mppx 0.6.28 → 0.6.30

package/src/tempo/client/Charge.test.ts

@@ -0,0 +1,126 @@
+import { Challenge, Credential } from 'mppx'
+import { createClient, http } from 'viem'
+import { privateKeyToAccount } from 'viem/accounts'
+import { tempoLocalnet } from 'viem/chains'
+import { describe, expect, test, vi } from 'vp/test'
+
+import * as Methods from '../Methods.js'
+import { charge } from './Charge.js'
+
+const account = privateKeyToAccount(
+  '0x0000000000000000000000000000000000000000000000000000000000000001',
+)
+const currency = '0x3333333333333333333333333333333333333333'
+const recipient = '0x2222222222222222222222222222222222222222'
+
+type ChargeRequest = ReturnType<typeof Methods.charge.schema.request.parse>
+
+function createChallenge(
+  overrides: Partial<Parameters<typeof Methods.charge.schema.request.parse>[0]> = {},
+): Challenge.Challenge<ChargeRequest, 'charge', 'tempo'> {
+  const request = Methods.charge.schema.request.parse({
+    amount: '0',
+    currency,
+    decimals: 6,
+    recipient,
+    ...overrides,
+  })
+  return Challenge.from({
+    id: 'test-challenge-id',
+    intent: 'charge',
+    method: 'tempo',
+    realm: 'api.example.com',
+    request,
+  }) as Challenge.Challenge<ChargeRequest, 'charge', 'tempo'>
+}
+
+describe('tempo.charge client', () => {
+  test('uses client chain ID when the challenge omits chainId', async () => {
+    const client = createClient({
+      account,
+      chain: tempoLocalnet,
+      transport: http('http://127.0.0.1'),
+    })
+    const method = charge({
+      account,
+      getClient: () => client,
+    })
+
+    const credential = Credential.deserialize(
+      await method.createCredential({
+        challenge: createChallenge(),
+        context: {},
+      }),
+    )
+
+    expect(credential.source).toBe(`did:pkh:eip155:${tempoLocalnet.id}:${account.address}`)
+  })
+
+  test('uses challenge chainId for client resolution and proof source', async () => {
+    let requestedChainId: number | undefined
+    const chainId = 42431
+    const client = createClient({
+      account,
+      chain: tempoLocalnet,
+      transport: http('http://127.0.0.1'),
+    })
+    const method = charge({
+      account,
+      getClient: (parameters) => {
+        requestedChainId = parameters.chainId
+        return client
+      },
+    })
+
+    const credential = Credential.deserialize(
+      await method.createCredential({
+        challenge: createChallenge({ chainId }),
+        context: {},
+      }),
+    )
+
+    expect(requestedChainId).toBe(chainId)
+    expect(credential.source).toBe(`did:pkh:eip155:${chainId}:${account.address}`)
+  })
+
+  test('uses challenge chainId for non-zero transaction source', async () => {
+    vi.resetModules()
+    const prepareTransactionRequest = vi.fn(async () => ({}))
+    const signTransaction = vi.fn(async () => '0xdeadbeef')
+    vi.doMock('viem/actions', () => ({
+      prepareTransactionRequest,
+      sendCallsSync: vi.fn(),
+      signTransaction,
+      signTypedData: vi.fn(),
+    }))
+
+    try {
+      const { charge: chargeWithMockedActions } = await import('./Charge.js')
+      const chainId = 42431
+      const client = createClient({
+        account,
+        chain: tempoLocalnet,
+        transport: http('http://127.0.0.1'),
+      })
+      const method = chargeWithMockedActions({
+        account,
+        getClient: () => client,
+      })
+
+      const credential = Credential.deserialize(
+        await method.createCredential({
+          challenge: createChallenge({ amount: '1', chainId, supportedModes: ['pull'] }),
+          context: {},
+        }),
+      )
+
+      expect(prepareTransactionRequest).toHaveBeenCalledOnce()
+      expect(signTransaction).toHaveBeenCalledOnce()
+      expect(credential.payload).toEqual({ signature: '0xdeadbeef', type: 'transaction' })
+      expect(credential.source).toBe(`did:pkh:eip155:${chainId}:${account.address}`)
+    } finally {
+      vi.doUnmock('viem/actions')
+      vi.resetModules()
+    }
+  })
+})

package/src/tempo/client/Charge.ts

@@ -51,8 +51,12 @@ export function charge(parameters: charge.Parameters = {}) {
     }),
 
