@worldcoin/idkit-core 4.0.1-dev.fe98789 → 4.0.2-dev.a907be3

package/dist/index.cjs

@@ -1,5 +1,11 @@
 'use strict';
 
+var sha3 = require('@noble/hashes/sha3');
+var utils = require('@noble/hashes/utils');
+var hmac = require('@noble/hashes/hmac');
+var sha2 = require('@noble/hashes/sha2');
+var secp256k1 = require('@noble/secp256k1');
+
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
 var __defProp = Object.defineProperty;
 var __export = (target, all2) => {
@@ -388,12 +394,12 @@ function hashSignal(signal) {
     wasm.__wbindgen_export4(deferred2_0, deferred2_1, 1);
   }
 }
-function __wasm_bindgen_func_elem_597(arg0, arg1) {
-  wasm.__wasm_bindgen_func_elem_597(arg0, arg1);
-}
 function __wasm_bindgen_func_elem_960(arg0, arg1, arg2) {
   wasm.__wasm_bindgen_func_elem_960(arg0, arg1, addHeapObject(arg2));
 }
+function __wasm_bindgen_func_elem_597(arg0, arg1) {
+  wasm.__wasm_bindgen_func_elem_597(arg0, arg1);
+}
 function __wasm_bindgen_func_elem_1345(arg0, arg1, arg2, arg3) {
   wasm.__wasm_bindgen_func_elem_1345(arg0, arg1, addHeapObject(arg2), addHeapObject(arg3));
 }
@@ -772,6 +778,34 @@ var IDKitBuilder = class _IDKitBuilder {
     const ret = wasm.idkitbuilder_constraints(ptr, addHeapObject(constraints_json));
     return takeObject(ret);
   }
+  /**
+   * Builds the native payload for constraints (synchronous, no bridge connection).
+   *
+   * Used by the native transport to get the same payload format as the bridge
+   * without creating a network connection.
+   *
+   * # Errors
+   *
+   * Returns an error if constraints are invalid or payload construction fails.
+   * @param {any} constraints_json
+   * @returns {any}
+   */
+  nativePayload(constraints_json) {
+    try {
+      const ptr = this.__destroy_into_raw();
+      const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+      wasm.idkitbuilder_nativePayload(retptr, ptr, addHeapObject(constraints_json));
+      var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+      var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+      var r2 = getDataViewMemory0().getInt32(retptr + 4 * 2, true);
+      if (r2) {
+        throw takeObject(r1);
+      }
+      return takeObject(r0);
+    } finally {
+      wasm.__wbindgen_add_to_stack_pointer(16);
+    }
+  }
   /**
    * Creates a new builder for proving an existing session
    * @param {string} session_id
@@ -827,6 +861,34 @@ var IDKitBuilder = class _IDKitBuilder {
     const ret = wasm.createSession(ptr0, len0, ptr1, ptr2, len2, ptr3, len3, ptr4, len4, ptr5, len5);
     return _IDKitBuilder.__wrap(ret);
   }
+  /**
+   * Builds the native payload from a preset (synchronous, no bridge connection).
+   *
+   * Used by the native transport to get the same payload format as the bridge
+   * without creating a network connection.
+   *
+   * # Errors
+   *
+   * Returns an error if the preset is invalid or payload construction fails.
+   * @param {any} preset_json
+   * @returns {any}
+   */
+  nativePayloadFromPreset(preset_json) {
+    try {
+      const ptr = this.__destroy_into_raw();
+      const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+      wasm.idkitbuilder_nativePayloadFromPreset(retptr, ptr, addHeapObject(preset_json));
+      var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+      var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+      var r2 = getDataViewMemory0().getInt32(retptr + 4 * 2, true);
+      if (r2) {
+        throw takeObject(r1);
+      }
+      return takeObject(r0);
+    } finally {
+      wasm.__wbindgen_add_to_stack_pointer(16);
+    }
+  }
   /**
    * Creates a new builder for uniqueness requests
    * @param {string} app_id
@@ -1796,10 +1858,6 @@ var idkit_wasm_default = __wbg_init;
 // src/lib/wasm.ts
 var wasmInitialized = false;
 var wasmInitPromise = null;
-async function importNodeModule(specifier) {
-  const dynamicImport = Function("moduleName", "return import(moduleName)");
-  return dynamicImport(specifier);
-}
 async function initIDKit() {
   if (wasmInitialized) {
     return;
@@ -1818,35 +1876,230 @@ async function initIDKit() {
   })();
   return wasmInitPromise;
 }
-async function initIDKitServer() {
-  if (wasmInitialized) {
-    return;
+
+// src/transports/native.ts
+var MINIAPP_VERIFY_ACTION = "miniapp-verify-action";
+function isInWorldApp() {
+  return typeof window !== "undefined" && Boolean(window.WorldApp);
+}
+var _requestCounter = 0;
+var _activeNativeRequest = null;
+function createNativeRequest(wasmPayload, config) {
+  if (_activeNativeRequest?.isPending()) {
+    console.warn(
+      "IDKit native request already in flight. Reusing active request."
