@zerodev/wallet-core 0.0.1-alpha.5 → 0.0.1-alpha.7

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zerodev/wallet-core",
-  "version": "0.0.1-alpha.5",
+  "version": "0.0.1-alpha.7",
   "description": "ZeroDev Wallet SDK built on Turnkey",
   "main": "./dist/_cjs/index.js",
   "module": "./dist/_esm/index.js",
@@ -52,7 +52,8 @@
     "@turnkey/http": "^3.12.1",
     "@turnkey/iframe-stamper": "^2.5.0",
     "@turnkey/indexed-db-stamper": "^1.1.1",
-    "@turnkey/webauthn-stamper": "^0.6.0"
+    "@turnkey/webauthn-stamper": "^0.6.0",
+    "json-canonicalize": "^2.0.0"
   },
   "peerDependencies": {
     "viem": "^2.38.0"

package/src/actions/auth/authenticateWithOAuth.ts

@@ -1,14 +1,10 @@
 import type { Client } from '../../client/types.js'
 
 export type AuthenticateWithOAuthParameters = {
-  /** The OAuth credential/token */
-  oidcToken: string
   /** The OAuth provider (e.g., 'google') */
   provider: string
   /** The project ID for the request */
   projectId: string
-  /** Target public key for authentication */
-  targetPublicKey: string
 }
 
 export type AuthenticateWithOAuthReturnType = {
@@ -19,11 +15,15 @@ export type AuthenticateWithOAuthReturnType = {
   /** The sub-organization ID */
   subOrganizationId?: string
   /** The Turnkey session */
-  turnkeySession?: string
+  session?: string
 }
 
 /**
- * Authenticates a user with OAuth credentials
+ * Authenticates a user with OAuth using cookie-based backend flow
+ *
+ * The backend reads the OAuth session from a cookie set during the OAuth flow.
+ * This requires the OAuth popup flow to complete first via the backend's
+ * /oauth/google/login endpoint.
  *
  * @param client - The ZeroDev Wallet client
  * @param params - The parameters for OAuth authentication
@@ -32,10 +32,8 @@ export type AuthenticateWithOAuthReturnType = {
  * @example
  * ```ts
  * const result = await authenticateWithOAuth(client, {
- *   oidcToken: 'oauth_token_here',
  *   provider: 'google',
  *   projectId: 'proj_456',
- *   targetPublicKey: '0x...'
  * });
  * ```
  */
@@ -43,16 +41,12 @@ export async function authenticateWithOAuth(
   client: Client,
   params: AuthenticateWithOAuthParameters,
 ): Promise<AuthenticateWithOAuthReturnType> {
-  const { oidcToken, provider, projectId, targetPublicKey } = params
+  const { projectId } = params
 
   return await client.request({
     path: `${projectId}/auth/oauth`,
     method: 'POST',
-    body: {
-      oidcToken,
-      provider,
-      targetPublicKey,
-      projectId,
-    },
+    body: null,
+    credentials: 'include',
   })
 }

package/src/actions/auth/getUserEmail.ts

@@ -0,0 +1,45 @@
+import type { Client } from '../../client/types.js'
+
+export type GetUserEmailParameters = {
+  /** The organization ID to query */
+  organizationId: string
+  /** The project ID for the request */
+  projectId: string
+}
+
+export type GetUserEmailReturnType = {
+  /** The user's email address */
+  email: string
+}
+
+/**
+ * Gets the user's email address
+ *
+ * @param client - The ZeroDev Wallet client
+ * @param params - The parameters for the user email request
+ * @returns The user's email address
+ *
+ * @example
+ * ```ts
+ * const userEmail = await getUserEmail(client, {
+ *   organizationId: 'org_123',
+ *   projectId: 'proj_456'
+ * });
+ * console.log(userEmail.email); // 'user@example.com'
+ * ```
+ */
+export async function getUserEmail(
+  client: Client,
+  params: GetUserEmailParameters,
+): Promise<GetUserEmailReturnType> {
+  const { organizationId, projectId } = params
+
+  return await client.request({
+    path: `${projectId}/user-email`,
+    method: 'POST',
+    body: {
+      organizationId,
+    },
+    stamp: true,
+  })
+}

