@zerodev/wallet-core 0.0.1-alpha.18 → 0.0.1-alpha.20

package/src/core/createZeroDevWallet.ts

@@ -1,4 +1,3 @@
-import { getWebAuthnAttestation } from '@turnkey/http'
 import type { LocalAccount } from 'viem/accounts'
 import type {
   EmailCustomization,
@@ -6,6 +5,7 @@ import type {
 } from '../actions/auth/index.js'
 import { toViemAccount } from '../adapters/viem.js'
 import {
+  type CreateTransportOptions,
   createAuthProxyClient,
   createClient,
   type ZeroDevWalletClient,
@@ -17,6 +17,7 @@ import {
   KMS_SERVER_URL,
 } from '../constants.js'
 import { createIndexedDbStamper } from '../stampers/indexedDbStamper.js'
+import type { ApiKeyStamper, PasskeyStamper } from '../stampers/types.js'
 import { createWebauthnStamper } from '../stampers/webauthnStamper.js'
 import { createWebStorageAdapter } from '../storage/adapters.js'
 import {
@@ -26,19 +27,16 @@ import {
 import { SessionType, type ZeroDevWalletSession } from '../types/session.js'
 import { buildClientSignature } from '../utils/buildClientSignature.js'
 import { encryptOtpAttempt } from '../utils/encryptOtpAttempt.js'
-import {
-  base64UrlEncode,
-  generateCompressedPublicKeyFromKeyPair,
-  generateRandomBuffer,
-  humanReadableDateTime,
-  parseSession,
-} from '../utils/utils.js'
+import { humanReadableDateTime, parseSession } from '../utils/utils.js'
 export interface ZeroDevWalletConfig {
   organizationId?: string
   proxyBaseUrl?: string
   projectId: string
   sessionStorage?: StorageAdapter
   rpId?: string
+  apiKeyStamper?: ApiKeyStamper
+  passkeyStamper?: PasskeyStamper
+  fetchOptions?: CreateTransportOptions['fetchOptions']
 }
 
 // Re-export EmailCustomization for convenience
@@ -134,15 +132,17 @@ export async function createZeroDevWallet(
     sessionStorage || createWebStorageAdapter(),
   )
 
-  const indexedDbStamper = await createIndexedDbStamper()
+  const apiKeyStamper = config.apiKeyStamper ?? (await createIndexedDbStamper())
 
-  const webauthnStamper = await createWebauthnStamper({ rpId })
+  const passkeyStamper =
+    config.passkeyStamper ?? (await createWebauthnStamper({ rpId }))
 
   const client = createClient({
-    indexedDbStamper,
-    webauthnStamper,
+    apiKeyStamper,
+    passkeyStamper,
     transport: zeroDevWalletTransport({
       baseUrl: config.proxyBaseUrl || `${KMS_SERVER_URL}/api/v1`,
+      ...(config.fetchOptions && { fetchOptions: config.fetchOptions }),
     }),
   })
 
@@ -151,8 +151,8 @@ export async function createZeroDevWallet(
   return {
     client,
     async getPublicKey() {
-      await client.indexedDbStamper.resetKeyPair()
-      const compressedPublicKey = await client.indexedDbStamper.getPublicKey()
+      await client.apiKeyStamper.resetKeyPair()
+      const compressedPublicKey = await client.apiKeyStamper.getPublicKey()
       return compressedPublicKey
     },
 
