npm - kentucky-signer-viem - Versions diffs - 0.1.1 → 0.1.3 - Mend

kentucky-signer-viem 0.1.1 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -111,6 +111,8 @@ interface PasskeyAuthOptions {
     rpId?: string;
     /** Credential IDs to allow (if known) */
     allowCredentials?: string[];
+    /** Optional ephemeral public key for secure mode binding (base64url encoded) */
+    ephemeralPublicKey?: string;
 }
 /**
  * Token storage interface for custom token persistence
@@ -178,6 +180,8 @@ interface PasswordAuthOptions {
     accountId: string;
     /** Password for authentication */
     password: string;
+    /** Optional ephemeral public key for secure mode binding (base64url encoded) */
+    ephemeralPublicKey?: string;
 }
 /**
  * Options for creating an account with password
@@ -208,7 +212,588 @@ interface PasswordAuthRequest {
     /** Password */
     password: string;
 }
+/**
+ * Add password request
+ */
+interface AddPasswordRequest {
+    /** Password for the account (8-128 characters) */
+    password: string;
+    /** Password confirmation (must match password) */
+    confirmation: string;
+}
+/**
+ * Add password response
+ */
+interface AddPasswordResponse {
+    success: boolean;
+    message: string;
+}
+/**
+ * Add passkey request (using attestation object - simpler)
+ */
+interface AddPasskeyRequest {
+    /** WebAuthn attestation object (base64url) - server extracts COSE key automatically */
+    attestation_object: string;
+    /** User-friendly label for the passkey */
+    label?: string;
+}
+/**
+ * Add passkey response
+ */
+interface AddPasskeyResponse {
+    success: boolean;
+    message: string;
+    label: string;
+}
+/**
+ * Remove passkey response
+ */
+interface RemovePasskeyResponse {
+    success: boolean;
+    message: string;
+    passkey_index: number;
+}
+/**
+ * Extended authentication response with ephemeral key binding
+ */
+interface AuthResponseWithEphemeral extends AuthResponse {
+    /** Whether ephemeral key was bound to the token */
+    ephemeral_bound: boolean;
+}
+/**
+ * Auth configuration from account info
+ */
+interface AuthConfig {
+    passkey: boolean;
+    password: boolean;
+    pin_4: boolean;
+    pin_6: boolean;
+    totp: boolean;
+}
+/**
+ * Extended account info response with auth config
+ */
+interface AccountInfoExtendedResponse {
+    success: boolean;
+    account_id: string;
+    addresses: {
+        evm: string;
+        bitcoin: string;
+        solana: string;
+    };
+    auth_config: AuthConfig;
+    passkey_count: number;
+    guardian_count?: number;
+    recovery_active?: boolean;
+}
+/**
+ * Guardian info
+ */
+interface GuardianInfo {
+    index: number;
+    label: string;
+}
+/**
+ * Add guardian request
+ */
+interface AddGuardianRequest {
+    /** WebAuthn attestation object (base64url) */
+    attestation_object: string;
+    /** User-friendly label for the guardian */
+    label?: string;
+}
+/**
+ * Add guardian response
+ */
+interface AddGuardianResponse {
+    success: boolean;
+    guardian_index: number;
+    guardian_count: number;
+}
+/**
+ * Remove guardian response
+ */
+interface RemoveGuardianResponse {
+    success: boolean;
+    guardian_count: number;
+}
+/**
+ * Get guardians response
+ */
+interface GetGuardiansResponse {
+    success: boolean;
+    guardian_count: number;
+    guardians: GuardianInfo[];
+}
+/**
+ * Initiate recovery request
+ */
+interface InitiateRecoveryRequest {
+    /** Account ID to recover */
+    account_id: string;
+    /** WebAuthn attestation object for new owner passkey (base64url) */
+    attestation_object: string;
+    /** Label for new owner passkey */
+    label?: string;
+}
+/**
+ * Initiate recovery response
+ */
+interface InitiateRecoveryResponse {
+    success: boolean;
+    /** Challenges for each guardian to sign (base64url) */
+    challenges: string[];
+    /** Number of guardians registered */