package/src/actions/auth/index.ts

@@ -10,7 +10,11 @@ export {
   type AuthenticateWithOAuthReturnType,
   authenticateWithOAuth,
 } from './authenticateWithOAuth.js'
-
+export {
+  type GetUserEmailParameters,
+  type GetUserEmailReturnType,
+  getUserEmail,
+} from './getUserEmail.js'
 export {
   type GetWhoamiParameters,
   type GetWhoamiReturnType,
@@ -26,7 +30,6 @@ export {
   type LoginWithStampReturnType,
   loginWithStamp,
 } from './loginWithStamp.js'
-
 export {
   type OtpContact,
   type RegisterWithOTPParameters,

package/src/actions/auth/loginWithOTP.ts

@@ -1,14 +1,10 @@
 import type { Client } from '../../client/types.js'
 
 export type LoginWithOTPParameters = {
-  /** The OTP ID received from registration */
-  otpId: string
-  /** The OTP code received via email/sms */
-  otpCode: string
-  /** The sub-organization ID from registration */
-  subOrganizationId: string
-  /** The encoded public key for authentication */
-  encodedPublicKey: string
+  /** The verification token JWT from Auth Proxy's verifyOtp */
+  verificationToken: string
+  /** The raw r||s signature hex (64 bytes = 128 chars) */
+  clientSignature: string
   /** The project ID for the request */
   projectId: string
 }
@@ -19,8 +15,14 @@ export type LoginWithOTPReturnType = {
 }
 