@@ -191,30 +191,22 @@ export async function createZeroDevWallet(
       if (!activeSession) {
         throw new Error('No active session')
       }
-      if (activeSession.stamperType === 'indexedDb') {
-        const newKeyPair = await crypto.subtle.generateKey(
-          {
-            name: 'ECDSA',
-            namedCurve: 'P-256',
-          },
-          false,
-          ['sign', 'verify'],
-        )
+      if (activeSession.stamperType === 'apiKey') {
         const compressedPublicKeyHex =
-          await generateCompressedPublicKeyFromKeyPair(newKeyPair)
+          await client.apiKeyStamper.prepareKeyRotation()
         const data = await client.loginWithStamp({
           targetPublicKey: compressedPublicKeyHex,
           projectId,
           organizationId: activeSession.organizationId,
-          stampWith: 'indexedDb',
+          stampWith: 'apiKey',
         })
-        await client.indexedDbStamper.resetKeyPair(newKeyPair)
+        await client.apiKeyStamper.commitKeyRotation()
         const parsedSession = parseSession(data.session)
         const session: ZeroDevWalletSession = {
           id: `session_indexedDb_${Date.now()}`,
           userId: parsedSession.userId,
           organizationId: parsedSession.organizationId,
-          stamperType: 'indexedDb',
+          stamperType: 'apiKey',
           sessionType: SessionType.READ_WRITE,
           token: data.session,
           expiry: parsedSession.expiry,
@@ -231,26 +223,26 @@ export async function createZeroDevWallet(
     async auth(params: AuthParams) {
       switch (params.type) {
         case 'oauth': {
+          const popSignature = await client.apiKeyStamper.sign(params.sessionId)
           const data = await client.authenticateWithOAuth({
             provider: params.provider,
             projectId,
             sessionId: params.sessionId,
+            popSignature,
           })
 
           if (data.session) {
             // Parse the JWT to get session data
             const parsedSession = parseSession(data.session)
-            const publicKey = await client.indexedDbStamper.getPublicKey()
             const session: ZeroDevWalletSession = {
               id: `session_oauth_${Date.now()}`,
               userId: parsedSession.userId,
               organizationId: parsedSession.organizationId,
-              stamperType: 'indexedDb',
+              stamperType: 'apiKey',
               sessionType: parsedSession.sessionType || SessionType.READ_WRITE,
               token: data.session,
               expiry: parsedSession.expiry,
               createdAt: Date.now(),
-              publicKey: publicKey || '',
             }
             await sessionStorageManager.storeSession(session, session.id)
           }
@@ -263,62 +255,35 @@ export async function createZeroDevWallet(
             'mode' in params &&
             params.mode === 'register'
           ) {
-            await client.indexedDbStamper.resetKeyPair()
-            const tempPublicKey = await client.indexedDbStamper.getPublicKey()
+            await client.apiKeyStamper.resetKeyPair()
+            const tempPublicKey = await client.apiKeyStamper.getPublicKey()
             if (!tempPublicKey) {
               throw new Error('Failed to get public key')
             }
-            const challenge = generateRandomBuffer()
-            const encodedChallenge = base64UrlEncode(challenge)
-            const authenticatorUserId = generateRandomBuffer()
             const name = `ZeroDevWallet-${humanReadableDateTime()}`
-            const attestation = await getWebAuthnAttestation({
-              publicKey: {
+            const { attestation, encodedChallenge } =
+              await passkeyStamper.register({
                 rp: { id: rpId, name: '' },
-                challenge,
-                pubKeyCredParams: [
-                  {
-                    type: 'public-key',
-                    alg: -7,
-                  },
-                  {
-                    type: 'public-key',
-                    alg: -257,
-                  },
-                ],
-                user: {
-                  id: authenticatorUserId,
-                  name,
-                  displayName: name,
-                },
-              },
-            })
+                userName: name,
+              })
             const data = await client.registerWithPasskey({
               attestation,
               challenge: encodedChallenge,
               projectId,
               encodedPublicKey: tempPublicKey,
             })
-            const newKeyPair = await crypto.subtle.generateKey(
-              {
-                name: 'ECDSA',
-                namedCurve: 'P-256',
-              },
-              false,
-              ['sign', 'verify'],
-            )
             const compressedPublicKeyHex =
-              await generateCompressedPublicKeyFromKeyPair(newKeyPair)
+              await client.apiKeyStamper.prepareKeyRotation()
             const loginData = await client.loginWithStamp({
               projectId,
               targetPublicKey: compressedPublicKeyHex,
               organizationId: data.subOrganizationId,
             })
-            await client.indexedDbStamper.resetKeyPair(newKeyPair)
+            await client.apiKeyStamper.commitKeyRotation()
             const parsedSession = parseSession(loginData.session)
             const session: ZeroDevWalletSession = {
               id: `session_indexedDb_${Date.now()}`,
-              stamperType: 'indexedDb',
+              stamperType: 'apiKey',
               createdAt: Date.now(),
               sessionType: SessionType.READ_WRITE,
               userId: parsedSession.userId,
@@ -336,9 +301,8 @@ export async function createZeroDevWallet(
             'mode' in params &&
             params.mode === 'login'
           ) {
-            await client.indexedDbStamper.resetKeyPair()
-            const generatedPublicKey =
-              await client.indexedDbStamper.getPublicKey()
+            await client.apiKeyStamper.resetKeyPair()
+            const generatedPublicKey = await client.apiKeyStamper.getPublicKey()
             if (!generatedPublicKey) {
               throw new Error('Failed to get public key')
             }
@@ -346,12 +310,12 @@ export async function createZeroDevWallet(
               targetPublicKey: generatedPublicKey,
               projectId,
               organizationId,
-              stampWith: 'webauthn',
+              stampWith: 'passkey',
             })
             const parsedSession = parseSession(loginData.session)
             const session: ZeroDevWalletSession = {
               id: `session_indexedDb_${Date.now()}`,
-              stamperType: 'indexedDb',
+              stamperType: 'apiKey',
               createdAt: Date.now(),
               sessionType: SessionType.READ_WRITE,
               userId: parsedSession.userId,
@@ -416,8 +380,8 @@ export async function createZeroDevWallet(
             const { otpId, otpCode, otpEncryptionTargetBundle } = otpParams
 
