@zama-fhe/relayer-sdk 0.2.0-5 → 0.2.0

package/lib/node.cjs

@@ -57,6 +57,32 @@ const bytesToBigInt = function (byteArray) {
     return BigInt(`0x${hex}`);
 };
 
+function setAuth(init, auth) {
+    if (auth) {
+        switch (auth.__type) {
+            case 'BearerToken':
+                init.headers['Authorization'] =
+                    `Bearer ${auth.token}`;
+                break;
+            case 'ApiKeyHeader':
+                init.headers[auth.header || 'x-api-key'] =
+                    auth.value;
+                break;
+            case 'ApiKeyCookie':
+                if (typeof window !== 'undefined') {
+                    document.cookie = `${auth.cookie || 'x-api-key'}=${auth.value}; path=/; SameSite=Lax; Secure; HttpOnly;`;
+                    init.credentials = 'include';
+                }
+                else {
+                    let cookie = `${auth.cookie || 'x-api-key'}=${auth.value};`;
+                    init.headers['Cookie'] = cookie;
+                }
+                break;
+        }
+    }
+    return init;
+}
+
 function getErrorCause(e) {
     if (e instanceof Error && typeof e.cause === 'object' && e.cause !== null) {
         return e.cause;
@@ -238,14 +264,13 @@ function assertIsRelayerFetchResponseJson(json) {
     }
 }
 async function fetchRelayerJsonRpcPost(relayerOperation, url, payload, options) {
-    const init = {
+    const init = setAuth({
         method: 'POST',
         headers: {
             'Content-Type': 'application/json',
-            ...(options?.apiKey && { 'x-api-key': options.apiKey }),
         },
         body: JSON.stringify(payload),
-    };
+    }, options?.auth);
     let response;
     let json;
     try {
@@ -615,7 +640,7 @@ function checkDeadlineValidity(startTimestamp, durationDays) {
         throw Error('User decrypt request has expired');
     }
 }
-const userDecryptRequest = (kmsSigners, gatewayChainId, chainId, verifyingContractAddress, aclContractAddress, relayerUrl, provider, options) => async (_handles, privateKey, publicKey, signature, contractAddresses, userAddress, startTimestamp, durationDays) => {
+const userDecryptRequest = (kmsSigners, gatewayChainId, chainId, verifyingContractAddress, aclContractAddress, relayerUrl, provider, instanceOptions) => async (_handles, privateKey, publicKey, signature, contractAddresses, userAddress, startTimestamp, durationDays, options) => {
     const extraData = '0x00';
     let pubKey;
     let privKey;
@@ -674,7 +699,7 @@ const userDecryptRequest = (kmsSigners, gatewayChainId, chainId, verifyingContra
         publicKey: publicKeySanitized,
         extraData,
     };
-    const json = await fetchRelayerJsonRpcPost('USER_DECRYPT', `${relayerUrl}/v1/user-decrypt`, payloadForRequest, options);
+    const json = await fetchRelayerJsonRpcPost('USER_DECRYPT', `${relayerUrl}/v1/user-decrypt`, payloadForRequest, instanceOptions ?? options);
     // assume the KMS Signers have the correct order
     let indexedKmsSigners = kmsSigners.map((signer, index) => {
         return TKMS.new_server_id_addr(index + 1, signer);
@@ -956,7 +981,7 @@ function isFhevmRelayerInputProofResponse(json) {
     return (response.signatures.every((s) => typeof s === 'string') &&
         response.handles.every((h) => typeof h === 'string'));
 }
-const createRelayerEncryptedInput = (aclContractAddress, verifyingContractAddressInputVerification, chainId, gatewayChainId, relayerUrl, tfheCompactPublicKey, publicParams, coprocessorSigners, thresholdCoprocessorSigners) => (contractAddress, userAddress) => {
+const createRelayerEncryptedInput = (aclContractAddress, verifyingContractAddressInputVerification, chainId, gatewayChainId, relayerUrl, tfheCompactPublicKey, publicParams, coprocessorSigners, thresholdCoprocessorSigners, instanceOptions) => (contractAddress, userAddress) => {
     if (!ethers.isAddress(contractAddress)) {
         throw new Error('Contract address is not a valid address.');
     }
@@ -1019,7 +1044,7 @@ const createRelayerEncryptedInput = (aclContractAddress, verifyingContractAddres
                 contractChainId: ('0x' + chainId.toString(16)),
                 extraData,
             };
-            const json = await fetchRelayerJsonRpcPost('INPUT_PROOF', `${relayerUrl}/v1/input-proof`, payload, options);