+    );
+    return _activeNativeRequest;
   }
-  if (wasmInitPromise) {
-    return wasmInitPromise;
+  const request2 = new NativeIDKitRequest(wasmPayload, config);
+  _activeNativeRequest = request2;
+  return request2;
+}
+var NativeIDKitRequest = class {
+  constructor(wasmPayload, config) {
+    this.connectorURI = "";
+    this.resolved = false;
+    this.cancelled = false;
+    this.settled = false;
+    this.resolvedResult = null;
+    this.messageHandler = null;
+    this.miniKitHandler = null;
+    this.rejectFn = null;
+    this.requestId = crypto.randomUUID?.() ?? `native-${Date.now()}-${++_requestCounter}`;
+    this.resultPromise = new Promise((resolve, reject) => {
+      this.rejectFn = reject;
+      const handleIncomingPayload = (responsePayload) => {
+        if (this.cancelled || this.resolved || this.settled) return;
+        if (responsePayload?.status === "error") {
+          this.cleanup();
+          reject(
+            new NativeVerifyError(
+              responsePayload.error_code ?? "generic_error" /* GenericError */
+            )
+          );
+          return;
+        }
+        this.resolved = true;
+        const result = nativeResultToIDKitResult(responsePayload, config);
+        this.resolvedResult = result;
+        this.cleanup();
+        resolve(result);
+      };
+      const handler = (event) => {
+        const data = event.data;
+        if (data?.type === MINIAPP_VERIFY_ACTION || data?.command === MINIAPP_VERIFY_ACTION) {
+          handleIncomingPayload(data.payload ?? data);
+        }
+      };
+      this.messageHandler = handler;
+      window.addEventListener("message", handler);
+      try {
+        const miniKit = window.MiniKit;
+        if (typeof miniKit?.subscribe === "function") {
+          const miniKitHandler = (payload) => {
+            handleIncomingPayload(payload?.payload ?? payload);
+          };
+          this.miniKitHandler = miniKitHandler;
+          miniKit.subscribe(MINIAPP_VERIFY_ACTION, miniKitHandler);
+        }
+      } catch {
+      }
+      const sendPayload = {
+        command: "verify",
+        version: 2,
+        payload: wasmPayload
+      };
+      const w = window;
+      if (w.webkit?.messageHandlers?.minikit) {
+        w.webkit.messageHandlers.minikit.postMessage(sendPayload);
+      } else if (w.Android) {
+        w.Android.postMessage(JSON.stringify(sendPayload));
+      } else {
+        this.cleanup();
+        reject(new Error("No WebView bridge available"));
+      }
+    });
+    this.resultPromise.catch(() => {
+    }).finally(() => {
+      this.settled = true;
+      this.cleanup();
+      if (_activeNativeRequest === this) {
+        _activeNativeRequest = null;
+      }
+    });
   }
-  wasmInitPromise = (async () => {
+  /**
+   * Cancel this request. Removes the message listener so it cannot consume
+   * a response meant for a later request, and rejects the pending promise.