             // Step 1: Generate new key pair
-            await client.indexedDbStamper.resetKeyPair()
-            const targetPublicKey = await client.indexedDbStamper.getPublicKey()
+            await client.apiKeyStamper.resetKeyPair()
+            const targetPublicKey = await client.apiKeyStamper.getPublicKey()
 
             if (!targetPublicKey) {
               throw new Error('Failed to get public key')
@@ -449,7 +413,7 @@ export async function createZeroDevWallet(
             const clientSignature = await buildClientSignature({
               verificationToken,
               publicKey: targetPublicKey,
-              stamper: client.indexedDbStamper,
+              stamper: client.apiKeyStamper,
             })
 
             // Step 4: Login via backend (not Auth Proxy!)
@@ -466,13 +430,12 @@ export async function createZeroDevWallet(
                 id: `session_otp_${Date.now()}`,
                 userId: parsedSession.userId,
                 organizationId: parsedSession.organizationId,
-                stamperType: 'indexedDb',
+                stamperType: 'apiKey',
                 sessionType:
                   parsedSession.sessionType || SessionType.READ_WRITE,
                 token: data.session,
                 expiry: parsedSession.expiry,
                 createdAt: Date.now(),
-                publicKey: targetPublicKey,
               }
               await sessionStorageManager.storeSession(session, session.id)
             }
@@ -488,7 +451,7 @@ export async function createZeroDevWallet(
 
     async logout() {
       await sessionStorageManager.clearAllSessions()
-      await client.indexedDbStamper.resetKeyPair()
+      await client.apiKeyStamper.resetKeyPair()
       return true
     },
 

package/src/index.ts

@@ -56,7 +56,12 @@ export { toViemAccount } from './adapters/viem.js'
 export type { ZeroDevWalletActions } from './client/decorators/client.js'
 // Client decorators
 export { zeroDevWalletActions } from './client/decorators/client.js'
-export type { Client, ClientConfig, Transport } from './client/index.js'
+export type {
+  Client,
+  ClientConfig,
+  CreateTransportOptions,
+  Transport,
+} from './client/index.js'
 // Client
 export {
   createBaseClient,
@@ -80,9 +85,12 @@ export {
   createWebauthnStamper,
 } from './stampers/index.js'
 export type {
+  ApiKeyStamper,
+  Attestation,
   IframeStamper,
-  IndexedDbStamper,
-  WebauthnStamper,
+  PasskeyRegistrationOptions,
+  PasskeyRegistrationResult,
+  PasskeyStamper,
 } from './stampers/types.js'
 // Storage
 export type { StorageAdapter, StorageManager } from './storage/manager.js'

package/src/stampers/index.ts

@@ -1,8 +1,8 @@
 export { createIframeStamper } from './iframeStamper.js'
 export { createIndexedDbStamper } from './indexedDbStamper.js'
 export type {
+  ApiKeyStamper,
   IframeStamper,
-  IndexedDbStamper,
-  WebauthnStamper,
+  PasskeyStamper,
 } from './types.js'
 export { createWebauthnStamper } from './webauthnStamper.js'

package/src/stampers/indexedDbStamper.ts

@@ -1,10 +1,13 @@
 import { IndexedDbStamper as TurnkeyIndexedDbStamper } from '@turnkey/indexed-db-stamper'
-import type { IndexedDbStamper } from './types.js'
+import { generateCompressedPublicKeyFromKeyPair } from '../utils/utils.js'
+import type { ApiKeyStamper } from './types.js'
 