+    guardian_count: number;
+    /** Number of guardian signatures required */
+    threshold: number;
+    /** Seconds to wait after threshold reached before completion */
+    timelock_seconds: number;
+}
+/**
+ * Verify guardian signature request
+ */
+interface VerifyGuardianRequest {
+    /** Account ID being recovered */
+    account_id: string;
+    /** Index of guardian (1-3) */
+    guardian_index: number;
+    /** WebAuthn authenticator data (base64url) */
+    authenticator_data: string;
+    /** WebAuthn client data JSON (base64url) */
+    client_data_json: string;
+    /** WebAuthn signature (base64url) */
+    signature: string;
+}
+/**
+ * Verify guardian response
+ */
+interface VerifyGuardianResponse {
+    success: boolean;
+    /** Number of guardians who have verified */
+    verified_count: number;
+    /** Number of guardians required */
+    threshold: number;
+}
+/**
+ * Recovery status request
+ */
+interface RecoveryStatusRequest {
+    /** Account ID to check */
+    account_id: string;
+}
+/**
+ * Recovery status response
+ */
+interface RecoveryStatusResponse {
+    success: boolean;
+    /** Whether recovery is in progress */
+    recovery_active: boolean;
+    /** Number of guardians who have verified */
+    verified_count: number;
+    /** Number of guardians required */
+    threshold: number;
+    /** Whether recovery can be completed now */
+    can_complete: boolean;
+    /** Seconds remaining until timelock expires (0 if expired) */
+    timelock_remaining: number;
+    /** Number of guardians on this account */
+    guardian_count: number;
+    /** Challenge for each guardian to sign (base64url encoded) */
+    guardian_challenges: string[];
+    /** Indices of guardians who have verified */
+    verified_guardians: number[];
+}
+/**
+ * Complete recovery request
+ */
+interface CompleteRecoveryRequest {
+    /** Account ID to complete recovery for */
+    account_id: string;
+}
+/**
+ * Complete recovery response
+ */
+interface CompleteRecoveryResponse {
+    success: boolean;
+    message: string;
+}
+/**
+ * Cancel recovery response
+ */
+interface CancelRecoveryResponse {
+    success: boolean;
+    message: string;
+}
+/**
+ * 2FA status response
+ */
+interface TwoFactorStatusResponse {
+    success: boolean;
+    /** Whether TOTP is enabled */
+    totp_enabled: boolean;
+    /** Whether PIN is enabled */
+    pin_enabled: boolean;
+    /** PIN length if enabled (4 or 6), 0 if not enabled */
+    pin_length: number;
+}
+/**
+ * TOTP setup response
+ */
+interface TotpSetupResponse {
+    success: boolean;
+    /** otpauth:// URI for QR code generation */
+    uri: string;
+    /** Base32 encoded secret for manual entry */
+    secret: string;
+    /** Instructions for the user */
+    message: string;
+}
+/**
+ * TOTP enable request
+ */
+interface TotpEnableRequest {
+    /** 6-digit TOTP code from authenticator app */
+    code: string;
+}
+/**
+ * Generic 2FA response
+ */
+interface TwoFactorResponse {
+    success: boolean;
+    message: string;
+}
+/**
+ * TOTP/PIN verify response
+ */
+interface TwoFactorVerifyResponse {
+    success: boolean;
+    /** Whether the code/pin was valid */
+    valid: boolean;
+    /** Optional message if invalid */
+    message?: string;
+}
+/**
+ * PIN setup request
+ */
+interface PinSetupRequest {
+    /** PIN (4 or 6 digits) */
+    pin: string;
+}
+/**
+ * PIN setup response
+ */
+interface PinSetupResponse {
+    success: boolean;
+    message: string;
+    /** Length of the PIN that was set */
+    pin_length: number;
+}
+/**
+ * Sign request with optional 2FA codes
+ */
+interface SignEvmRequestWith2FA extends SignEvmRequest {
+    /** TOTP code (required if TOTP is enabled) */
+    totp_code?: string;
+    /** PIN (required if PIN is enabled) */
+    pin?: string;
+}
+/**
+ * Ephemeral Key Management for Kentucky Signer
+ *
+ * Implements ephemeral ECDSA keys for request signing.
