
+            this.walletMap[accountAddress] = wallet;
+            if (walletOperation !== core.WalletOperation.NO_OPERATION && await this.requiresRestoreBackupSharesForOperation({
+                accountAddress,
+                walletOperation
+            })) {
+                const decryptedKeyShares = await this.recoverEncryptedBackupByWallet({
+                    accountAddress,
+                    password: password != null ? password : this.environmentId,
+                    walletOperation: walletOperation,
+                    shareCount
+                });
+                this.logger.debug('[DynamicWaasWalletClient] Recovered backup', decryptedKeyShares);
+            }
+            // externalServerKeyShares
+            const walletCount = Object.keys(this.walletMap).length;
+            if (walletCount === 0) {
+                throw new Error('No wallets found');
+            }
+            // Return the only wallet if there's just one
+            if (walletCount === 1) {
+                return Object.values(this.walletMap)[0];
+            }
+            return this.walletMap[accountAddress];
+        } catch (error) {
+            this.logger.error('Error in getWallet', error);
+            throw error;
         }
-        const walletCount = Object.keys(this.walletMap).length;
-        if (walletCount === 0) {
-            throw new Error('No wallets found');
+    }
+    /**
+   * Get a single wallet by address
+   * First tries the efficient getWaasWalletByAddress endpoint, falls back to getUser() if not available
+   */ async getWalletByAddress(accountAddress) {
+        // Return cached wallet if available
+        if (this.walletMap[accountAddress]) {
+            return this.walletMap[accountAddress];
         }
-        // Return the only wallet if there's just one
-        if (walletCount === 1) {
-            return Object.values(this.walletMap)[0];
+        this.ensureApiClientAuthenticated();
+        // Try getting single wallet by address first
+        try {
+            var _walletResponse_wallet;
+            const walletResponse = await this.apiClient.getWaasWalletByAddress({
+                walletAddress: accountAddress
+            });
+            const walletProperties = {
+                walletId: walletResponse.wallet.walletId,
+                chainName: walletResponse.wallet.chainName,
+                accountAddress: walletResponse.wallet.accountAddress,
+                externalServerKeyShares: [],
+                derivationPath: walletResponse.wallet.derivationPath,
+                thresholdSignatureScheme: walletResponse.wallet.thresholdSignatureScheme,
+                externalServerKeySharesBackupInfo: getExternalServerKeyShareBackupInfo({
+                    walletProperties: {
+                        // @ts-expect-error TODO: update response to get key shares
+                        keyShares: ((_walletResponse_wallet = walletResponse.wallet) == null ? void 0 : _walletResponse_wallet.keyShares) || [],
+                        thresholdSignatureScheme: walletResponse.wallet.thresholdSignatureScheme,
+                        derivationPath: walletResponse.wallet.derivationPath
+                    }
+                })
+            };
+            // Cache the wallet
+            this.walletMap[accountAddress] = walletProperties;
+            return walletProperties;
+        } catch (error) {
+            var _error_response;
+            // If the new endpoint doesn't exist (404 or not implemented), fall back to getUser()
+            if ((error == null ? void 0 : (_error_response = error.response) == null ? void 0 : _error_response.status) === 404 || (error == null ? void 0 : error.code) === 'ERR_BAD_REQUEST') {
+                var _user_verifiedCredentials, _wallet_walletProperties, _wallet_walletProperties1;
+                this.logger.debug('getWaasWalletByAddress endpoint not available, falling back to getUser()');
+                // Fallback to getUser() approach
+                const user = await this.apiClient.getUser(uuid.v4());
+                const wallet = (_user_verifiedCredentials = user.verifiedCredentials) == null ? void 0 : _user_verifiedCredentials.find((vc)=>vc.walletName === 'dynamicwaas' && vc.address.toLowerCase() === accountAddress.toLowerCase());
+                if (!wallet) {
+                    return null;
+                }
+                var _wallet_walletProperties_derivationPath;
+                const walletProperties = {
+                    walletId: wallet.id,
+                    chainName: wallet.chain,
+                    accountAddress: wallet.address,
+                    externalServerKeyShares: [],