-export async function createIndexedDbStamper(): Promise<IndexedDbStamper> {
+export async function createIndexedDbStamper(): Promise<ApiKeyStamper> {
   const inner = new TurnkeyIndexedDbStamper()
   await inner.init()
 
+  let pendingKeyPair: CryptoKeyPair | null = null
+
   return {
     async getPublicKey() {
       return await inner.getPublicKey()
@@ -12,11 +15,31 @@ export async function createIndexedDbStamper(): Promise<IndexedDbStamper> {
     async stamp(payload: string) {
       return await inner.stamp(payload)
     },
+    async sign(payload: string) {
+      return await inner.sign(payload)
+    },
     async clear() {
       await inner.clear()
     },
-    async resetKeyPair(externalKeyPair?: CryptoKeyPair) {
-      await inner.resetKeyPair(externalKeyPair)
+    async resetKeyPair() {
+      pendingKeyPair = null
+      await inner.resetKeyPair()
+    },
+    async prepareKeyRotation() {
+      const keyPair = await crypto.subtle.generateKey(
+        { name: 'ECDSA', namedCurve: 'P-256' },
+        false,
+        ['sign', 'verify'],
+      )
+      pendingKeyPair = keyPair
+      return await generateCompressedPublicKeyFromKeyPair(keyPair)
+    },
+    async commitKeyRotation() {
+      if (!pendingKeyPair) {
+        throw new Error('No pending key rotation to commit')
+      }
+      await inner.resetKeyPair(pendingKeyPair)
+      pendingKeyPair = null
     },
   }
 }

package/src/stampers/types.ts

@@ -5,8 +5,6 @@ export type Stamp = {
 }
 
 export type Stamper = {
-  /** retrieve public key compressed or otherwise as per the stamper */
-  getPublicKey: () => Promise<string | null>
   /** produce Turnkey header value for a given request body */
   stamp: (payload: string) => Promise<Stamp>
   /** clear local state (embedded key, IDB keypair, etc.) */
@@ -16,6 +14,8 @@ export type Stamper = {
 export type KeyFormat = 'Hexadecimal' | 'Solana'
 
 export type IframeStamper = Stamper & {
+  /** retrieve public key compressed or otherwise as per the stamper */
+  getPublicKey: () => Promise<string | null>
   init(): Promise<string>
   injectCredentialBundle(bundle: string): Promise<boolean>
   injectWalletExportBundle(
@@ -30,7 +30,40 @@ export type IframeStamper = Stamper & {
   applySettings(settings: { styles?: Record<string, string> }): Promise<boolean>
 }
 
-export type IndexedDbStamper = Stamper & {
-  resetKeyPair: (externalKeyPair?: CryptoKeyPair) => Promise<void>
+export type ApiKeyStamper = Stamper & {
+  /** retrieve public key compressed or otherwise as per the stamper */
+  getPublicKey: () => Promise<string | null>
+  /** Generate + activate a new key pair immediately (simple cases: login init, logout). */
+  resetKeyPair: () => Promise<void>
+  /** Generate a new key pair internally, return its compressed public key, but keep the OLD key active for stamp(). */
+  prepareKeyRotation: () => Promise<string>
+  /** Promote the pending key to active. Call after the server accepts the new key. */
+  commitKeyRotation: () => Promise<void>
+  /**
+   * Sign `payload` with the currently active key. Returns a hex-encoded
+   * ECDSA-P256 / SHA-256 signature in ASN.1 DER form.
+   */
+  sign: (payload: string) => Promise<string>
+}
+export type Attestation = {
+  attestationObject: string
+  clientDataJson: string
+  credentialId: string
+}
+
+export type PasskeyRegistrationOptions = {
+  rp: { id: string; name: string }
+  userName: string
+}
+
+export type PasskeyRegistrationResult = {
+  attestation: Attestation
+  encodedChallenge: string
+}
+
+export type PasskeyStamper = Stamper & {
+  /** Create a new passkey credential. Owns challenge and user ID generation internally. */
+  register: (
+    options: PasskeyRegistrationOptions,
+  ) => Promise<PasskeyRegistrationResult>
 }
-export type WebauthnStamper = Stamper