+            const json = await fetchRelayerJsonRpcPost('INPUT_PROOF', `${relayerUrl}/v1/input-proof`, payload, options ?? instanceOptions);
             if (!isFhevmRelayerInputProofResponse(json)) {
                 throwRelayerInternalError('INPUT_PROOF', json);
             }
@@ -1141,7 +1166,7 @@ function deserializeDecryptedResult(handles, decryptedResult) {
     handles.forEach((handle, idx) => (results[handle] = rawValues[idx]));
     return results;
 }
-const publicDecryptRequest = (kmsSigners, thresholdSigners, gatewayChainId, verifyingContractAddress, aclContractAddress, relayerUrl, provider, options) => async (_handles) => {
+const publicDecryptRequest = (kmsSigners, thresholdSigners, gatewayChainId, verifyingContractAddress, aclContractAddress, relayerUrl, provider, instanceOptions) => async (_handles, options) => {
     const extraData = '0x00';
     const acl = new ethers.ethers.Contract(aclContractAddress, aclABI, provider);
     let handles;
@@ -1166,7 +1191,7 @@ const publicDecryptRequest = (kmsSigners, thresholdSigners, gatewayChainId, veri
         ciphertextHandles: handles,
         extraData,
     };
-    const json = await fetchRelayerJsonRpcPost('PUBLIC_DECRYPT', `${relayerUrl}/v1/public-decrypt`, payloadForRequest, options);
+    const json = await fetchRelayerJsonRpcPost('PUBLIC_DECRYPT', `${relayerUrl}/v1/public-decrypt`, payloadForRequest, options ?? instanceOptions);
     // verify signatures on decryption:
     const domain = {
         name: 'Decryption',
@@ -1186,9 +1211,10 @@ const publicDecryptRequest = (kmsSigners, thresholdSigners, gatewayChainId, veri
         ? result.decrypted_value
         : `0x${result.decrypted_value}`;
     const signatures = result.signatures;
+    const signedExtraData = '0x';
     const recoveredAddresses = signatures.map((signature) => {
         const sig = signature.startsWith('0x') ? signature : `0x${signature}`;
-        const recoveredAddress = ethers.ethers.verifyTypedData(domain, types, { ctHandles: handles, decryptedResult, extraData }, sig);
+        const recoveredAddress = ethers.ethers.verifyTypedData(domain, types, { ctHandles: handles, decryptedResult, extraData: signedExtraData }, sig);
         return recoveredAddress;
     });
     const thresholdReached = isThresholdReached(kmsSigners, recoveredAddresses, thresholdSigners);
@@ -1329,7 +1355,7 @@ const SepoliaConfig = {
     relayerUrl: 'https://relayer.testnet.zama.cloud',
 };
 const createInstance = async (config) => {
-    const { verifyingContractAddressDecryption, verifyingContractAddressInputVerification, publicKey, kmsContractAddress, aclContractAddress, gatewayChainId, } = config;
+    const { verifyingContractAddressDecryption, verifyingContractAddressInputVerification, publicKey, kmsContractAddress, aclContractAddress, gatewayChainId, auth, } = config;
     if (!kmsContractAddress || !ethers.isAddress(kmsContractAddress)) {
         throw new Error('KMS contract address is not valid or empty');
     }
@@ -1361,8 +1387,8 @@ const createInstance = async (config) => {
         createEncryptedInput: createRelayerEncryptedInput(aclContractAddress, verifyingContractAddressInputVerification, chainId, gatewayChainId, cleanURL(config.relayerUrl), publicKeyData.publicKey, publicParamsData, coprocessorSigners, thresholdCoprocessorSigners),
         generateKeypair,
         createEIP712: createEIP712(verifyingContractAddressDecryption, chainId),
-        publicDecrypt: publicDecryptRequest(kmsSigners, thresholdKMSSigners, gatewayChainId, verifyingContractAddressDecryption, aclContractAddress, cleanURL(config.relayerUrl), provider),
-        userDecrypt: userDecryptRequest(kmsSigners, gatewayChainId, chainId, verifyingContractAddressDecryption, aclContractAddress, cleanURL(config.relayerUrl), provider),
+        publicDecrypt: publicDecryptRequest(kmsSigners, thresholdKMSSigners, gatewayChainId, verifyingContractAddressDecryption, aclContractAddress, cleanURL(config.relayerUrl), provider, auth && { auth }),
+        userDecrypt: userDecryptRequest(kmsSigners, gatewayChainId, chainId, verifyingContractAddressDecryption, aclContractAddress, cleanURL(config.relayerUrl), provider, auth && { auth }),
         getPublicKey: () => publicKeyData.publicKey
             ? {
                 publicKey: publicKeyData.publicKey.safe_serialize(SERIALIZED_SIZE_LIMIT_PK),