+ * The ephemeral public key is bound to the JWT token during authentication,
+ * and the private key is used to sign all subsequent request payloads.
+ *
+ * Security Properties:
+ * - Ephemeral keys are generated fresh for each session
+ * - Private keys never leave the client
+ * - SGX verifies payload signatures before processing
+ * - Prevents replay attacks and token theft
+ */
+/**
+ * Ephemeral key pair for request signing
+ */
+interface EphemeralKeyPair {
+    /** Public key in SPKI format (base64url encoded) */
+    publicKey: string;
+    /** Private CryptoKey for signing (not exportable) */
+    privateKey: CryptoKey;
+    /** Algorithm used (ES256 = P-256 with SHA-256) */
+    algorithm: 'ES256';
+    /** Creation timestamp */
+    createdAt: number;
+}
+/**
+ * Signed request payload
+ */
+interface SignedPayload {
+    /** Original payload (JSON string) */
+    payload: string;
+    /** Signature (base64url encoded) */
+    signature: string;
+    /** Timestamp when signature was created */
+    timestamp: number;
+}
+/**
+ * Check if WebCrypto is available
+ */
+declare function isWebCryptoAvailable(): boolean;
+/**
+ * Generate an ephemeral ECDSA key pair using WebCrypto
+ *
+ * Uses P-256 curve (secp256r1) with SHA-256 for ES256 signatures.
+ *
+ * @returns Generated key pair
+ * @throws Error if WebCrypto is not available
+ */
+declare function generateEphemeralKeyPair(): Promise<EphemeralKeyPair>;
+/**
+ * Sign a request payload with the ephemeral private key
+ *
+ * The signature covers:
+ * - The JSON payload string
+ * - A timestamp to prevent replay attacks
+ *
+ * @param payload - Request payload (will be JSON stringified if object)
+ * @param keyPair - Ephemeral key pair
+ * @returns Signed payload with signature
+ */
+declare function signPayload(payload: string | object, keyPair: EphemeralKeyPair): Promise<SignedPayload>;
+/**
+ * Verify a signed payload (for testing purposes)
+ *
+ * @param signedPayload - The signed payload to verify
+ * @param publicKeyBase64 - Public key in SPKI format (base64url)
+ * @returns True if signature is valid
+ */
+declare function verifyPayload(signedPayload: SignedPayload, publicKeyBase64: string): Promise<boolean>;
+/**
+ * Ephemeral key storage interface
+ */
+interface EphemeralKeyStorage {
+    save(keyPair: EphemeralKeyPair): Promise<void>;
+    load(): Promise<EphemeralKeyPair | null>;
+    clear(): Promise<void>;
+}
+/**
+ * In-memory ephemeral key storage
+ *
+ * Keys are lost when the page is refreshed.
+ */
+declare class MemoryEphemeralKeyStorage implements EphemeralKeyStorage {
+    private keyPair;
+    save(keyPair: EphemeralKeyPair): Promise<void>;
+    load(): Promise<EphemeralKeyPair | null>;
+    clear(): Promise<void>;
+}
+/**
+ * IndexedDB ephemeral key storage
+ *
+ * Persists keys across page refreshes but not browser restarts.
+ * Uses non-extractable keys for security.