     async createCredential({ challenge, context }) {
-      const chainId = challenge.request.methodDetails?.chainId
-      const client = await getClient({ chainId })
+      const challengeChainId = challenge.request.methodDetails?.chainId
+      const client = await getClient({ chainId: challengeChainId })
+      const chainId = challengeChainId ?? client.chain?.id
+      if (chainId === undefined)
+        throw new Error('No `chainId` provided. Pass a chain ID in the challenge or client.')
+
       const account = getAccount(client, context)
 
       const { request } = challenge
@@ -62,7 +66,7 @@ export function charge(parameters: charge.Parameters = {}) {
       if (BigInt(amount) === 0n) {
         const signature = await signTypedData(client, {
           account,
-          domain: Proof.domain(chainId!),
+          domain: Proof.domain(chainId),
           types: Proof.types,
           primaryType: 'Proof',
           message: Proof.message(challenge.id, challenge.realm),
@@ -70,7 +74,7 @@ export function charge(parameters: charge.Parameters = {}) {
         return Credential.serialize({
           challenge,
           payload: { signature, type: 'proof' },
-          source: Proof.proofSource({ address: account.address, chainId: chainId! }),
+          source: Proof.proofSource({ address: account.address, chainId }),
         })
       }
 
@@ -156,7 +160,7 @@ export function charge(parameters: charge.Parameters = {}) {
         return Credential.serialize({
           challenge,
           payload: { hash, type: 'hash' },
-          source: `did:pkh:eip155:${chainId}:${account.address}`,
+          source: Proof.proofSource({ address: account.address, chainId }),
         })
       }
 
@@ -175,7 +179,7 @@ export function charge(parameters: charge.Parameters = {}) {
       return Credential.serialize({
         challenge,
         payload: { signature, type: 'transaction' },
-        source: `did:pkh:eip155:${chainId}:${account.address}`,
+        source: Proof.proofSource({ address: account.address, chainId }),
       })
     },
   })

package/src/tempo/client/Session.test.ts

@@ -1,6 +1,7 @@
+import { SignatureEnvelope } from 'ox/tempo'
 import { type Address, createClient, decodeFunctionData, erc20Abi, type Hex, http } from 'viem'
 import { privateKeyToAccount } from 'viem/accounts'
-import { Addresses, Transaction } from 'viem/tempo'
+import { Account as TempoAccount, Addresses, Transaction, WebCryptoP256 } from 'viem/tempo'
 import { beforeAll, describe, expect, test } from 'vp/test'
 import { nodeEnv } from '~test/config.js'
 import { deployEscrow, openChannel } from '~test/tempo/session.js'
@@ -13,6 +14,7 @@ import * as Credential from '../../Credential.js'
 import { chainId, escrowContract as escrowContractDefaults } from '../internal/defaults.js'
 import { escrowAbi } from '../session/Chain.js'
 import type { SessionCredentialPayload } from '../session/Types.js'
+import { verifyVoucher } from '../session/Voucher.js'
 import { session } from './Session.js'
 
 function deserializePayload(result: string) {
@@ -184,6 +186,133 @@ describe('session (pure)', () => {
       expect(cred.source).toBe(`did:pkh:eip155:42431:${pureAccount.address}`)
     })
 