+                    derivationPath: (_wallet_walletProperties_derivationPath = (_wallet_walletProperties = wallet.walletProperties) == null ? void 0 : _wallet_walletProperties.derivationPath) != null ? _wallet_walletProperties_derivationPath : undefined,
+                    thresholdSignatureScheme: (_wallet_walletProperties1 = wallet.walletProperties) == null ? void 0 : _wallet_walletProperties1.thresholdSignatureScheme,
+                    externalServerKeySharesBackupInfo: getExternalServerKeyShareBackupInfo({
+                        walletProperties: wallet.walletProperties || {}
+                    })
+                };
+                // Cache the wallet
+                this.walletMap[accountAddress] = walletProperties;
+                return walletProperties;
+            }
+            throw error;
         }
-        return this.walletMap[accountAddress];
     }
-    async getWallets() {
+    /**
+   * Get all wallets (kept for backward compatibility but now uses lazy loading)
+   * @deprecated Consider using getWalletByAddress for better performance with large wallet counts
+   */ async getWallets() {
         var _user_verifiedCredentials;
         this.ensureApiClientAuthenticated();
-        const user = await this.apiClient.getUser();
+        const user = await this.apiClient.getUser(uuid.v4());
         const waasWallets = (_user_verifiedCredentials = user.verifiedCredentials) == null ? void 0 : _user_verifiedCredentials.filter((vc)=>vc.walletName === 'dynamicwaas');
         const wallets = waasWallets.map((vc)=>{
-            var _this_walletMap_vc_address, _this_walletMap_vc_address1, _vc_walletProperties;
-            var _this_walletMap_vc_address_derivationPath;
+            var _this_walletMap_vc_address, _vc_walletProperties, _vc_walletProperties1;
+            var _vc_walletProperties_derivationPath;
             return {
                 walletId: vc.id,
                 chainName: vc.chain,
@@ -1051,101 +1434,260 @@ class DynamicWalletClient {
                     walletProperties: vc.walletProperties || {}
                 }),
                 externalServerKeyShares: ((_this_walletMap_vc_address = this.walletMap[vc.address]) == null ? void 0 : _this_walletMap_vc_address.externalServerKeyShares) || [],
-                derivationPath: (_this_walletMap_vc_address_derivationPath = (_this_walletMap_vc_address1 = this.walletMap[vc.address]) == null ? void 0 : _this_walletMap_vc_address1.derivationPath) != null ? _this_walletMap_vc_address_derivationPath : undefined,
-                thresholdSignatureScheme: (_vc_walletProperties = vc.walletProperties) == null ? void 0 : _vc_walletProperties.thresholdSignatureScheme
+                derivationPath: (_vc_walletProperties_derivationPath = (_vc_walletProperties = vc.walletProperties) == null ? void 0 : _vc_walletProperties.derivationPath) != null ? _vc_walletProperties_derivationPath : undefined,
+                thresholdSignatureScheme: (_vc_walletProperties1 = vc.walletProperties) == null ? void 0 : _vc_walletProperties1.thresholdSignatureScheme
             };
         });
         this.walletMap = wallets.reduce((acc, wallet)=>{
-            var _acc_accountAddress;
-            const accountAddress = wallet.accountAddress;
             acc[wallet.accountAddress] = {
                 walletId: wallet.walletId,
                 chainName: wallet.chainName,
                 accountAddress: wallet.accountAddress,
                 externalServerKeyShares: wallet.externalServerKeyShares || [],
                 externalServerKeySharesBackupInfo: wallet.externalServerKeySharesBackupInfo,
-                derivationPath: ((_acc_accountAddress = acc[accountAddress]) == null ? void 0 : _acc_accountAddress.derivationPath) || undefined,
+                derivationPath: wallet.derivationPath,
                 thresholdSignatureScheme: wallet.thresholdSignatureScheme
             };
             return acc;
         }, {});
         return wallets;
     }
-    constructor({ environmentId, baseApiUrl, baseMPCRelayApiUrl, debug }){
+    constructor({ environmentId, baseApiUrl, baseMPCRelayApiUrl, debug, forwardMPCClient, enableMPCAccelerator = false }){
         this.logger = logger;
         this.walletMap = {} // todo: store in session storage
         ;
         this.isApiClientAuthenticated = false;
+        this.forwardMPCEnabled = false;
         this.environmentId = environmentId;
         this.baseMPCRelayApiUrl = baseMPCRelayApiUrl;
         this.baseApiUrl = baseApiUrl;
         this.debug = Boolean(debug);
         this.logger.setLogLevel(this.debug ? 'DEBUG' : DEFAULT_LOG_LEVEL);
+        this.forwardMPCEnabled = enableMPCAccelerator || Boolean(forwardMPCClient);
+        // Initialize API client with forwardMPCClient
+        this.apiClient = new core.DynamicApiClient({
+            environmentId,
+            baseApiUrl,
+            forwardMPCClient