+ */
+declare class IndexedDBEphemeralKeyStorage implements EphemeralKeyStorage {
+    private dbName;
+    private storeName;
+    private getDB;
+    save(keyPair: EphemeralKeyPair): Promise<void>;
+    load(): Promise<EphemeralKeyPair | null>;
+    clear(): Promise<void>;
+}
+/**
+ * Create an ephemeral key manager for a session
+ *
+ * The manager handles:
+ * - Key generation on first use
+ * - Key storage and retrieval
+ * - Automatic key rotation (optional)
+ * - Storage migration (switching between IndexedDB and memory)
+ */
+declare class EphemeralKeyManager {
+    private keyPair;
+    private storage;
+    constructor(storage?: EphemeralKeyStorage);
+    /**
+     * Get or generate ephemeral key pair
+     */
+    getKeyPair(): Promise<EphemeralKeyPair>;
+    /**
+     * Get the public key for authentication
+     */
+    getPublicKey(): Promise<string>;
+    /**
+     * Sign a request payload
+     */
+    signPayload(payload: string | object): Promise<SignedPayload>;
+    /**
+     * Rotate the key pair (generate new keys)
+     */
+    rotate(): Promise<EphemeralKeyPair>;
+    /**
+     * Clear the key pair (logout)
+     */
+    clear(): Promise<void>;
+    /**
+     * Check if a key pair exists
+     */
+    hasKeyPair(): Promise<boolean>;
+    /**
+     * Migrate key pair to a new storage backend
+     *
+     * This preserves the existing key pair while switching storage.
+     * The key is saved to the new storage and removed from the old storage.
+     *
+     * @param newStorage - The new storage backend to migrate to
+     */
+    migrateStorage(newStorage: EphemeralKeyStorage): Promise<void>;
+    /**
+     * Get the current storage backend
+     */
+    getStorage(): EphemeralKeyStorage;
+}
+/**
+ * Secure Kentucky Signer Client with Ephemeral Key Signing
+ *
+ * This client automatically:
+ * - Generates an ephemeral key pair on initialization
+ * - Sends the public key during authentication
+ * - Signs all request payloads with the ephemeral private key
+ */
+/**
+ * Options for the secure client
+ */
+interface SecureClientOptions extends ClientOptions {
+    /** Custom ephemeral key storage (defaults to memory storage) */
+    ephemeralKeyStorage?: EphemeralKeyStorage;
+    /** Shared ephemeral key manager (takes precedence over storage) */
+    ephemeralKeyManager?: EphemeralKeyManager;
+    /** Whether to require ephemeral key verification (default: true) */
+    requireEphemeralSigning?: boolean;
+}
+/**
+ * Secure Kentucky Signer API client with ephemeral key signing
+ *
+ * All requests to authenticated endpoints are automatically signed
+ * with the ephemeral private key bound during authentication.
+ */
+declare class SecureKentuckySignerClient {
+    private baseUrl;
+    private fetchImpl;
+    private timeout;
+    private keyManager;
+    private requireSigning;
+    constructor(options: SecureClientOptions);
+    /**
+     * Get the ephemeral key manager for advanced usage
+     */
+    getKeyManager(): EphemeralKeyManager;
+    /**
+     * Make a signed request to the API
+     */
+    private request;
+    /**
+     * Get a challenge for passkey authentication
+     */
+    getChallenge(accountId: string): Promise<ChallengeResponse>;
+    /**
+     * Authenticate with a passkey credential
+     *
+     * Automatically sends the ephemeral public key for binding.
+     */
+    authenticatePasskey(accountId: string, credential: PasskeyCredential): Promise<AuthResponseWithEphemeral>;
+    /**
+     * Authenticate with password
+     *
+     * Automatically sends the ephemeral public key for binding.
+     */
+    authenticatePassword(request: PasswordAuthRequest): Promise<AuthResponseWithEphemeral>;
+    /**
+     * Refresh an authentication token
+     *
+     * Generates a new ephemeral key pair and binds it to the new token.
+     */
+    refreshToken(token: string): Promise<AuthResponseWithEphemeral>;
+    /**
+     * Logout and invalidate token
+     *
+     * Clears the ephemeral key pair.