+    test('manual open rejects P256 voucher signer while TIP-1020 verification is disabled', async () => {
+      const keyPair = await WebCryptoP256.createKeyPair()
+      const voucherSigner = TempoAccount.fromWebCryptoP256(keyPair)
+      const method = session({
+        getClient: () => pureClient,
+        account: pureAccount,
+        voucherSigner,
+      })
+
+      await expect(
+        method.createCredential({
+          challenge: makeChallenge(),
+          context: {
+            action: 'open',
+            channelId,
+            cumulativeAmount: '5',
+            transaction: '0xdeadbeef',
+          },
+        }),
+      ).rejects.toThrow('Session vouchers only support secp256k1 signatures')
+    })
+
+    test('manual open signs access-key vouchers with raw signatures', async () => {
+      const accessKey = TempoAccount.fromSecp256k1(
+        '0x59c6995e998f97a5a0044966f09453863d462d2b3f1446a99f0a3d7b5d0f5a0d',
+        { access: pureAccount },
+      )
+      const accessKeyClient = createClient({
+        account: accessKey,
+        transport: http('http://127.0.0.1'),
+      })
+      const method = session({
+        getClient: () => accessKeyClient,
+        account: accessKey,
+      })
+
+      const result = await method.createCredential({
+        challenge: makeChallenge(),
+        context: {
+          action: 'open',
+          channelId,
+          cumulativeAmount: '5',
+          transaction: '0xdeadbeef',
+        },
+      })
+
+      const cred = deserializePayload(result)
+      expect(cred.payload.action).toBe('open')
+      if (cred.payload.action !== 'open') throw new Error('unexpected action')
+      expect(cred.payload.authorizedSigner).toBeDefined()
+      if (!cred.payload.authorizedSigner) throw new Error('missing authorizedSigner')
+      expect(cred.payload.authorizedSigner.toLowerCase()).toBe(
+        accessKey.accessKeyAddress.toLowerCase(),
+      )
+
+      const envelope = SignatureEnvelope.from(
+        cred.payload.signature as SignatureEnvelope.Serialized,
+      )
+      expect(envelope.type).toBe('secp256k1')
+
+      const isValid = await verifyVoucher(
+        escrowAddress,
+        42431,
+        {
+          channelId,
+          cumulativeAmount: 5_000_000n,
+          signature: cred.payload.signature,
+        },
+        accessKey.accessKeyAddress,
+      )
+      expect(isValid).toBe(true)
+      expect(cred.source).toBe(`did:pkh:eip155:42431:${pureAccount.address}`)
+    })
+
+    test('manual open signs access-key vouchers with direct voucher signer', async () => {
+      const privateKey = '0x59c6995e998f97a5a0044966f09453863d462d2b3f1446a99f0a3d7b5d0f5a0d'
+      const accessKey = TempoAccount.fromSecp256k1(privateKey, { access: pureAccount })
+      const voucherSigner = TempoAccount.fromSecp256k1(privateKey)
+      const accessKeyClient = createClient({
+        account: accessKey,
+        transport: http('http://127.0.0.1'),
+      })
+      const method = session({
+        getClient: () => accessKeyClient,
+        account: accessKey,
+        voucherSigner,
+      })
+
+      const result = await method.createCredential({
+        challenge: makeChallenge(),
+        context: {
+          action: 'open',
+          channelId,
+          cumulativeAmount: '5',
+          transaction: '0xdeadbeef',
+        },
+      })
+
+      const cred = deserializePayload(result)
+      expect(cred.payload.action).toBe('open')
+      if (cred.payload.action !== 'open') throw new Error('unexpected action')
+      expect(cred.payload.authorizedSigner).toBeDefined()
+      if (!cred.payload.authorizedSigner) throw new Error('missing authorizedSigner')
+      expect(cred.payload.authorizedSigner.toLowerCase()).toBe(
+        accessKey.accessKeyAddress.toLowerCase(),
+      )
+
+      const envelope = SignatureEnvelope.from(
+        cred.payload.signature as SignatureEnvelope.Serialized,
+      )
+      expect(envelope.type).toBe('secp256k1')
+      expect(cred.payload.signature.length).toBe(132)
+
+      const isValid = await verifyVoucher(
+        escrowAddress,
+        42431,
+        {
+          channelId,
+          cumulativeAmount: 5_000_000n,
+          signature: cred.payload.signature,
+        },
+        accessKey.accessKeyAddress,
+      )
+      expect(isValid).toBe(true)
+      expect(cred.source).toBe(`did:pkh:eip155:42431:${pureAccount.address}`)
+    })
+
     test('manual close produces valid credential', async () => {
       const method = session({ getClient: () => pureClient, account: pureAccount })
 

package/src/tempo/client/Session.ts

@@ -7,6 +7,7 @@ import * as Method from '../../Method.js'
 import * as Account from '../../viem/Account.js'
 import * as Client from '../../viem/Client.js'
 import * as z from '../../zod.js'
+import { getAccountSignerAddress } from '../internal/account.js'
 import * as defaults from '../internal/defaults.js'
 import * as Methods from '../Methods.js'
 import type { SessionCredentialPayload } from '../session/Types.js'
@@ -27,7 +28,6 @@ export const sessionContextSchema = z.object({
   cumulativeAmount: z.optional(z.amount()),
   cumulativeAmountRaw: z.optional(z.string()),
   transaction: z.optional(z.string()),
-  authorizedSigner: z.optional(z.string()),
   additionalDeposit: z.optional(z.amount()),
   additionalDepositRaw: z.optional(z.string()),
   depositRaw: z.optional(z.string()),
@@ -79,9 +79,6 @@ export function session(parameters: session.Parameters = {}) {
     rpcUrl: defaults.rpcUrl,
   })
   const getAccount = Account.getResolver({ account: parameters.account })
-  const getAuthorizedSigner = (account: viem_Account) =>
-    parameters.authorizedSigner ??
-    (account as unknown as { accessKeyAddress?: Address }).accessKeyAddress
 