package/lib/node.d.ts

@@ -3,6 +3,56 @@ import { Eip1193Provider } from 'ethers';
 import { TfheClientKey } from 'node-tfhe';
 import { TfheCompactPublicKey } from 'node-tfhe';
 
+/**
+ * Custom cookie authentication
+ */
+declare type ApiKeyCookie = {
+    __type: 'ApiKeyCookie';
+    /**
+     * The cookie name. The default value is `x-api-key`.
+     */
+    cookie?: string;
+    /**
+     * The API key.
+     */
+    value: string;
+};
+
+/**
+ * Custom header authentication
+ */
+declare type ApiKeyHeader = {
+    __type: 'ApiKeyHeader';
+    /**
+     * The header name. The default value is `x-api-key`.
+     */
+    header?: string;
+    /**
+     * The API key.
+     */
+    value: string;
+};
+
+/**
+ * Set the authentication method for the request. The default is no authentication.
+ * It supports:
+ * - Bearer Token
+ * - Custom header
+ * - Custom cookie
+ */
+declare type Auth = BearerToken | ApiKeyHeader | ApiKeyCookie;
+
+/**
+ * Bearer Token Authentication
+ */
+declare type BearerToken = {
+    __type: 'BearerToken';
+    /**
+     * The Bearer token.
+     */
+    token: string;
+};
+
 /**
  * Creates an EIP712 structure specifically for user decrypt requests
  *
@@ -99,6 +149,7 @@ export declare type FhevmInstanceConfig = {
         data: Uint8Array | null;
         id: string | null;
     };
+    auth?: Auth;
 };
 
 export declare const generateKeypair: () => {
@@ -133,7 +184,7 @@ export declare type RelayerEncryptedInput = {
     addAddress: (value: string) => RelayerEncryptedInput;
     getBits: () => EncryptionTypes[];
     encrypt: (options?: {
-        apiKey?: string;
+        auth?: Auth;
     }) => Promise<{
         handles: Uint8Array[];
         inputProof: Uint8Array;

package/lib/node.js

@@ -36,6 +36,32 @@ const bytesToBigInt = function (byteArray) {
     return BigInt(`0x${hex}`);
 };
 