+     */
+    logout(token: string): Promise<void>;
+    /**
+     * Get account information (signed request)
+     */
+    getAccountInfo(accountId: string, token: string): Promise<AccountInfoResponse>;
+    /**
+     * Get extended account information (signed request)
+     */
+    getAccountInfoExtended(accountId: string, token: string): Promise<AccountInfoExtendedResponse>;
+    /**
+     * Sign an EVM transaction hash (signed request)
+     */
+    signEvmTransaction(request: SignEvmRequest, token: string): Promise<EvmSignatureResponse>;
+    /**
+     * Sign an EVM transaction hash with 2FA (signed request)
+     */
+    signEvmTransactionWith2FA(request: SignEvmRequest & {
+        totp_code?: string;
+        pin?: string;
+    }, token: string): Promise<EvmSignatureResponse>;
+    /**
+     * Sign a raw hash for EVM (signed request)
+     */
+    signHash(hash: Hex, chainId: number, token: string): Promise<Hex>;
+    /**
+     * Add password to account (signed request)
+     */
+    addPassword(accountId: string, request: AddPasswordRequest, token: string): Promise<AddPasswordResponse>;
+    /**
+     * Add passkey to account (signed request)
+     */
+    addPasskey(accountId: string, request: AddPasskeyRequest, token: string): Promise<AddPasskeyResponse>;
+    /**
+     * Remove passkey from account (signed request)
+     */
+    removePasskey(accountId: string, passkeyIndex: number, token: string): Promise<RemovePasskeyResponse>;
+    /**
+     * Create account with passkey (public endpoint, no signing)
+     */
+    createAccountWithPasskey(attestationObject: string, label?: string): Promise<AccountCreationResponse>;
+    /**
+     * Create account with password (public endpoint, no signing)
+     */
+    createAccountWithPassword(request: CreatePasswordAccountRequest): Promise<AccountCreationResponse>;
+    /**
+     * Health check (public endpoint)
+     */
+    healthCheck(): Promise<boolean>;
+}
+/**
+ * Create a new secure Kentucky Signer client
+ */
+declare function createSecureClient(options: SecureClientOptions): SecureKentuckySignerClient;
+/**
+ * 2FA codes for signing operations
+ */
+interface TwoFactorCodes {
+    /** TOTP code from authenticator app */
+    totpCode?: string;
+    /** PIN code */
+    pin?: string;
+}
+/**
+ * Callback to request 2FA codes from the user
+ * Returns null/undefined if user cancels
+ */
+type TwoFactorCallback = (requirements: {
+    totpRequired: boolean;
+    pinRequired: boolean;
+    pinLength: number;
+}) => Promise<TwoFactorCodes | null | undefined>;
 /**
  * Options for creating a Kentucky Signer account
  */
@@ -221,6 +806,10 @@ interface KentuckySignerAccountOptions {
     defaultChainId?: number;
     /** Callback when session needs refresh */
     onSessionExpired?: () => Promise<AuthSession>;
+    /** Optional secure client for ephemeral key signing */
+    secureClient?: SecureKentuckySignerClient;
+    /** Callback to request 2FA codes when required */
+    on2FARequired?: TwoFactorCallback;
 }
 /**
  * Extended account type with Kentucky Signer specific properties
@@ -316,9 +905,10 @@ declare class KentuckySignerClient {
      *
      * @param accountId - Account ID to authenticate
      * @param credential - WebAuthn credential from navigator.credentials.get()
+     * @param ephemeralPublicKey - Optional ephemeral public key for secure mode binding
      * @returns Authentication response with JWT token
      */
-    authenticatePasskey(accountId: string, credential: PasskeyCredential): Promise<AuthResponse>;
+    authenticatePasskey(accountId: string, credential: PasskeyCredential, ephemeralPublicKey?: string): Promise<AuthResponse>;
     /**
      * Refresh an authentication token
      *
@@ -370,12 +960,11 @@ declare class KentuckySignerClient {
     /**
      * Create a new account with passkey authentication
      *
-     * @param credential - WebAuthn credential from navigator.credentials.create()
+     * @param attestationObject - Base64url encoded attestation object from WebAuthn
+     * @param label - Optional label for the passkey (defaults to "Owner Passkey")
      * @returns Account creation response with account ID and addresses
      */
-    createAccountWithPasskey(credential: PasskeyCredential & {
-        publicKey: string;
-    }): Promise<AccountCreationResponse>;
+    createAccountWithPasskey(attestationObject: string, label?: string): Promise<AccountCreationResponse>;
     /**
      * Create a new account with password authentication
      *
@@ -390,6 +979,46 @@ declare class KentuckySignerClient {
      * @returns Authentication response with JWT token
      */
     authenticatePassword(request: PasswordAuthRequest): Promise<AuthResponse>;
+    /**
+     * Add password authentication to an existing account
+     *
+     * Enables password-based authentication for an account that was created
+     * with passkey-only authentication.