+   */
+  cancel() {
+    if (this.resolved || this.cancelled) return;
+    this.cancelled = true;
+    this.cleanup();
+    this.rejectFn?.(new NativeVerifyError("cancelled" /* Cancelled */));
+    if (_activeNativeRequest === this) {
+      _activeNativeRequest = null;
+    }
+  }
+  cleanup() {
+    if (this.messageHandler) {
+      window.removeEventListener("message", this.messageHandler);
+      this.messageHandler = null;
+    }
+    if (this.miniKitHandler) {
+      try {
+        const miniKit = window.MiniKit;
+        miniKit?.unsubscribe?.(MINIAPP_VERIFY_ACTION);
+      } catch {
+      }
+      this.miniKitHandler = null;
+    }
+  }
+  isPending() {
+    return !this.settled && !this.cancelled;
+  }
+  async pollOnce() {
+    if (this.resolved && this.resolvedResult) {
+      return { type: "confirmed", result: this.resolvedResult };
+    }
+    return { type: "awaiting_confirmation" };
+  }
+  async pollUntilCompletion(options) {
+    const timeout = options?.timeout ?? 3e5;
+    let timeoutId;
+    let abortHandler = null;
+    let waiterTerminationCode = null;
     try {
-      const { readFile } = await importNodeModule(
-        "node:fs/promises"
-      );
-      const { fileURLToPath } = await importNodeModule(
-        "node:url"
-      );
-      const { dirname, join } = await importNodeModule(
-        "node:path"
-      );
-      const modulePath = fileURLToPath((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('index.cjs', document.baseURI).href)));
-      const wasmPath = join(dirname(modulePath), "idkit_wasm_bg.wasm");
-      const wasmBuffer = await readFile(wasmPath);
-      await idkit_wasm_default({ module_or_path: wasmBuffer });
-      wasmInitialized = true;
+      const result = await Promise.race([
+        this.resultPromise,
+        new Promise((_, reject) => {
+          if (options?.signal) {
+            abortHandler = () => {
+              waiterTerminationCode = "cancelled" /* Cancelled */;
+              reject(new NativeVerifyError("cancelled" /* Cancelled */));
+            };
+            if (options.signal.aborted) {
+              abortHandler();
+              return;
+            }
+            options.signal.addEventListener("abort", abortHandler, {
+              once: true
+            });
+          }
+          timeoutId = setTimeout(() => {
+            waiterTerminationCode = "timeout" /* Timeout */;
+            reject(new NativeVerifyError("timeout" /* Timeout */));
+          }, timeout);
+        })
+      ]);
+      return { success: true, result };
     } catch (error) {
-      wasmInitPromise = null;
-      throw new Error(`Failed to initialize IDKit WASM for server: ${error}`);
+      if (error instanceof NativeVerifyError) {
+        if (waiterTerminationCode === error.code && this.isPending()) {
+          this.cancel();
+        }
+        return { success: false, error: error.code };
+      }
+      return { success: false, error: "generic_error" /* GenericError */ };
+    } finally {
+      if (timeoutId) {
+        clearTimeout(timeoutId);
+      }
+      if (options?.signal && abortHandler) {
+        options.signal.removeEventListener("abort", abortHandler);
+      }
     }
-  })();
-  return wasmInitPromise;
+  }
+};
+var NativeVerifyError = class extends Error {
+  constructor(code) {
+    super(code);
+    this.code = code;
+  }
+};
+function nativeResultToIDKitResult(payload, config) {
+  const rpNonce = config.rp_context?.nonce ?? "";
+  if ("responses" in payload && Array.isArray(payload.responses)) {
+    return {
+      protocol_version: payload.protocol_version ?? "4.0",
+      nonce: payload.nonce ?? rpNonce,
+      action: payload.action ?? config.action ?? "",
+      action_description: payload.action_description,
+      session_id: payload.session_id,
+      responses: payload.responses,
+      environment: payload.environment ?? config.environment ?? "production"
+    };
+  }
+  if ("verifications" in payload) {
+    return {
+      protocol_version: "4.0",
+      nonce: rpNonce,
+      action: config.action ?? "",
+      responses: payload.verifications.map((v) => ({
+        identifier: v.verification_level,
+        proof: [v.proof],
+        nullifier: v.nullifier_hash,
+        merkle_root: v.merkle_root,
+        issuer_schema_id: 0,
+        expires_at_min: 0
+      })),
+      environment: "production"
+    };
+  }
+  return {
+    protocol_version: "3.0",
+    nonce: rpNonce,
+    action: config.action ?? "",
+    responses: [
+      {
+        identifier: payload.verification_level,
+        proof: payload.proof,
+        merkle_root: payload.merkle_root,