+function setAuth(init, auth) {
+    if (auth) {
+        switch (auth.__type) {
+            case 'BearerToken':
+                init.headers['Authorization'] =
+                    `Bearer ${auth.token}`;
+                break;
+            case 'ApiKeyHeader':
+                init.headers[auth.header || 'x-api-key'] =
+                    auth.value;
+                break;
+            case 'ApiKeyCookie':
+                if (typeof window !== 'undefined') {
+                    document.cookie = `${auth.cookie || 'x-api-key'}=${auth.value}; path=/; SameSite=Lax; Secure; HttpOnly;`;
+                    init.credentials = 'include';
+                }
+                else {
+                    let cookie = `${auth.cookie || 'x-api-key'}=${auth.value};`;
+                    init.headers['Cookie'] = cookie;
+                }
+                break;
+        }
+    }
+    return init;
+}
+
 function getErrorCause(e) {
     if (e instanceof Error && typeof e.cause === 'object' && e.cause !== null) {
         return e.cause;
@@ -217,14 +243,13 @@ function assertIsRelayerFetchResponseJson(json) {
     }
 }
 async function fetchRelayerJsonRpcPost(relayerOperation, url, payload, options) {
-    const init = {
+    const init = setAuth({
         method: 'POST',
         headers: {
             'Content-Type': 'application/json',
-            ...(options?.apiKey && { 'x-api-key': options.apiKey }),
         },
         body: JSON.stringify(payload),
-    };
+    }, options?.auth);
     let response;
     let json;
     try {
@@ -594,7 +619,7 @@ function checkDeadlineValidity(startTimestamp, durationDays) {
         throw Error('User decrypt request has expired');
     }
 }
-const userDecryptRequest = (kmsSigners, gatewayChainId, chainId, verifyingContractAddress, aclContractAddress, relayerUrl, provider, options) => async (_handles, privateKey, publicKey, signature, contractAddresses, userAddress, startTimestamp, durationDays) => {
+const userDecryptRequest = (kmsSigners, gatewayChainId, chainId, verifyingContractAddress, aclContractAddress, relayerUrl, provider, instanceOptions) => async (_handles, privateKey, publicKey, signature, contractAddresses, userAddress, startTimestamp, durationDays, options) => {
     const extraData = '0x00';
     let pubKey;
     let privKey;
@@ -653,7 +678,7 @@ const userDecryptRequest = (kmsSigners, gatewayChainId, chainId, verifyingContra
         publicKey: publicKeySanitized,
         extraData,
     };
-    const json = await fetchRelayerJsonRpcPost('USER_DECRYPT', `${relayerUrl}/v1/user-decrypt`, payloadForRequest, options);
+    const json = await fetchRelayerJsonRpcPost('USER_DECRYPT', `${relayerUrl}/v1/user-decrypt`, payloadForRequest, instanceOptions ?? options);
     // assume the KMS Signers have the correct order
     let indexedKmsSigners = kmsSigners.map((signer, index) => {
         return TKMS.new_server_id_addr(index + 1, signer);
@@ -935,7 +960,7 @@ function isFhevmRelayerInputProofResponse(json) {
     return (response.signatures.every((s) => typeof s === 'string') &&
         response.handles.every((h) => typeof h === 'string'));
 }
-const createRelayerEncryptedInput = (aclContractAddress, verifyingContractAddressInputVerification, chainId, gatewayChainId, relayerUrl, tfheCompactPublicKey, publicParams, coprocessorSigners, thresholdCoprocessorSigners) => (contractAddress, userAddress) => {
+const createRelayerEncryptedInput = (aclContractAddress, verifyingContractAddressInputVerification, chainId, gatewayChainId, relayerUrl, tfheCompactPublicKey, publicParams, coprocessorSigners, thresholdCoprocessorSigners, instanceOptions) => (contractAddress, userAddress) => {
     if (!isAddress(contractAddress)) {
         throw new Error('Contract address is not a valid address.');
     }
@@ -998,7 +1023,7 @@ const createRelayerEncryptedInput = (aclContractAddress, verifyingContractAddres
                 contractChainId: ('0x' + chainId.toString(16)),
                 extraData,
             };
-            const json = await fetchRelayerJsonRpcPost('INPUT_PROOF', `${relayerUrl}/v1/input-proof`, payload, options);
+            const json = await fetchRelayerJsonRpcPost('INPUT_PROOF', `${relayerUrl}/v1/input-proof`, payload, options ?? instanceOptions);