+     *
+     * @param accountId - Account ID
+     * @param request - Password and confirmation
+     * @param token - JWT token
+     * @returns Success response
+     */
+    addPassword(accountId: string, request: AddPasswordRequest, token: string): Promise<AddPasswordResponse>;
+    /**
+     * Get extended account information including auth config
+     *
+     * @param accountId - Account ID
+     * @param token - JWT token
+     * @returns Extended account info with auth config and passkey count
+     */
+    getAccountInfoExtended(accountId: string, token: string): Promise<AccountInfoExtendedResponse>;
+    /**
+     * Add a recovery passkey to an existing account
+     *
+     * @param accountId - Account ID
+     * @param request - Passkey data (COSE public key, credential ID, algorithm, label)
+     * @param token - JWT token
+     * @returns Success response with label
+     */
+    addPasskey(accountId: string, request: AddPasskeyRequest, token: string): Promise<AddPasskeyResponse>;
+    /**
+     * Remove a passkey from an account
+     *
+     * Note: Cannot remove the owner passkey (index 0)
+     *
+     * @param accountId - Account ID
+     * @param passkeyIndex - Index of passkey to remove (1-3 for recovery passkeys)
+     * @param token - JWT token
+     * @returns Success response
+     */
+    removePasskey(accountId: string, passkeyIndex: number, token: string): Promise<RemovePasskeyResponse>;
     /**
      * Health check
      *
@@ -402,6 +1031,171 @@ declare class KentuckySignerClient {
      * @returns Version string
      */
     getVersion(): Promise<string>;
+    /**
+     * Add a guardian passkey to an account
+     *
+     * Guardians can participate in account recovery but cannot access the wallet.
+     * An account can have up to 3 guardians (indices 1-3).
+     *
+     * @param request - Guardian data (attestation object and optional label)
+     * @param token - JWT token
+     * @returns Success response with guardian index and count
+     */
+    addGuardian(request: AddGuardianRequest, token: string): Promise<AddGuardianResponse>;
+    /**
+     * Remove a guardian passkey from an account
+     *
+     * Cannot remove guardians during an active recovery.
+     *
+     * @param guardianIndex - Index of guardian to remove (1-3)
+     * @param token - JWT token
+     * @returns Success response with remaining guardian count
+     */
+    removeGuardian(guardianIndex: number, token: string): Promise<RemoveGuardianResponse>;
+    /**
+     * Get guardians for an account
+     *
+     * @param token - JWT token
+     * @returns Guardian list with indices and labels
+     */
+    getGuardians(token: string): Promise<GetGuardiansResponse>;
+    /**
+     * Initiate account recovery
+     *
+     * Call this when you've lost access to your account. You'll need to register
+     * a new passkey which will become the new owner passkey after recovery completes.
+     *
+     * @param accountId - Account ID to recover
+     * @param attestationObject - WebAuthn attestation object for new owner passkey
+     * @param label - Optional label for new owner passkey
+     * @returns Challenges for guardians to sign, threshold, and timelock info
+     */
+    initiateRecovery(accountId: string, attestationObject: string, label?: string): Promise<InitiateRecoveryResponse>;
+    /**
+     * Submit a guardian signature for recovery
+     *
+     * Each guardian must sign their challenge using their passkey.
+     *
+     * @param request - Guardian signature data
+     * @returns Current verification status
+     */
+    verifyGuardian(request: VerifyGuardianRequest): Promise<VerifyGuardianResponse>;
+    /**
+     * Get recovery status for an account
+     *
+     * @param accountId - Account ID to check
+     * @returns Recovery status including verification count and timelock
+     */
+    getRecoveryStatus(accountId: string): Promise<RecoveryStatusResponse>;
+    /**
+     * Complete account recovery
+     *
+     * Call this after enough guardians have verified and the timelock has expired.