 /**
- * Logs in a user with OTP (One-Time Password) authentication
- * This verifies the OTP code and returns a session token
+ * Logs in a user with OTP (One-Time Password) authentication via the backend.
+ *
+ * The backend handles:
+ * 1. Parsing the verificationToken JWT to extract email and publicKey
+ * 2. Creating/retrieving sub-organization for (projectId, email)
+ * 3. Reconstructing the message for signature verification
+ * 4. Calling Turnkey.OtpLogin with the appropriate parameters
+ * 5. Returning the session to the SDK
  *
  * @param client - The ZeroDev Wallet client
  * @param params - The parameters for OTP login
@@ -28,12 +30,10 @@ export type LoginWithOTPReturnType = {
  *
  * @example
  * ```ts
- * // After receiving OTP code via email
+ * // After verifying OTP via Auth Proxy and building client signature
  * const result = await loginWithOTP(client, {
- *   otpId: 'otp_123456',
- *   otpCode: '123456',
- *   subOrganizationId: 'org_abc',
- *   encodedPublicKey: '0x...',
+ *   verificationToken: '<jwt-from-auth-proxy>',
+ *   clientSignature: '<raw-signature-hex>',
  *   projectId: 'proj_456'
  * });
  *
@@ -44,17 +44,14 @@ export async function loginWithOTP(
   client: Client,
   params: LoginWithOTPParameters,
 ): Promise<LoginWithOTPReturnType> {
-  const { otpId, otpCode, subOrganizationId, encodedPublicKey, projectId } =
-    params
+  const { verificationToken, clientSignature, projectId } = params
 
   return await client.request({
     path: `${projectId}/auth/login/otp`,
     method: 'POST',
     body: {
-      otpId,
-      otpCode,
-      subOrganizationId,
-      encodedPublicKey,
+      verificationToken,
+      clientSignature,
     },
   })
 }

package/src/actions/auth/loginWithStamp.ts

@@ -1,3 +1,4 @@
+import { canonicalizeEx } from 'json-canonicalize'
 import type { Client } from '../../client/types.js'
 import type { Stamp } from '../../stampers/types.js'
 
@@ -48,14 +49,14 @@ export async function loginWithStamp(
   const timestampMsString = timestampMs.toString()
   const timestampIso = new Date(timestampMs).toISOString()
 
-  const stampPayload = `${JSON.stringify({
+  const stampPayload = canonicalizeEx({
     organizationId,
     parameters: {
       publicKey: targetPublicKey,
     },
     timestampMs: timestampMsString,
     type: 'ACTIVITY_TYPE_STAMP_LOGIN',
-  })}\n`
+  })
   let stamp: Stamp
   if (stampWith === 'indexedDb') {
     stamp = await client.indexedDbStamper.stamp(stampPayload)
@@ -66,7 +67,7 @@ export async function loginWithStamp(
   }
 
   return client.request({
-    path: `${projectId}/auth/login/passkey`,
+    path: `${projectId}/auth/login/stamp`,
     method: 'POST',
     body: {
       subOrganizationId: organizationId,

package/src/actions/auth/registerWithOTP.ts

@@ -20,23 +20,17 @@ export type RegisterWithOTPParameters = {
 }
 
 export type RegisterWithOTPReturnType = {
-  /** The user ID */
-  userId: string
-  /** The wallet address */
-  walletAddress: string
-  /** The sub-organization ID */
-  subOrganizationId: string
-  /** The OTP ID needed for login */
+  /** The OTP ID needed for verification */
   otpId: string
 }
 
 /**
- * Registers a user with OTP (One-Time Password) authentication
+ * Initiates OTP (One-Time Password) authentication
  * This will send an OTP code to the specified contact method
  *
  * @param client - The ZeroDev Wallet client
- * @param params - The parameters for OTP registration
- * @returns The registration result including otpId needed for login
+ * @param params - The parameters for OTP initiation
+ * @returns The result including otpId needed for verification
  *
  * @example
  * ```ts
@@ -49,7 +43,7 @@ export type RegisterWithOTPReturnType = {
  *   projectId: 'proj_456'
  * });
  *
- * // Use result.otpId for the login step
+ * // Use result.otpId for the verification step
  * ```
  */
 export async function registerWithOTP(
@@ -59,12 +53,11 @@ export async function registerWithOTP(
   const { email, contact, projectId, emailCustomization } = params
 
   return await client.request({
-    path: `${projectId}/auth/register/otp`,
+    path: `${projectId}/auth/init/otp`,
     method: 'POST',
     body: {
       email,
       contact,
-      projectId,
       emailCustomization,
     },
   })

package/src/actions/index.ts

@@ -7,8 +7,11 @@ export {
   authenticateWithEmail,
   authenticateWithOAuth,
   type EmailCustomization,
+  type GetUserEmailParameters,
+  type GetUserEmailReturnType,
   type GetWhoamiParameters,
   type GetWhoamiReturnType,
+  getUserEmail,
   getWhoami,
   type LoginWithOTPParameters,
   type LoginWithOTPReturnType,