             if (!isFhevmRelayerInputProofResponse(json)) {
                 throwRelayerInternalError('INPUT_PROOF', json);
             }
@@ -1120,7 +1145,7 @@ function deserializeDecryptedResult(handles, decryptedResult) {
     handles.forEach((handle, idx) => (results[handle] = rawValues[idx]));
     return results;
 }
-const publicDecryptRequest = (kmsSigners, thresholdSigners, gatewayChainId, verifyingContractAddress, aclContractAddress, relayerUrl, provider, options) => async (_handles) => {
+const publicDecryptRequest = (kmsSigners, thresholdSigners, gatewayChainId, verifyingContractAddress, aclContractAddress, relayerUrl, provider, instanceOptions) => async (_handles, options) => {
     const extraData = '0x00';
     const acl = new ethers.Contract(aclContractAddress, aclABI, provider);
     let handles;
@@ -1145,7 +1170,7 @@ const publicDecryptRequest = (kmsSigners, thresholdSigners, gatewayChainId, veri
         ciphertextHandles: handles,
         extraData,
     };
-    const json = await fetchRelayerJsonRpcPost('PUBLIC_DECRYPT', `${relayerUrl}/v1/public-decrypt`, payloadForRequest, options);
+    const json = await fetchRelayerJsonRpcPost('PUBLIC_DECRYPT', `${relayerUrl}/v1/public-decrypt`, payloadForRequest, options ?? instanceOptions);
     // verify signatures on decryption:
     const domain = {
         name: 'Decryption',
@@ -1165,9 +1190,10 @@ const publicDecryptRequest = (kmsSigners, thresholdSigners, gatewayChainId, veri
         ? result.decrypted_value
         : `0x${result.decrypted_value}`;
     const signatures = result.signatures;
+    const signedExtraData = '0x';
     const recoveredAddresses = signatures.map((signature) => {
         const sig = signature.startsWith('0x') ? signature : `0x${signature}`;
-        const recoveredAddress = ethers.verifyTypedData(domain, types, { ctHandles: handles, decryptedResult, extraData }, sig);
+        const recoveredAddress = ethers.verifyTypedData(domain, types, { ctHandles: handles, decryptedResult, extraData: signedExtraData }, sig);
         return recoveredAddress;
     });
     const thresholdReached = isThresholdReached(kmsSigners, recoveredAddresses, thresholdSigners);
@@ -1308,7 +1334,7 @@ const SepoliaConfig = {
     relayerUrl: 'https://relayer.testnet.zama.cloud',
 };
 const createInstance = async (config) => {
-    const { verifyingContractAddressDecryption, verifyingContractAddressInputVerification, publicKey, kmsContractAddress, aclContractAddress, gatewayChainId, } = config;
+    const { verifyingContractAddressDecryption, verifyingContractAddressInputVerification, publicKey, kmsContractAddress, aclContractAddress, gatewayChainId, auth, } = config;
     if (!kmsContractAddress || !isAddress(kmsContractAddress)) {
         throw new Error('KMS contract address is not valid or empty');
     }
@@ -1340,8 +1366,8 @@ const createInstance = async (config) => {
         createEncryptedInput: createRelayerEncryptedInput(aclContractAddress, verifyingContractAddressInputVerification, chainId, gatewayChainId, cleanURL(config.relayerUrl), publicKeyData.publicKey, publicParamsData, coprocessorSigners, thresholdCoprocessorSigners),
         generateKeypair,
         createEIP712: createEIP712(verifyingContractAddressDecryption, chainId),
-        publicDecrypt: publicDecryptRequest(kmsSigners, thresholdKMSSigners, gatewayChainId, verifyingContractAddressDecryption, aclContractAddress, cleanURL(config.relayerUrl), provider),
-        userDecrypt: userDecryptRequest(kmsSigners, gatewayChainId, chainId, verifyingContractAddressDecryption, aclContractAddress, cleanURL(config.relayerUrl), provider),
+        publicDecrypt: publicDecryptRequest(kmsSigners, thresholdKMSSigners, gatewayChainId, verifyingContractAddressDecryption, aclContractAddress, cleanURL(config.relayerUrl), provider, auth && { auth }),
+        userDecrypt: userDecryptRequest(kmsSigners, gatewayChainId, chainId, verifyingContractAddressDecryption, aclContractAddress, cleanURL(config.relayerUrl), provider, auth && { auth }),
         getPublicKey: () => publicKeyData.publicKey
             ? {
                 publicKey: publicKeyData.publicKey.safe_serialize(SERIALIZED_SIZE_LIMIT_PK),