package/src/stampers/webauthnStamper.ts

@@ -1,21 +1,42 @@
+import { getWebAuthnAttestation } from '@turnkey/http'
 import { WebauthnStamper as TurnkeyWebauthnStamper } from '@turnkey/webauthn-stamper'
-import type { WebauthnStamper } from './types.js'
+import { base64UrlEncode, generateRandomBuffer } from '../utils/utils.js'
+import type { PasskeyRegistrationOptions, PasskeyStamper } from './types.js'
 
 export async function createWebauthnStamper({
   rpId,
 }: {
   rpId: string
-}): Promise<WebauthnStamper> {
+}): Promise<PasskeyStamper> {
   const inner = new TurnkeyWebauthnStamper({ rpId })
 
   return {
-    async getPublicKey() {
-      //   return await inner.();
-      return null
-    },
     async stamp(payload: string) {
       return await inner.stamp(payload)
     },
     async clear() {},
+    async register(options: PasskeyRegistrationOptions) {
+      const challenge = generateRandomBuffer()
+      const encodedChallenge = base64UrlEncode(challenge)
+      const authenticatorUserId = generateRandomBuffer()
+
+      const attestation = await getWebAuthnAttestation({
+        publicKey: {
+          rp: options.rp,
+          challenge,
+          pubKeyCredParams: [
+            { type: 'public-key', alg: -7 },
+            { type: 'public-key', alg: -257 },
+          ],
+          user: {
+            id: authenticatorUserId,
+            name: options.userName,
+            displayName: options.userName,
+          },
+        },
+      })
+
+      return { attestation, encodedChallenge }
+    },
   }
 }

package/src/types/session.ts

@@ -3,7 +3,7 @@ export enum SessionType {
   READ_WRITE = 'SESSION_TYPE_READ_WRITE',
 }
 
-export type StamperType = 'iframe' | 'indexedDb' | 'passkey'
+export type StamperType = 'apiKey' | 'passkey'
 
 export type ZeroDevWalletSession = {
   id: string
@@ -11,8 +11,7 @@ export type ZeroDevWalletSession = {
   organizationId: string
   stamperType: StamperType
   sessionType?: SessionType
-  token?: string
-  publicKey?: string
+  token: string
   expiry: number
   createdAt: number
 }

package/src/utils/buildClientSignature.ts

@@ -1,4 +1,4 @@
-import type { IndexedDbStamper } from '../stampers/types.js'
+import type { ApiKeyStamper } from '../stampers/types.js'
 import { derToRawSignature } from './derToRawSignature.js'
 
 export type BuildClientSignatureParams = {
@@ -6,8 +6,8 @@ export type BuildClientSignatureParams = {
   verificationToken: string
   /** The compressed public key hex */
   publicKey: string
-  /** The IndexedDB stamper for signing */
-  stamper: IndexedDbStamper
+  /** The API key stamper for signing */
+  stamper: ApiKeyStamper
 }
 
 /**

package/src/utils/exportPrivateKey.ts

@@ -72,7 +72,7 @@ export async function exportPrivateKey(
   })
 
   const stamperKey =
-    session.stamperType === 'indexedDb' ? 'indexedDbStamper' : 'webauthnStamper'
+    session.stamperType === 'apiKey' ? 'apiKeyStamper' : 'passkeyStamper'
   const stamper = wallet.client[stamperKey]
   if (!stamper) {
     throw new Error(`Stamper '${stamperKey}' not found on wallet.client`)