package/src/actions/wallet/signRawPayload.ts

@@ -6,6 +6,8 @@ export type SignRawPayloadParameters = {
   organizationId: string
   /** The project ID for the request */
   projectId: string
+  /** The session token for authorization */
+  token: string
   /** The address to sign with */
   address: Hex
   /** The payload hash to sign (without 0x prefix) */
@@ -43,6 +45,7 @@ export async function signRawPayload(
   const {
     organizationId,
     projectId,
+    token,
     address,
     payload,
     encoding = 'PAYLOAD_ENCODING_HEXADECIMAL',
@@ -52,20 +55,21 @@ export async function signRawPayload(
   const { signature } = await client.request({
     path: `${projectId}/sign/raw-payload`,
     body: {
-      body: {
-        type: 'ACTIVITY_TYPE_SIGN_RAW_PAYLOAD_V2',
-        timestampMs: Date.now().toString(),
-        organizationId,
-        parameters: {
-          signWith: address,
-          payload,
-          encoding,
-          hashFunction,
-        },
+      type: 'ACTIVITY_TYPE_SIGN_RAW_PAYLOAD_V2',
+      timestampMs: Date.now().toString(),
+      organizationId,
+      parameters: {
+        signWith: address,
+        payload,
+        encoding,
+        hashFunction,
       },
-      apiUrl: 'https://api.turnkey.com/public/v1/submit/sign_raw_payload',
+    },
+    headers: {
+      Authorization: `Bearer ${token}`,
     },
     stamp: true,
+    stampPostion: 'headers',
   })
   return signature as Hex
 }

package/src/actions/wallet/signTransaction.ts

@@ -6,6 +6,8 @@ export type SignTransactionParameters = {
   organizationId: string
   /** The project ID for the request */
   projectId: string
+  /** The session token for authorization */
+  token: string
   /** The address to sign with */
   address: Hex
   /** The unsigned transaction to sign */
@@ -36,24 +38,26 @@ export async function signTransaction(
   client: Client,
   params: SignTransactionParameters,
 ): Promise<SignTransactionReturnType> {
-  const { organizationId, projectId, address, unsignedTransaction } = params
+  const { organizationId, projectId, token, address, unsignedTransaction } =
+    params
 
   const { signature } = await client.request({
     path: `${projectId}/sign/transaction`,
     body: {
-      body: {
-        type: 'ACTIVITY_TYPE_SIGN_TRANSACTION_V2',
-        timestampMs: Date.now().toString(),
-        organizationId,
-        parameters: {
-          signWith: address,
-          type: 'TRANSACTION_TYPE_ETHEREUM',
-          unsignedTransaction,
-        },
+      type: 'ACTIVITY_TYPE_SIGN_TRANSACTION_V2',
+      timestampMs: Date.now().toString(),
+      organizationId,
+      parameters: {
+        signWith: address,
+        type: 'TRANSACTION_TYPE_ETHEREUM',
+        unsignedTransaction,
       },
-      apiUrl: 'https://api.turnkey.com/public/v1/submit/sign_transaction',
+    },
+    headers: {
+      Authorization: `Bearer ${token}`,
     },
     stamp: true,
+    stampPostion: 'headers',
   })
 
   return `0x${signature}` as Hex

package/src/adapters/viem.ts

@@ -53,6 +53,7 @@ export async function toViemAccount(
     return await client.signRawPayload({
       organizationId,
       projectId,
+      token,
       address,
       payload,
       encoding,
@@ -78,6 +79,7 @@ export async function toViemAccount(
     const signature = await client.signTransaction({
       organizationId,
       projectId,
+      token,
       address,
       unsignedTransaction: nonHexPrefixedSerializedTx,
     })

package/src/client/authProxy.ts

@@ -0,0 +1,78 @@
+const AUTH_PROXY_BASE_URL = 'https://authproxy.turnkey.com'
+
+export type AuthProxyClientConfig = {
+  /** The Auth Proxy Config ID from the backend */
+  authProxyConfigId: string
+  /** Optional base URL override (for testing) */
+  baseUrl?: string
+}
+
+export type AuthProxyVerifyOtpRequest = {
+  /** The OTP ID from registration */
+  otpId: string
+  /** The OTP code entered by the user */
+  otpCode: string
+  /** The public key to associate with the verification */
+  public_key: string
+}
+
+export type AuthProxyVerifyOtpResponse = {
+  /** The verification token to use for login */
+  verificationToken: string
+}
+
+/**
+ * Creates an Auth Proxy client for making requests to Turnkey's Auth Proxy
+ *
+ * Note: This client only handles OTP verification. The actual OTP login
+ * is handled by the backend (/auth/login/otp) which manages sub-organization
+ * creation and session handling.
+ */
+export function createAuthProxyClient(config: AuthProxyClientConfig) {
+  const { authProxyConfigId, baseUrl = AUTH_PROXY_BASE_URL } = config
+
+  async function request<T>(