package/lib/web.d.ts

@@ -2,6 +2,56 @@ import { Eip1193Provider } from 'ethers';
 import { InitInput as KMSInput } from 'tkms';
 import { InitInput as TFHEInput } from 'tfhe';
 
+/**
+ * Custom cookie authentication
+ */
+declare type ApiKeyCookie = {
+    __type: 'ApiKeyCookie';
+    /**
+     * The cookie name. The default value is `x-api-key`.
+     */
+    cookie?: string;
+    /**
+     * The API key.
+     */
+    value: string;
+};
+
+/**
+ * Custom header authentication
+ */
+declare type ApiKeyHeader = {
+    __type: 'ApiKeyHeader';
+    /**
+     * The header name. The default value is `x-api-key`.
+     */
+    header?: string;
+    /**
+     * The API key.
+     */
+    value: string;
+};
+
+/**
+ * Set the authentication method for the request. The default is no authentication.
+ * It supports:
+ * - Bearer Token
+ * - Custom header
+ * - Custom cookie
+ */
+declare type Auth = BearerToken | ApiKeyHeader | ApiKeyCookie;
+
+/**
+ * Bearer Token Authentication
+ */
+declare type BearerToken = {
+    __type: 'BearerToken';
+    /**
+     * The Bearer token.
+     */
+    token: string;
+};
+
 /**
  * Creates an EIP712 structure specifically for user decrypt requests
  *
@@ -90,6 +140,7 @@ export declare type FhevmInstanceConfig = {
         data: Uint8Array | null;
         id: string | null;
     };
+    auth?: Auth;
 };
 
 export declare const generateKeypair: () => {
@@ -132,7 +183,7 @@ export declare type RelayerEncryptedInput = {
     addAddress: (value: string) => RelayerEncryptedInput;
     getBits: () => EncryptionTypes[];
     encrypt: (options?: {
-        apiKey?: string;
+        auth?: Auth;
     }) => Promise<{
         handles: Uint8Array[];
         inputProof: Uint8Array;

package/lib/web.js

@@ -16167,6 +16167,32 @@ const bytesToBigInt = function (byteArray) {
     return BigInt(`0x${hex}`);
 };
 