   const maxDeposit =
     parameters.maxDeposit !== undefined ? parseUnits(parameters.maxDeposit, decimals) : undefined
@@ -141,7 +138,7 @@ export function session(parameters: session.Parameters = {}) {
       )
     })()
 
-    const authorizedSigner = getAuthorizedSigner(account)
+    const voucherSigner = parameters.voucherSigner ?? account
 
     const key = channelKey(payee, currency, escrowContract)
     let entry = channels.get(key)
@@ -186,12 +183,12 @@ export function session(parameters: session.Parameters = {}) {
         entry.cumulativeAmount,
         escrowContract,
         chainId,
-        authorizedSigner,
+        voucherSigner,
       )
       notifyUpdate(entry)
     } else {
       const result = await createOpenPayload(client, account, {
-        authorizedSigner,
+        voucherSigner,
         escrowContract,
         payee,
         currency,
@@ -222,12 +219,8 @@ export function session(parameters: session.Parameters = {}) {
     const client = await getClient({ chainId })
 
     const action = context.action!
-    const {
-      channelId: channelIdRaw,
-      transaction,
-      authorizedSigner: contextAuthorizedSigner,
-    } = context
-    const authorizedSigner = (contextAuthorizedSigner as Address) ?? getAuthorizedSigner(account)
+    const { channelId: channelIdRaw, transaction } = context
+    const voucherSigner = parameters.voucherSigner ?? account
     const channelId = channelIdRaw as Hex.Hex
     const cumulativeAmount = context.cumulativeAmountRaw
       ? BigInt(context.cumulativeAmountRaw)
@@ -256,14 +249,14 @@ export function session(parameters: session.Parameters = {}) {
           { channelId, cumulativeAmount },
           escrowContract,
           chainId,
-          authorizedSigner,
+          voucherSigner,
         )
         payload = {
           action: 'open',
           type: 'transaction',
           channelId,
           transaction: transaction as Hex.Hex,
-          authorizedSigner: authorizedSigner ?? account.address,
+          authorizedSigner: getAccountSignerAddress(voucherSigner),
           cumulativeAmount: cumulativeAmount.toString(),
           signature,
         }
@@ -293,7 +286,7 @@ export function session(parameters: session.Parameters = {}) {
           cumulativeAmount,
           escrowContract,
           chainId,
-          authorizedSigner,
+          voucherSigner,
         )
         const key = channelIdToKey.get(channelId)
         if (key) {
@@ -316,7 +309,7 @@ export function session(parameters: session.Parameters = {}) {
           { channelId, cumulativeAmount },
           escrowContract,
           chainId,
-          authorizedSigner,
+          voucherSigner,
         )
         payload = {
           action: 'close',
@@ -364,8 +357,8 @@ export function session(parameters: session.Parameters = {}) {
 export declare namespace session {
   type Parameters = Account.getResolver.Parameters &
     Client.getResolver.Parameters & {
-      /** Address authorized to sign vouchers. Defaults to the account address. Use when a separate access key (e.g. secp256k1) signs vouchers while the root account funds the channel. */
-      authorizedSigner?: Address | undefined
+      /** Account that signs voucher digests. Defaults to `account`; access-key accounts sign raw vouchers as their access-key address. */
+      voucherSigner?: viem_Account | undefined
       /** Token decimals for parsing human-readable amounts (default: 6). */
       decimals?: number | undefined
       /** Initial deposit amount in human-readable units (e.g. "10" for 10 tokens). When set, the method handles the full channel lifecycle (open, voucher, cumulative tracking) automatically. */

package/src/tempo/client/SessionManager.test.ts

@@ -1,9 +1,16 @@
-import type { Hex } from 'viem'
+import { createClient, type Hex, http } from 'viem'
+import { privateKeyToAccount } from 'viem/accounts'
+import { Account as TempoAccount } from 'viem/tempo'
 import { describe, expect, test, vi } from 'vp/test'
 