+        nullifier: payload.nullifier_hash
+      }
+    ],
+    environment: "production"
+  };
 }
 
 // src/request.ts
@@ -1913,9 +2166,52 @@ function secureDocumentLegacy(opts = {}) {
 function documentLegacy(opts = {}) {
   return { type: "DocumentLegacy", signal: opts.signal };
 }
+function createWasmBuilderFromConfig(config) {
+  if (!config.rp_context) {
+    throw new Error("rp_context is required for WASM bridge transport");
+  }
+  const rpContext = new idkit_wasm_exports.RpContextWasm(
+    config.rp_context.rp_id,
+    config.rp_context.nonce,
+    BigInt(config.rp_context.created_at),
+    BigInt(config.rp_context.expires_at),
+    config.rp_context.signature
+  );
+  if (config.type === "request") {
+    return idkit_wasm_exports.request(
+      config.app_id,
+      String(config.action ?? ""),
+      rpContext,
+      config.action_description ?? null,
+      config.bridge_url ?? null,
+      config.allow_legacy_proofs ?? false,
+      config.override_connect_base_url ?? null,
+      config.environment ?? null
+    );
+  }
+  if (config.type === "proveSession") {
+    return idkit_wasm_exports.proveSession(
+      config.session_id,
+      config.app_id,
+      rpContext,
+      config.action_description ?? null,
+      config.bridge_url ?? null,
+      config.override_connect_base_url ?? null,
+      config.environment ?? null
+    );
+  }
+  return idkit_wasm_exports.createSession(
+    config.app_id,
+    rpContext,
+    config.action_description ?? null,
+    config.bridge_url ?? null,
+    config.override_connect_base_url ?? null,
+    config.environment ?? null
+  );
+}
 var IDKitBuilder2 = class {
-  constructor(wasmBuilder) {
-    this.wasmBuilder = wasmBuilder;
+  constructor(config) {
+    this.config = config;
   }
   /**
    * Creates an IDKit request with the given constraints
@@ -1925,36 +2221,45 @@ var IDKitBuilder2 = class {
    *
    * @example
    * ```typescript
-   * const builder = await IDKit.request({ app_id, action, rp_context });
-   * const request = await builder.constraints(any(CredentialRequest('orb'), CredentialRequest('face')));
+   * const request = await IDKit.request({ app_id, action, rp_context, allow_legacy_proofs: false })
+   *   .constraints(any(CredentialRequest('orb'), CredentialRequest('face')));
    * ```
    */
-  //TODO: re-enable once this is supported and World ID 4.0 is rolled out live
-  // async constraints(constraints: ConstraintNode): Promise<IDKitRequest> {
-  //   await initIDKit();
-  //   const wasmRequest = (await this.wasmBuilder.constraints(
-  //     constraints,
-  //   )) as unknown as WasmModule.IDKitRequest;
-  //   return new IDKitRequestImpl(wasmRequest);
-  // }
+  async constraints(constraints) {
+    await initIDKit();
+    const wasmBuilder = createWasmBuilderFromConfig(this.config);
+    if (isInWorldApp()) {
+      const payload = wasmBuilder.nativePayload(constraints);
+      return createNativeRequest(payload, this.config);
+    }
+    const wasmRequest = await wasmBuilder.constraints(
+      constraints
+    );
+    return new IDKitRequestImpl(wasmRequest);
+  }
   /**
    * Creates an IDKit request from a preset (works for all request types)
    *
    * Presets provide a simplified way to create requests with predefined
    * credential configurations.
    *
-   * @param preset - A preset object from orbLegacy()
+   * @param preset - A preset object from orbLegacy(), secureDocumentLegacy(), or documentLegacy()
    * @returns A new IDKitRequest instance
    *
    * @example
    * ```typescript
-   * const builder = await IDKit.request({ app_id, action, rp_context });
-   * const request = await builder.preset(orbLegacy({ signal: 'user-123' }));
+   * const request = await IDKit.request({ app_id, action, rp_context, allow_legacy_proofs: true })
+   *   .preset(orbLegacy({ signal: 'user-123' }));
    * ```
    */
   async preset(preset) {
     await initIDKit();
-    const wasmRequest = await this.wasmBuilder.preset(
+    const wasmBuilder = createWasmBuilderFromConfig(this.config);
+    if (isInWorldApp()) {
+      const payload = wasmBuilder.nativePayloadFromPreset(preset);
+      return createNativeRequest(payload, this.config);
+    }
+    const wasmRequest = await wasmBuilder.preset(
       preset
     );
     return new IDKitRequestImpl(wasmRequest);
@@ -1968,55 +2273,45 @@ function createRequest(config) {
     throw new Error("action is required");
   }
   if (!config.rp_context) {
-    throw new Error("rp_context is required");
+    throw new Error(
+      "rp_context is required. Generate it on your backend using signRequest()."