+function setAuth(init, auth) {
+    if (auth) {
+        switch (auth.__type) {
+            case 'BearerToken':
+                init.headers['Authorization'] =
+                    `Bearer ${auth.token}`;
+                break;
+            case 'ApiKeyHeader':
+                init.headers[auth.header || 'x-api-key'] =
+                    auth.value;
+                break;
+            case 'ApiKeyCookie':
+                if (typeof window !== 'undefined') {
+                    document.cookie = `${auth.cookie || 'x-api-key'}=${auth.value}; path=/; SameSite=Lax; Secure; HttpOnly;`;
+                    init.credentials = 'include';
+                }
+                else {
+                    let cookie = `${auth.cookie || 'x-api-key'}=${auth.value};`;
+                    init.headers['Cookie'] = cookie;
+                }
+                break;
+        }
+    }
+    return init;
+}
+
 function getErrorCause(e) {
     if (e instanceof Error && typeof e.cause === 'object' && e.cause !== null) {
         return e.cause;
@@ -16348,14 +16374,13 @@ function assertIsRelayerFetchResponseJson(json) {
     }
 }
 async function fetchRelayerJsonRpcPost(relayerOperation, url, payload, options) {
-    const init = {
+    const init = setAuth({
         method: 'POST',
         headers: {
             'Content-Type': 'application/json',
-            ...(options?.apiKey && { 'x-api-key': options.apiKey }),
         },
         body: JSON.stringify(payload),
-    };
+    }, options?.auth);
     let response;
     let json;
     try {
@@ -16725,7 +16750,7 @@ function checkDeadlineValidity(startTimestamp, durationDays) {
         throw Error('User decrypt request has expired');
     }
 }
-const userDecryptRequest = (kmsSigners, gatewayChainId, chainId, verifyingContractAddress, aclContractAddress, relayerUrl, provider, options) => async (_handles, privateKey, publicKey, signature, contractAddresses, userAddress, startTimestamp, durationDays) => {
+const userDecryptRequest = (kmsSigners, gatewayChainId, chainId, verifyingContractAddress, aclContractAddress, relayerUrl, provider, instanceOptions) => async (_handles, privateKey, publicKey, signature, contractAddresses, userAddress, startTimestamp, durationDays, options) => {
     const extraData = '0x00';
     let pubKey;
     let privKey;
@@ -16784,7 +16809,7 @@ const userDecryptRequest = (kmsSigners, gatewayChainId, chainId, verifyingContra
         publicKey: publicKeySanitized,
         extraData,
     };
-    const json = await fetchRelayerJsonRpcPost('USER_DECRYPT', `${relayerUrl}/v1/user-decrypt`, payloadForRequest, options);
+    const json = await fetchRelayerJsonRpcPost('USER_DECRYPT', `${relayerUrl}/v1/user-decrypt`, payloadForRequest, instanceOptions ?? options);
     // assume the KMS Signers have the correct order
     let indexedKmsSigners = kmsSigners.map((signer, index) => {
         return TKMS.new_server_id_addr(index + 1, signer);
@@ -17066,7 +17091,7 @@ function isFhevmRelayerInputProofResponse(json) {
     return (response.signatures.every((s) => typeof s === 'string') &&
         response.handles.every((h) => typeof h === 'string'));
 }
-const createRelayerEncryptedInput = (aclContractAddress, verifyingContractAddressInputVerification, chainId, gatewayChainId, relayerUrl, tfheCompactPublicKey, publicParams, coprocessorSigners, thresholdCoprocessorSigners) => (contractAddress, userAddress) => {
+const createRelayerEncryptedInput = (aclContractAddress, verifyingContractAddressInputVerification, chainId, gatewayChainId, relayerUrl, tfheCompactPublicKey, publicParams, coprocessorSigners, thresholdCoprocessorSigners, instanceOptions) => (contractAddress, userAddress) => {
     if (!isAddress(contractAddress)) {
         throw new Error('Contract address is not a valid address.');
     }
@@ -17129,7 +17154,7 @@ const createRelayerEncryptedInput = (aclContractAddress, verifyingContractAddres
                 contractChainId: ('0x' + chainId.toString(16)),
                 extraData,
             };
-            const json = await fetchRelayerJsonRpcPost('INPUT_PROOF', `${relayerUrl}/v1/input-proof`, payload, options);
+            const json = await fetchRelayerJsonRpcPost('INPUT_PROOF', `${relayerUrl}/v1/input-proof`, payload, options ?? instanceOptions);
             if (!isFhevmRelayerInputProofResponse(json)) {
                 throwRelayerInternalError('INPUT_PROOF', json);
             }
@@ -17251,7 +17276,7 @@ function deserializeDecryptedResult(handles, decryptedResult) {
     handles.forEach((handle, idx) => (results[handle] = rawValues[idx]));
     return results;
 }
-const publicDecryptRequest = (kmsSigners, thresholdSigners, gatewayChainId, verifyingContractAddress, aclContractAddress, relayerUrl, provider, options) => async (_handles) => {