+        });
+        if (this.forwardMPCEnabled) {
+            this.logger.info('Initializing ForwardMPC enclave websocket in node client. Environment: ' + this.environmentId);
+            this.initializeForwardMPCClient();
+        }
     }
 }
 
-Object.defineProperty(exports, "BIP340", {
-  enumerable: true,
-  get: function () { return node.BIP340; }
-});
-Object.defineProperty(exports, "BIP340InitKeygenResult", {
-  enumerable: true,
-  get: function () { return node.BIP340InitKeygenResult; }
-});
-Object.defineProperty(exports, "BIP340KeygenResult", {
-  enumerable: true,
-  get: function () { return node.BIP340KeygenResult; }
-});
-Object.defineProperty(exports, "Ecdsa", {
-  enumerable: true,
-  get: function () { return node.Ecdsa; }
-});
-Object.defineProperty(exports, "EcdsaInitKeygenResult", {
-  enumerable: true,
-  get: function () { return node.EcdsaInitKeygenResult; }
-});
-Object.defineProperty(exports, "EcdsaKeygenResult", {
-  enumerable: true,
-  get: function () { return node.EcdsaKeygenResult; }
-});
-Object.defineProperty(exports, "EcdsaPublicKey", {
-  enumerable: true,
-  get: function () { return node.EcdsaPublicKey; }
-});
-Object.defineProperty(exports, "EcdsaSignature", {
-  enumerable: true,
-  get: function () { return node.EcdsaSignature; }
-});
-Object.defineProperty(exports, "Ed25519", {
+const createCore = ({ environmentId, baseApiUrl, baseMPCRelayApiUrl, debug = false })=>{
+    const coreLogger = logger;
+    coreLogger.setLogLevel(debug ? 'DEBUG' : DEFAULT_LOG_LEVEL);
+    const createApiClient = (options = {})=>{
+        return new core.DynamicApiClient(_extends({
+            environmentId,
+            baseApiUrl
+        }, options));
+    };
+    return {
+        environmentId,
+        createApiClient,
+        logger: coreLogger,
+        baseMPCRelayApiUrl,
+        baseApiUrl,
+        debug
+    };
+};
+
+// Helper function to create API client for delegated operations
+const createDelegatedApiClient = (client, options = {})=>{
+    return client.createApiClient(options);
+};
+// Helper function to create API client with wallet-specific headers
+const createDelegatedApiClientWithWalletKey = (client, walletApiKey)=>{
+    const apiClient = client.createApiClient();
+    // Add the wallet-specific API key header to all requests from this client
+    apiClient.apiClient.defaults.headers['x-dyn-wallet-api-key'] = walletApiKey;
+    return apiClient;
+};
+const createDelegatedWalletClient = ({ environmentId, baseApiUrl, baseMPCRelayApiUrl, apiKey, debug = false })=>{
+    const core = createCore({
+        environmentId,
+        baseApiUrl,
+        baseMPCRelayApiUrl,
+        debug
+    });
+    // Store the API key for use in delegated operations
+    core.apiKey = apiKey;
+    const walletMap = {};
+    const client = {
+        get environmentId () {
+            return core.environmentId;
+        },
+        get debug () {
+            return core.debug;
+        },
+        get apiUrl () {
+            var _core_baseApiUrl;
+            return (_core_baseApiUrl = core.baseApiUrl) != null ? _core_baseApiUrl : 'https://app.dynamicauth.com';
+        },
+        get wallets () {
+            return walletMap;
+        },
+        createApiClient: (options = {})=>{
+            return core.createApiClient(_extends({
+                authToken: apiKey
+            }, options));
+        },
+        logger: core.logger,
+        apiKey,
+        baseMPCRelayApiUrl: core.baseMPCRelayApiUrl
+    };
+    return client;
+};
+
+const dynamicDelegatedSign = async (client, { walletId, message, isFormatted, walletApiKey, onError, context })=>{
+    const dynamicRequestId = uuid.v4();
+    // Convert message to hex if it's a Uint8Array
+    if (typeof message !== 'string') {
+        message = '0x' + Buffer.from(message).toString('hex');
+    }
+    const apiClient = createDelegatedApiClientWithWalletKey(client, walletApiKey);
+    const data = await apiClient.delegatedSignMessage({
+        walletId,
+        message,
+        isFormatted,
+        dynamicRequestId,
+        onError,
+        context: context ? JSON.parse(JSON.stringify(context, (_key, value)=>typeof value === 'bigint' ? value.toString() : value)) : undefined
+    });
+    return data;
+};
+const delegatedSign = async (client, { chainName, message, roomId, keyShare, derivationPath, isFormatted })=>{
+    try {
+        const mpcSigner = getMPCSigner({
+            chainName,
+            baseRelayUrl: client.baseMPCRelayApiUrl
+        });
+        const formattedMessage = isFormatted ? new node.MessageHash(message) : formatMessage(chainName, message);
+        const signature = await mpcSigner.sign(roomId, keyShare, formattedMessage, derivationPath);
+        return signature;
+    } catch (error) {