+    );
   }
   if (typeof config.allow_legacy_proofs !== "boolean") {
     throw new Error(
       "allow_legacy_proofs is required. Set to true to accept v3 proofs during migration, or false to only accept v4 proofs."
     );
   }
-  const rpContext = new idkit_wasm_exports.RpContextWasm(
-    config.rp_context.rp_id,
-    config.rp_context.nonce,
-    BigInt(config.rp_context.created_at),
-    BigInt(config.rp_context.expires_at),
-    config.rp_context.signature
-  );
-  const wasmBuilder = idkit_wasm_exports.request(
-    config.app_id,
-    String(config.action),
-    rpContext,
-    config.action_description ?? null,
-    config.bridge_url ?? null,
-    config.allow_legacy_proofs,
-    config.override_connect_base_url ?? null,
-    config.environment ?? null
-  );
-  return new IDKitBuilder2(wasmBuilder);
+  return new IDKitBuilder2({
+    type: "request",
+    app_id: config.app_id,
+    action: String(config.action),
+    rp_context: config.rp_context,
+    action_description: config.action_description,
+    bridge_url: config.bridge_url,
+    allow_legacy_proofs: config.allow_legacy_proofs,
+    override_connect_base_url: config.override_connect_base_url,
+    environment: config.environment
+  });
 }
 function createSession2(config) {
   if (!config.app_id) {
     throw new Error("app_id is required");
   }
   if (!config.rp_context) {
-    throw new Error("rp_context is required");
+    throw new Error(
+      "rp_context is required. Generate it on your backend using signRequest()."
+    );
   }
-  const rpContext = new idkit_wasm_exports.RpContextWasm(
-    config.rp_context.rp_id,
-    config.rp_context.nonce,
-    BigInt(config.rp_context.created_at),
-    BigInt(config.rp_context.expires_at),
-    config.rp_context.signature
-  );
-  const wasmBuilder = idkit_wasm_exports.createSession(
-    config.app_id,
-    rpContext,
-    config.action_description ?? null,
-    config.bridge_url ?? null,
-    config.override_connect_base_url ?? null,
-    config.environment ?? null
-  );
-  return new IDKitBuilder2(wasmBuilder);
+  return new IDKitBuilder2({
+    type: "session",
+    app_id: config.app_id,
+    rp_context: config.rp_context,
+    action_description: config.action_description,
+    bridge_url: config.bridge_url,
+    override_connect_base_url: config.override_connect_base_url,
+    environment: config.environment
+  });
 }
 function proveSession2(sessionId, config) {
   if (!sessionId) {
@@ -2026,31 +2321,22 @@ function proveSession2(sessionId, config) {
     throw new Error("app_id is required");
   }
   if (!config.rp_context) {
-    throw new Error("rp_context is required");
+    throw new Error(
+      "rp_context is required. Generate it on your backend using signRequest()."