 import * as Challenge from '../../Challenge.js'
+import * as PaymentCredential from '../../Credential.js'
 import { formatNeedVoucherEvent, parseEvent } from '../session/Sse.js'
-import type { NeedVoucherEvent, SessionReceipt } from '../session/Types.js'
+import type {
+  NeedVoucherEvent,
+  SessionCredentialPayload,
+  SessionReceipt,
+} from '../session/Types.js'
 import { sessionManager } from './SessionManager.js'
 
 const channelId = '0x0000000000000000000000000000000000000000000000000000000000000001' as Hex
@@ -82,6 +89,66 @@ describe('Session', () => {
       expect(s.cumulative).toBe(0n)
       expect(s.opened).toBe(false)
     })
+
+    test('uses voucherSigner for managed open credentials', async () => {
+      vi.resetModules()
+      vi.doMock('viem/actions', () => ({
+        prepareTransactionRequest: vi.fn(async () => ({})),
+        sendCallsSync: vi.fn(),
+        signTransaction: vi.fn(async () => '0xdeadbeef'),
+        signTypedData: vi.fn(),
+      }))
+
+      try {
+        const { sessionManager: sessionManagerWithMocks } = await import('./SessionManager.js')
+        const account = privateKeyToAccount(
+          '0x0000000000000000000000000000000000000000000000000000000000000001',
+        )
+        const voucherSigner = TempoAccount.fromSecp256k1(
+          '0x0000000000000000000000000000000000000000000000000000000000000002',
+          { access: account },
+        )
+        const client = createClient({
+          account,
+          transport: http('http://127.0.0.1'),
+        })
+        const challenge = makeChallenge({
+          recipient: '0x742d35cc6634c0532925a3b844bc9e7595f8fe00',
+          methodDetails: {
+            escrowContract: '0x9d136eea063ede5418a6bc7beaff009bbb6cfa70',
+            chainId: 4217,
+          },
+        })
+        const mockFetch = vi
+          .fn()
+          .mockResolvedValueOnce(make402Response(challenge))
+          .mockResolvedValueOnce(makeOkResponse())
+
+        const manager = sessionManagerWithMocks({
+          account,
+          client,
+          fetch: mockFetch as typeof globalThis.fetch,
+          maxDeposit: '10',
+          voucherSigner,
+        })
+
+        const response = await manager.fetch('https://api.example.com/data')
+        const authorization = new Headers((mockFetch.mock.calls[1]![1] as RequestInit).headers).get(
+          'Authorization',
+        )
+
+        expect(response.status).toBe(200)
+        expect(authorization).toBeDefined()
+        if (!authorization) throw new Error('missing authorization header')
+        const credential = PaymentCredential.deserialize<SessionCredentialPayload>(authorization)
+        expect(credential.payload.action).toBe('open')
+        if (credential.payload.action !== 'open') throw new Error('unexpected action')
+        expect(credential.payload.authorizedSigner).toBe(voucherSigner.accessKeyAddress)
+      } finally {
+        vi.doUnmock('viem/actions')
+        vi.resetModules()
+      }
+    })
   })
 
   describe('.fetch()', () => {

package/src/tempo/client/SessionManager.ts

@@ -1,5 +1,5 @@
 import type { Hex } from 'ox'
-import { parseUnits, type Address } from 'viem'
+import { parseUnits, type Account as viem_Account, type Address } from 'viem'
 
 import * as Challenge from '../../Challenge.js'
 import * as Fetch from '../../client/internal/Fetch.js'
@@ -124,7 +124,7 @@ export function sessionManager(parameters: sessionManager.Parameters): SessionMa
 
   const method = sessionPlugin({
     account: parameters.account,
-    authorizedSigner: parameters.authorizedSigner,
+    voucherSigner: parameters.voucherSigner,
     getClient: parameters.client ? () => parameters.client! : parameters.getClient,
     escrowContract: parameters.escrowContract,
     decimals: parameters.decimals,
@@ -853,8 +853,8 @@ export function sessionManager(parameters: sessionManager.Parameters): SessionMa
 export declare namespace sessionManager {
   type Parameters = Account.getResolver.Parameters &
     Client.getResolver.Parameters & {
-      /** Address authorized to sign vouchers. Defaults to the account address. */
-      authorizedSigner?: Address | undefined
+      /** Account that signs voucher digests. Defaults to `account`; access-key accounts sign raw vouchers as their access-key address. */
+      voucherSigner?: viem_Account | undefined
       /** Viem client instance. Shorthand for `getClient: () => client`. */
       client?: import('viem').Client | undefined
       /** Token decimals used to convert `maxDeposit` to raw units. Defaults to `6`. */