+const publicDecryptRequest = (kmsSigners, thresholdSigners, gatewayChainId, verifyingContractAddress, aclContractAddress, relayerUrl, provider, instanceOptions) => async (_handles, options) => {
     const extraData = '0x00';
     const acl = new ethers.Contract(aclContractAddress, aclABI, provider);
     let handles;
@@ -17276,7 +17301,7 @@ const publicDecryptRequest = (kmsSigners, thresholdSigners, gatewayChainId, veri
         ciphertextHandles: handles,
         extraData,
     };
-    const json = await fetchRelayerJsonRpcPost('PUBLIC_DECRYPT', `${relayerUrl}/v1/public-decrypt`, payloadForRequest, options);
+    const json = await fetchRelayerJsonRpcPost('PUBLIC_DECRYPT', `${relayerUrl}/v1/public-decrypt`, payloadForRequest, options ?? instanceOptions);
     // verify signatures on decryption:
     const domain = {
         name: 'Decryption',
@@ -17296,9 +17321,10 @@ const publicDecryptRequest = (kmsSigners, thresholdSigners, gatewayChainId, veri
         ? result.decrypted_value
         : `0x${result.decrypted_value}`;
     const signatures = result.signatures;
+    const signedExtraData = '0x';
     const recoveredAddresses = signatures.map((signature) => {
         const sig = signature.startsWith('0x') ? signature : `0x${signature}`;
-        const recoveredAddress = ethers.verifyTypedData(domain, types, { ctHandles: handles, decryptedResult, extraData }, sig);
+        const recoveredAddress = ethers.verifyTypedData(domain, types, { ctHandles: handles, decryptedResult, extraData: signedExtraData }, sig);
         return recoveredAddress;
     });
     const thresholdReached = isThresholdReached(kmsSigners, recoveredAddresses, thresholdSigners);
@@ -17439,7 +17465,7 @@ const SepoliaConfig = {
     relayerUrl: 'https://relayer.testnet.zama.cloud',
 };
 const createInstance = async (config) => {
-    const { verifyingContractAddressDecryption, verifyingContractAddressInputVerification, publicKey, kmsContractAddress, aclContractAddress, gatewayChainId, } = config;
+    const { verifyingContractAddressDecryption, verifyingContractAddressInputVerification, publicKey, kmsContractAddress, aclContractAddress, gatewayChainId, auth, } = config;
     if (!kmsContractAddress || !isAddress(kmsContractAddress)) {
         throw new Error('KMS contract address is not valid or empty');
     }
@@ -17471,8 +17497,8 @@ const createInstance = async (config) => {
         createEncryptedInput: createRelayerEncryptedInput(aclContractAddress, verifyingContractAddressInputVerification, chainId, gatewayChainId, cleanURL(config.relayerUrl), publicKeyData.publicKey, publicParamsData, coprocessorSigners, thresholdCoprocessorSigners),
         generateKeypair,
         createEIP712: createEIP712(verifyingContractAddressDecryption, chainId),
-        publicDecrypt: publicDecryptRequest(kmsSigners, thresholdKMSSigners, gatewayChainId, verifyingContractAddressDecryption, aclContractAddress, cleanURL(config.relayerUrl), provider),
-        userDecrypt: userDecryptRequest(kmsSigners, gatewayChainId, chainId, verifyingContractAddressDecryption, aclContractAddress, cleanURL(config.relayerUrl), provider),
+        publicDecrypt: publicDecryptRequest(kmsSigners, thresholdKMSSigners, gatewayChainId, verifyingContractAddressDecryption, aclContractAddress, cleanURL(config.relayerUrl), provider, auth && { auth }),
+        userDecrypt: userDecryptRequest(kmsSigners, gatewayChainId, chainId, verifyingContractAddressDecryption, aclContractAddress, cleanURL(config.relayerUrl), provider, auth && { auth }),
         getPublicKey: () => publicKeyData.publicKey
             ? {
                 publicKey: publicKeyData.publicKey.safe_serialize(SERIALIZED_SIZE_LIMIT_PK),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zama-fhe/relayer-sdk",
-  "version": "0.2.0-5",
+  "version": "0.2.0",
   "description": "fhevm Relayer SDK",
   "main": "lib/node.js",
   "types": "lib/node.d.ts",
@@ -61,15 +61,15 @@
     "ethers": "^6.15.0",
     "fetch-retry": "^6.0.0",
     "keccak": "^3.0.4",
-    "wasm-feature-detect": "^1.8.0",
     "node-tfhe": "1.3.0",
+    "node-tkms": "^0.11.0",
     "tfhe": "1.3.0",
-    "node-tkms": "0.11.0-26",
-    "tkms": "0.11.0-26"
+    "tkms": "^0.11.0",
+    "wasm-feature-detect": "^1.8.0"
   },
   "devDependencies": {
-    "@fetch-mock/jest": "0.2.16",
     "@fetch-mock/core": "0.7.1",
+    "@fetch-mock/jest": "0.2.16",
     "@jest/globals": "30.0.4",
     "@microsoft/api-extractor": "7.52.8",
     "@rollup/plugin-alias": "5.1.1",
@@ -102,6 +102,6 @@
     "typescript": "5.8.3",
     "vite": "7.0.5",
     "vite-plugin-node-polyfills": "0.24.0",
-    "vite-plugin-static-copy": "3.1.1"
+    "vite-plugin-static-copy": "^3.1.2"
   }
 }