+    path: string,
+    body: unknown,
+    method: 'POST' | 'GET' = 'POST',
+  ): Promise<T> {
+    const fetchOptions: RequestInit = {
+      method,
+      headers: {
+        'Content-Type': 'application/json',
+        'X-Auth-Proxy-Config-Id': authProxyConfigId,
+      },
+    }
+
+    if (method !== 'GET') {
+      fetchOptions.body = JSON.stringify(body)
+    }
+
+    const response = await fetch(`${baseUrl}${path}`, fetchOptions)
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      throw new Error(
+        `Auth Proxy request failed: ${response.status} ${response.statusText} - ${errorText}`,
+      )
+    }
+
+    return response.json()
+  }
+
+  return {
+    /**
+     * Verifies an OTP code with Turnkey's Auth Proxy
+     *
+     * Returns a verificationToken that should be passed to the backend's
+     * /auth/login/otp endpoint along with a client signature.
+     */
+    async verifyOtp(
+      params: AuthProxyVerifyOtpRequest,
+    ): Promise<AuthProxyVerifyOtpResponse> {
+      return request<AuthProxyVerifyOtpResponse>('/v1/otp_verify', params)
+    },
+  }
+}
+
+export type AuthProxyClient = ReturnType<typeof createAuthProxyClient>

package/src/client/decorators/client.ts

@@ -10,10 +10,13 @@ import {
   type AuthenticateWithOAuthReturnType,
   authenticateWithEmail,
   authenticateWithOAuth,
+  type GetUserEmailParameters,
+  type GetUserEmailReturnType,
   type GetUserWalletParameters,
   type GetUserWalletReturnType,
   type GetWhoamiParameters,
   type GetWhoamiReturnType,
+  getUserEmail,
   getUserWallet,
   getWhoami,
   type LoginWithOTPParameters,
@@ -60,6 +63,13 @@ export type ZeroDevWalletActions = {
    */
   getWhoami: (params: GetWhoamiParameters) => Promise<GetWhoamiReturnType>
 
+  /**
+   * Gets the user's email address
+   */
+  getUserEmail: (
+    params: GetUserEmailParameters,
+  ) => Promise<GetUserEmailReturnType>
+
   // Wallet actions
   /**
    * Gets the user's wallet information
@@ -139,6 +149,7 @@ export function zeroDevWalletActions(client: Client): ZeroDevWalletActions {
     authenticateWithEmail: (params) => authenticateWithEmail(client, params),
     authenticateWithOAuth: (params) => authenticateWithOAuth(client, params),
     getWhoami: (params) => getWhoami(client, params),
+    getUserEmail: (params) => getUserEmail(client, params),
 
     // Wallet actions
     getUserWallet: (params) => getUserWallet(client, params),

package/src/client/index.ts

@@ -1,3 +1,10 @@
+export {
+  type AuthProxyClient,
+  type AuthProxyClientConfig,
+  type AuthProxyVerifyOtpRequest,
+  type AuthProxyVerifyOtpResponse,
+  createAuthProxyClient,
+} from './authProxy.js'
 export {
   createBaseClient,
   createClient,

package/src/client/transports/rest.ts

@@ -1,3 +1,4 @@
+import { canonicalizeEx } from 'json-canonicalize'
 import { RestRequestError, RestTimeoutError } from '../../errors/request.js'
 import type { IndexedDbStamper, WebauthnStamper } from '../../stampers/types.js'
 
@@ -9,6 +10,8 @@ export type RestRequestArgs = {
   stamp?: boolean
   stampWith?: 'indexedDb' | 'webAuthn'
   stampPostion?: 'body' | 'headers'
+  /** Include credentials (cookies) in the request */
+  credentials?: RequestCredentials
 }
 
 export type RestRequestFn = <T = any>(args: RestRequestArgs) => Promise<T>
@@ -62,7 +65,7 @@ export function rest(url: string, cfg: RestTransportConfig): RestTransport {
           stamper = cfg.indexedDbStamper
         }
         const { body, apiUrl } = args.body
-        const bodyString = `${JSON.stringify(body ?? args.body)}\n`
+        const bodyString = canonicalizeEx(body ?? args.body)
         const stamp = await stamper.stamp(bodyString)
 
         // Restructure request body to match backend expectation
@@ -97,6 +100,7 @@ export function rest(url: string, cfg: RestTransportConfig): RestTransport {
         headers: requestHeaders,
         body: requestBody != null ? JSON.stringify(requestBody) : null,
         signal: controller.signal,
+        ...(args.credentials && { credentials: args.credentials }),
       }
 
       const finalInit = (await cfg.onRequest?.(fullUrl, init)) ?? init

package/src/constants.ts

@@ -2,4 +2,6 @@ export const DEFAULT_SESSION_EXPIRATION_IN_SECONDS = '900' // default to 15 minu
 export const DEFAULT_IFRAME_CONTAINER_ID = 'turnkey-auth-iframe-container-id'
 export const DEFAULT_IFRAME_ELEMENT_ID = 'turnkey-default-iframe-element-id'
 export const DEFAULT_ORGANIZATION_ID = '6254bb1d-0d0d-4f7e-96b8-77c94fe0b0c1'
+export const DEFAULT_AUTH_PROXY_CONFIG_ID =
+  'f69f6246-a814-43c6-90e6-2a8d947853d3'
 export const KMS_SERVER_URL = 'https://kms.dev.zerodev.app'