package/src/tempo/internal/account.ts

@@ -1,4 +1,17 @@
 import type { Account, Address } from 'viem'
+import type { Account as TempoAccount } from 'viem/tempo'
+
+/** Returns whether an account is a Tempo access-key account. */
+export function isAccessKeyAccount(
+  account: Account,
+): account is Account & TempoAccount.AccessKeyAccount {
+  return 'accessKeyAddress' in account
+}
+
+/** Returns the address that should authorize direct account signatures. */
+export function getAccountSignerAddress(account: Account): Address {
+  return isAccessKeyAccount(account) ? account.accessKeyAddress : account.address
+}
 
 /**
  * Resolves a recipient address and optional fee payer from flexible input parameters.

package/src/tempo/internal/fee-payer.test.ts

@@ -1,4 +1,4 @@
-import { encodeFunctionData } from 'viem'
+import { encodeFunctionData, maxUint256 } from 'viem'
 import { Abis, Addresses } from 'viem/tempo'
 import { describe, expect, test } from 'vp/test'
 
@@ -443,7 +443,7 @@ describe('prepareSponsoredTransaction', () => {
     maxFeePerGas: 1_000_000_000n,
     maxPriorityFeePerGas: 1_000_000_000n,
     nonce: 1n,
-    nonceKey: 1n,
+    nonceKey: 'expiring',
     signature: { r: 1n, s: 1n, yParity: 0 } as any,
     validBefore: Math.floor(Date.now() / 1_000) + 300,
   } as const
@@ -460,6 +460,36 @@ describe('prepareSponsoredTransaction', () => {
     ).not.toThrow()
   })
 
+  test('accepts serialized expiring nonce key', () => {
+    expect(() =>
+      prepareSponsoredTransaction({
+        account: sponsor,
+        chainId: 42431,
+        details,
+        expectedFeeToken: bogus,
+        transaction: {
+          ...baseTransaction,
+          nonceKey: maxUint256,
+        } as any,
+      }),
+    ).not.toThrow()
+  })
+
+  test('error: rejects non-expiring nonce keys', () => {
+    expect(() =>
+      prepareSponsoredTransaction({
+        account: sponsor,
+        chainId: 42431,
+        details,
+        expectedFeeToken: bogus,
+        transaction: {
+          ...baseTransaction,
+          nonceKey: 1n,
+        } as any,
+      }),
+    ).toThrow('must use an expiring nonce')
+  })
+
   test('accepts higher Moderato priority fees by default', () => {
     expect(() =>
       prepareSponsoredTransaction({

package/src/tempo/internal/fee-payer.ts

@@ -2,7 +2,7 @@ import type { TempoAddress } from 'ox/tempo'
 import { TxEnvelopeTempo } from 'ox/tempo'
 import type { Hex } from 'viem'
 import type { Account } from 'viem'
-import { decodeFunctionData } from 'viem'
+import { decodeFunctionData, maxUint256 } from 'viem'
 import { Abis, Addresses, Transaction } from 'viem/tempo'
 
 import * as TempoAddress_internal from './address.js'
@@ -126,6 +126,10 @@ function getPolicy(chainId: number, overrides: Partial<Policy> | undefined): Pol
   }
 }
 
+function isExpiringNonceKey(nonceKey: SponsoredTransaction['nonceKey']): boolean {
+  return nonceKey === 'expiring' || nonceKey === maxUint256
+}
+
 /** Validates that a set of transaction calls matches an allowed fee-payer pattern. */
 export function validateCalls(
   calls: readonly { data?: `0x${string}` | undefined; to?: TempoAddress.Address | undefined }[],
@@ -358,7 +362,7 @@ export function prepareSponsoredTransaction(parameters: {
       maxPriorityFeePerGas: maxPriorityFeePerGas.toString(),
     })
 
-  if (nonceKey === undefined) fail('fee-sponsored transaction must use an expiring nonce')
+  if (!isExpiringNonceKey(nonceKey)) fail('fee-sponsored transaction must use an expiring nonce')
   if (validBefore === undefined)
     fail('fee-sponsored transaction must declare validBefore for the expiring nonce')
   const validBeforeValue = validBefore