+        client.logger.error('Error in delegatedSign', error);
+        throw error;
+    }
+};
+const delegatedSignMessage = async (client, { walletId, walletApiKey, keyShare, message, chainName, isFormatted = false, onError, context })=>{
+    // Validate required parameters
+    if (!keyShare) {
+        throw new Error('Delegated key share is required to sign a message');
+    }
+    const wallet = await getWallet(client, {
+        walletId
+    });
+    // Perform the dynamic server sign
+    const data = await dynamicDelegatedSign(client, {
+        walletId,
+        walletApiKey,
+        message,
+        isFormatted,
+        onError,
+        context
+    });
+    const derivationPath = wallet.derivationPath && wallet.derivationPath !== '' ? new Uint32Array(Object.values(JSON.parse(wallet.derivationPath))) : undefined;
+    // Perform the external server sign and return the signature
+    const signature = await delegatedSign(client, {
+        chainName,
+        message,
+        roomId: data.roomId,
+        keyShare,
+        derivationPath,
+        isFormatted
+    });
+    return signature;
+};
+// Helper function to get wallet (to be implemented in wallet module)
+const getWallet = async (client, { walletId })=>{
+    const wallets = client.wallets;
+    // Check if wallet is already cached
+    if (wallets[walletId]) {
+        return wallets[walletId];
+    }
+    // Fetch wallet from API
+    const apiClient = createDelegatedApiClient(client);
+    const { wallet } = await apiClient.getWaasWalletById({
+        walletId
+    });
+    const waasWallet = {
+        walletId,
+        chainName: wallet.chainName,
+        accountAddress: wallet.accountAddress,
+        externalServerKeyShares: [],
+        derivationPath: wallet.derivationPath,
+        thresholdSignatureScheme: wallet.thresholdSignatureScheme,
+        externalServerKeySharesBackupInfo: {
+            passwordEncrypted: false,
+            backups: {
+                dynamic: [],
+                googleDrive: [],
+                iCloud: [],
+                user: [],
+                external: [],
+                delegated: []
+            }
+        }
+    };
+    // Cache the wallet
+    wallets[walletId] = waasWallet;
+    return waasWallet;
+};
+
+const revokeDelegation = async (client, walletId)=>{
+    try {
+        // TODO: Uncomment when API method is implemented
+        // const apiClient = createDelegatedApiClient(client);
+        // await apiClient.revokeDelegation({
+        //   walletId,
+        // });
+        client.logger.info(`Delegation revoked for wallet: ${walletId}`);
+    } catch (error) {
+        client.logger.error('Error revoking delegation', error);
+        throw new Error('Failed to revoke delegation');
+    }
+};
+
+Object.defineProperty(exports, "SOLANA_RPC_URL", {
   enumerable: true,
-  get: function () { return node.Ed25519; }
+  get: function () { return core.SOLANA_RPC_URL; }
 });
-Object.defineProperty(exports, "Ed25519InitKeygenResult", {
+Object.defineProperty(exports, "ThresholdSignatureScheme", {
   enumerable: true,
-  get: function () { return node.Ed25519InitKeygenResult; }
+  get: function () { return core.ThresholdSignatureScheme; }
 });
-Object.defineProperty(exports, "Ed25519KeygenResult", {
+Object.defineProperty(exports, "WalletOperation", {
   enumerable: true,
-  get: function () { return node.Ed25519KeygenResult; }
+  get: function () { return core.WalletOperation; }
 });
-Object.defineProperty(exports, "MessageHash", {
+Object.defineProperty(exports, "getMPCChainConfig", {
   enumerable: true,
-  get: function () { return node.MessageHash; }
+  get: function () { return core.getMPCChainConfig; }
 });
 exports.DynamicWalletClient = DynamicWalletClient;
 exports.base64ToBytes = base64ToBytes;
 exports.bytesToBase64 = bytesToBase64;
+exports.createDelegatedWalletClient = createDelegatedWalletClient;
+exports.delegatedSignMessage = delegatedSignMessage;
 exports.ensureBase64Padding = ensureBase64Padding;
+exports.formatEvmMessage = formatEvmMessage;
+exports.formatMessage = formatMessage;
 exports.getExternalServerKeyShareBackupInfo = getExternalServerKeyShareBackupInfo;
 exports.getMPCSignatureScheme = getMPCSignatureScheme;
 exports.getMPCSigner = getMPCSigner;
 exports.isHexString = isHexString;
 exports.mergeUniqueKeyShares = mergeUniqueKeyShares;
 exports.retryPromise = retryPromise;
+exports.revokeDelegation = revokeDelegation;
 exports.stringToBytes = stringToBytes;
-Object.keys(core).forEach(function (k) {
+Object.keys(core$1).forEach(function (k) {
   if (k !== 'default' && !Object.prototype.hasOwnProperty.call(exports, k)) Object.defineProperty(exports, k, {
     enumerable: true,
-    get: function () { return core[k]; }
+    get: function () { return core$1[k]; }
   });
 });