+     * The new owner passkey will replace the old one.
+     *
+     * @param accountId - Account ID to complete recovery for
+     * @returns Success message
+     */
+    completeRecovery(accountId: string): Promise<CompleteRecoveryResponse>;
+    /**
+     * Cancel a pending recovery
+     *
+     * Only the current owner (with valid auth) can cancel a recovery.
+     * Use this if you regain access and want to stop an unauthorized recovery.
+     *
+     * @param token - JWT token (must be authenticated as owner)
+     * @returns Success message
+     */
+    cancelRecovery(token: string): Promise<CancelRecoveryResponse>;
+    /**
+     * Get 2FA status for the authenticated account
+     *
+     * @param token - JWT token
+     * @returns 2FA status including TOTP and PIN enablement
+     */
+    get2FAStatus(token: string): Promise<TwoFactorStatusResponse>;
+    /**
+     * Setup TOTP for the account
+     *
+     * Returns an otpauth:// URI for QR code generation and a base32 secret
+     * for manual entry. After setup, call enableTOTP with a valid code to
+     * complete the setup.
+     *
+     * @param token - JWT token
+     * @returns TOTP setup response with URI and secret
+     */
+    setupTOTP(token: string): Promise<TotpSetupResponse>;
+    /**
+     * Verify and enable TOTP for the account
+     *
+     * Call this after setupTOTP with a valid code from the authenticator app.
+     *
+     * @param code - 6-digit TOTP code from authenticator app
+     * @param token - JWT token
+     * @returns Success response
+     */
+    enableTOTP(code: string, token: string): Promise<TwoFactorResponse>;
+    /**
+     * Disable TOTP for the account
+     *
+     * Requires a valid TOTP code for confirmation.
+     *
+     * @param code - Current 6-digit TOTP code
+     * @param token - JWT token
+     * @returns Success response
+     */
+    disableTOTP(code: string, token: string): Promise<TwoFactorResponse>;
+    /**
+     * Verify a TOTP code
+     *
+     * Use this to verify a TOTP code without performing any other operation.
+     *
+     * @param code - 6-digit TOTP code
+     * @param token - JWT token
+     * @returns Verification result
+     */
+    verifyTOTP(code: string, token: string): Promise<TwoFactorVerifyResponse>;
+    /**
+     * Setup PIN for the account
+     *
+     * Sets a 4-digit or 6-digit PIN. If a PIN is already set, this replaces it.
+     *
+     * @param pin - 4 or 6 digit PIN
+     * @param token - JWT token
+     * @returns Success response with PIN length
+     */
+    setupPIN(pin: string, token: string): Promise<PinSetupResponse>;
+    /**
+     * Disable PIN for the account
+     *
+     * Requires the current PIN for confirmation.
+     *
+     * @param pin - Current PIN
+     * @param token - JWT token
+     * @returns Success response
+     */
+    disablePIN(pin: string, token: string): Promise<TwoFactorResponse>;
+    /**
+     * Verify a PIN
+     *
+     * Use this to verify a PIN without performing any other operation.
+     *
+     * @param pin - PIN to verify
+     * @param token - JWT token
+     * @returns Verification result
+     */
+    verifyPIN(pin: string, token: string): Promise<TwoFactorVerifyResponse>;
+    /**
+     * Sign an EVM transaction with 2FA
+     *
+     * Use this method when 2FA is enabled. If 2FA is not enabled,
+     * you can use the regular signEvmTransaction method instead.