package/src/utils/exportWallet.ts

@@ -56,9 +56,7 @@ export async function exportWallet(
 
     const listWalletsStamp =
       await wallet.client[
-        session.stamperType === 'indexedDb'
-          ? 'indexedDbStamper'
-          : 'webauthnStamper'
+        session.stamperType === 'apiKey' ? 'apiKeyStamper' : 'passkeyStamper'
       ].stamp(listWalletsBody)
     if (!listWalletsStamp) {
       throw new Error('Failed to stamp list wallets body')
@@ -93,9 +91,7 @@ export async function exportWallet(
     })
     const exportWalletStamp =
       await wallet.client[
-        session.stamperType === 'indexedDb'
-          ? 'indexedDbStamper'
-          : 'webauthnStamper'
+        session.stamperType === 'apiKey' ? 'apiKeyStamper' : 'passkeyStamper'
       ].stamp(exportWalletBody)
     if (!exportWalletStamp) {
       throw new Error('Failed to stamp export wallet body')

package/src/utils/hpke.ts

@@ -15,6 +15,7 @@
  *   - tkhq/go-sdk/pkg/enclave_encrypt
  */
 
+import { gcm } from '@noble/ciphers/aes.js'
 import { p256 } from '@noble/curves/nist.js'
 import { expand, extract } from '@noble/hashes/hkdf.js'
 import { sha256 } from '@noble/hashes/sha2.js'
@@ -165,42 +166,15 @@ function keySchedule(
   return { key, baseNonce }
 }
 
-// Web Crypto's BufferSource type rejects `Uint8Array<ArrayBufferLike>` (which
-// noble/v2 returns) under strict TS lib settings because the underlying buffer
-// could in principle be a SharedArrayBuffer. Copy into a fresh ArrayBuffer to
-// satisfy the type.
-function toArrayBuffer(u8: Uint8Array): ArrayBuffer {
-  const out = new ArrayBuffer(u8.byteLength)
-  new Uint8Array(out).set(u8)
-  return out
-}
-
-async function aesGcmSeal(
+function aesGcmSeal(
   key: Uint8Array,
   nonce: Uint8Array,
   aad: Uint8Array,
   plaintext: Uint8Array,
-): Promise<Uint8Array> {
-  // Web Crypto returns ciphertext || tag (16 bytes appended). Matches the
-  // single-blob format Turnkey's `Sealer.Seal` produces.
-  const cryptoKey = await crypto.subtle.importKey(
-    'raw',
-    toArrayBuffer(key),
-    { name: 'AES-GCM' },
-    /* extractable */ false,
-    ['encrypt'],
-  )
-  const ct = await crypto.subtle.encrypt(
-    {
-      name: 'AES-GCM',
-      iv: toArrayBuffer(nonce),
-      additionalData: toArrayBuffer(aad),
-      tagLength: 128,
-    },
-    cryptoKey,
-    toArrayBuffer(plaintext),
-  )
-  return new Uint8Array(ct)
+): Uint8Array {
+  // Returns ciphertext || tag (16 bytes appended) — matches the single-blob
+  // format Turnkey's `Sealer.Seal` and Web Crypto's AES-GCM produce.
+  return gcm(key, nonce, aad).encrypt(plaintext)
 }
 
 export type HpkeSealResult = {
@@ -239,7 +213,7 @@ export async function hpkeSealP256({
 
   // First message of the context, sequence 0 → nonce = base_nonce.
   const aad = concat(enc, receiverPublicKey)
-  const ciphertext = await aesGcmSeal(key, baseNonce, aad, plaintext)
+  const ciphertext = aesGcmSeal(key, baseNonce, aad, plaintext)
 
   return { encappedPublic: enc, ciphertext }
 }

package/src/utils/utils.ts

@@ -18,7 +18,8 @@ export function parseSession(
     throw new Error('Invalid JWT: Missing payload')
   }
 
-  const decoded = JSON.parse(Buffer.from(payload, 'base64').toString())
+  const base64 = payload.replace(/-/g, '+').replace(/_/g, '/')
+  const decoded = JSON.parse(atob(base64))
   const {
     exp,
     public_key: publicKey,
@@ -68,11 +69,9 @@ export const generateRandomBuffer = (): ArrayBuffer => {
  * @returns {string} - The encoded challenge.
  */
 export const base64UrlEncode = (challenge: ArrayBuffer): string => {
-  return Buffer.from(challenge)
-    .toString('base64')
-    .replace(/\+/g, '-')
-    .replace(/\//g, '_')
-    .replace(/=/g, '')
+  const bytes = new Uint8Array(challenge)
+  const binary = String.fromCharCode(...bytes)
+  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '')
 }
 
 /**