+    );
   }
-  const rpContext = new idkit_wasm_exports.RpContextWasm(
-    config.rp_context.rp_id,
-    config.rp_context.nonce,
-    BigInt(config.rp_context.created_at),
-    BigInt(config.rp_context.expires_at),
-    config.rp_context.signature
-  );
-  const wasmBuilder = idkit_wasm_exports.proveSession(
-    sessionId,
-    config.app_id,
-    rpContext,
-    config.action_description ?? null,
-    config.bridge_url ?? null,
-    config.override_connect_base_url ?? null,
-    config.environment ?? null
-  );
-  return new IDKitBuilder2(wasmBuilder);
+  return new IDKitBuilder2({
+    type: "proveSession",
+    session_id: sessionId,
+    app_id: config.app_id,
+    rp_context: config.rp_context,
+    action_description: config.action_description,
+    bridge_url: config.bridge_url,
+    override_connect_base_url: config.override_connect_base_url,
+    environment: config.environment
+  });
 }
 var IDKit = {
-  /** Initialize WASM for browser environments */
-  init: initIDKit,
-  /** Initialize WASM for Node.js/server environments */
-  initServer: initIDKitServer,
   /** Create a new verification request */
   request: createRequest,
   /** Create a new session (no action, no existing session_id) */
@@ -2093,21 +2379,71 @@ var isServerEnvironment = () => {
   }
   return false;
 };
+function hashToField(input) {
+  const hash = BigInt("0x" + utils.bytesToHex(sha3.keccak_256(input))) >> 8n;
+  return utils.hexToBytes(hash.toString(16).padStart(64, "0"));
+}
+function hashSignal2(signal) {
+  let input;
+  if (signal instanceof Uint8Array) {
+    input = signal;
+  } else if (signal.startsWith("0x") && isValidHex(signal.slice(2))) {
+    input = utils.hexToBytes(signal.slice(2));
+  } else {
+    input = new TextEncoder().encode(signal);
+  }
+  return "0x" + utils.bytesToHex(hashToField(input));
+}
+function isValidHex(s) {
+  if (s.length === 0) return false;
+  if (s.length % 2 !== 0) return false;
+  return /^[0-9a-fA-F]+$/.test(s);
+}
 
-// src/lib/rp-signature.ts
-function signRequest2(action, signingKeyHex, ttlSeconds) {
+// src/lib/signing.ts
+secp256k1.etc.hmacSha256Sync = (key, ...msgs) => hmac.hmac(sha2.sha256, key, secp256k1.etc.concatBytes(...msgs));
+var DEFAULT_TTL_SEC = 300;
+function computeRpSignatureMessage(nonceBytes, createdAt, expiresAt) {
+  const message = new Uint8Array(48);
+  message.set(nonceBytes, 0);
+  const view = new DataView(message.buffer);
+  view.setBigUint64(32, BigInt(createdAt), false);
+  view.setBigUint64(40, BigInt(expiresAt), false);
+  return message;
+}
+function signRequest2(_action, signingKeyHex, ttl = DEFAULT_TTL_SEC) {
   if (!isServerEnvironment()) {
     throw new Error(
       "signRequest can only be used in Node.js environments. This function requires access to signing keys and should never be called from browser/client-side code."
     );
   }
-  const ttlBigInt = ttlSeconds !== void 0 ? BigInt(ttlSeconds) : void 0;
-  return idkit_wasm_exports.signRequest(action, signingKeyHex, ttlBigInt);
-}
-
-// src/lib/hashing.ts
-function hashSignal2(signal) {
-  return idkit_wasm_exports.hashSignal(signal);
+  const keyHex = signingKeyHex.startsWith("0x") ? signingKeyHex.slice(2) : signingKeyHex;
+  if (!/^[0-9a-fA-F]+$/.test(keyHex)) {
+    throw new Error("Invalid signing key: contains non-hex characters");
+  }
+  if (keyHex.length !== 64) {
+    throw new Error(
+      `Invalid signing key: expected 32 bytes (64 hex chars), got ${keyHex.length / 2} bytes`
+    );
+  }
+  const privKey = secp256k1.etc.hexToBytes(keyHex);
+  const randomBytes = crypto.getRandomValues(new Uint8Array(32));
+  const nonceBytes = hashToField(randomBytes);
+  const createdAt = Math.floor(Date.now() / 1e3);
+  const expiresAt = createdAt + ttl;
+  const message = computeRpSignatureMessage(nonceBytes, createdAt, expiresAt);
+  const msgHash = sha3.keccak_256(message);
+  const recSig = secp256k1.sign(msgHash, privKey);
+  const compact = recSig.toCompactRawBytes();
+  const sig65 = new Uint8Array(65);
+  sig65.set(compact, 0);
+  sig65[64] = recSig.recovery + 27;
+  return {
+    sig: "0x" + utils.bytesToHex(sig65),
+    nonce: "0x" + utils.bytesToHex(nonceBytes),
+    createdAt,
+    expiresAt
+  };
 }
 
 exports.CredentialRequest = CredentialRequest;