+     *
+     * @param request - Sign request including tx_hash, chain_id, and optional 2FA codes
+     * @param token - JWT token
+     * @returns Signature response with r, s, v components
+     */
+    signEvmTransactionWith2FA(request: SignEvmRequestWith2FA, token: string): Promise<EvmSignatureResponse>;
 }
 /**
  * Create a new Kentucky Signer client
@@ -464,10 +1258,11 @@ declare function authenticateWithToken(baseUrl: string, accountId: string, token
  * Register a new passkey for account creation (browser only)
  *
  * @param options - Registration options
- * @returns Registration credential with public key
+ * @returns Registration credential with public key and attestation object
  */
 declare function registerPasskey(options: PasskeyRegistrationOptions): Promise<PasskeyCredential & {
     publicKey: string;
+    attestationObject: string;
 }>;
 /**
  * Check if a session is still valid
@@ -600,4 +1395,4 @@ declare function getJwtExpiration(token: string): number | null;
  */
 declare function formatError(error: unknown): string;
-export { type AccountCreationResponse, type AccountInfoResponse, type ApiErrorResponse, type AuthResponse, type AuthSession, type ChallengeResponse, type ClientOptions, type CreatePasswordAccountRequest, type EvmSignatureResponse, type KentuckySignerAccount, type KentuckySignerAccountOptions, KentuckySignerClient, type KentuckySignerConfig, KentuckySignerError, LocalStorageTokenStorage, MemoryTokenStorage, type PasskeyAuthOptions, type PasskeyCredential, type PasskeyRegistrationOptions, type PasswordAccountCreationOptions, type PasswordAuthOptions, type PasswordAuthRequest, type SignEvmRequest, type TokenStorage, authenticateWithPasskey, authenticateWithPassword, authenticateWithToken, base64UrlDecode, base64UrlEncode, bytesToHex, createAccountWithPassword, createClient, createKentuckySignerAccount, createServerAccount, formatError, getJwtExpiration, hexToBytes, isSessionValid, isValidAccountId, isValidEvmAddress, isWebAuthnAvailable, parseJwt, refreshSessionIfNeeded, registerPasskey, withRetry };
+export { type AccountCreationResponse, type AccountInfoExtendedResponse, type AccountInfoResponse, type AddGuardianRequest, type AddGuardianResponse, type AddPasskeyRequest, type AddPasskeyResponse, type AddPasswordRequest, type AddPasswordResponse, type ApiErrorResponse, type AuthConfig, type AuthResponse, type AuthResponseWithEphemeral, type AuthSession, type CancelRecoveryResponse, type ChallengeResponse, type ClientOptions, type CompleteRecoveryRequest, type CompleteRecoveryResponse, type CreatePasswordAccountRequest, EphemeralKeyManager, type EphemeralKeyPair, type EphemeralKeyStorage, type EvmSignatureResponse, type GetGuardiansResponse, type GuardianInfo, IndexedDBEphemeralKeyStorage, type InitiateRecoveryRequest, type InitiateRecoveryResponse, type KentuckySignerAccount, type KentuckySignerAccountOptions, KentuckySignerClient, type KentuckySignerConfig, KentuckySignerError, LocalStorageTokenStorage, MemoryEphemeralKeyStorage, MemoryTokenStorage, type PasskeyAuthOptions, type PasskeyCredential, type PasskeyRegistrationOptions, type PasswordAccountCreationOptions, type PasswordAuthOptions, type PasswordAuthRequest, type PinSetupRequest, type PinSetupResponse, type RecoveryStatusRequest, type RecoveryStatusResponse, type RemoveGuardianResponse, type RemovePasskeyResponse, type SecureClientOptions, SecureKentuckySignerClient, type SignEvmRequest, type SignEvmRequestWith2FA, type SignedPayload, type TokenStorage, type TotpEnableRequest, type TotpSetupResponse, type TwoFactorCallback, type TwoFactorCodes, type TwoFactorResponse, type TwoFactorStatusResponse, type TwoFactorVerifyResponse, type VerifyGuardianRequest, type VerifyGuardianResponse, authenticateWithPasskey, authenticateWithPassword, authenticateWithToken, base64UrlDecode, base64UrlEncode, bytesToHex, createAccountWithPassword, createClient, createKentuckySignerAccount, createSecureClient, createServerAccount, formatError, generateEphemeralKeyPair, getJwtExpiration, hexToBytes, isSessionValid, isValidAccountId, isValidEvmAddress, isWebAuthnAvailable, isWebCryptoAvailable, parseJwt, refreshSessionIfNeeded, registerPasskey, signPayload, verifyPayload, withRetry };