0xsequence · patrislav · Aug 11, 2025 · Aug 5, 2025 · Aug 7, 2025 · Aug 7, 2025
@@ -25,6 +25,7 @@
     "vitest": "^3.2.1"
   },
   "dependencies": {
+    "json-canonicalize": "^2.0.0",
     "jwt-decode": "^4.0.0",
     "ox": "^0.7.2"
   }

@@ -1,5 +1,5 @@
 /* eslint-disable */
-// identity-instrument v0.1.0 f482d220692b4c5e41797f4e8dddb70dab930ed3
+// identity-instrument v0.1.0 b0ca08fbbd2e98d269d745176d4de5cbfa8960d6
 // --
 // Code generated by [email protected] with typescript generator. DO NOT EDIT.
 //
@@ -16,7 +16,7 @@ export const WebRPCVersion = 'v1'
 export const WebRPCSchemaVersion = 'v0.1.0'
 
 // Schema hash generated from your RIDL schema
-export const WebRPCSchemaHash = 'f482d220692b4c5e41797f4e8dddb70dab930ed3'
+export const WebRPCSchemaHash = 'b0ca08fbbd2e98d269d745176d4de5cbfa8960d6'
 
 type WebrpcGenVersions = {
   webrpcGenVersion: string
@@ -71,18 +71,16 @@ function parseWebrpcGenVersions(header: string): WebrpcGenVersions {
 //
 
 export enum KeyType {
-  Secp256k1 = 'Secp256k1',
-  Secp256r1 = 'Secp256r1',
+  WebCrypto_Secp256r1 = 'WebCrypto_Secp256r1',
+  Ethereum_Secp256k1 = 'Ethereum_Secp256k1',
 }
 
 export enum IdentityType {
-  Guest = 'Guest',
   Email = 'Email',
   OIDC = 'OIDC',
 }
 
 export enum AuthMode {
-  Guest = 'Guest',
   OTP = 'OTP',
   IDToken = 'IDToken',
   AccessToken = 'AccessToken',
@@ -92,7 +90,6 @@ export enum AuthMode {
 
 export interface CommitVerifierParams {
   scope?: string
-  authKey: Key
   identityType: IdentityType
   authMode: AuthMode
   metadata: { [key: string]: string }
@@ -102,20 +99,19 @@ export interface CommitVerifierParams {
 
 export interface CompleteAuthParams {
   scope?: string
-  authKey: Key
   identityType: IdentityType
   signerType: KeyType
   authMode: AuthMode
   verifier: string
   answer: string
+  lifetime?: number
 }
 
 export interface SignParams {
   scope?: string
   signer: Key
+  nonce: string
   digest: string
-  authKey: Key
-  signature: string
 }
 
 export interface Identity {
@@ -173,6 +169,8 @@ export interface IdentityInstrument {
 
 export interface CommitVerifierArgs {
   params: CommitVerifierParams
+  authKey: Key
+  signature: string
 }
 
 export interface CommitVerifierReturn {
@@ -182,6 +180,8 @@ export interface CommitVerifierReturn {
 }
 export interface CompleteAuthArgs {
   params: CompleteAuthParams
+  authKey: Key
+  signature: string
 }
 
 export interface CompleteAuthReturn {
@@ -190,6 +190,8 @@ export interface CompleteAuthReturn {
 }
 export interface SignArgs {
   params: SignParams
+  authKey: Key
+  signature: string
 }
 
 export interface SignReturn {
@@ -660,6 +662,32 @@ export class TooManyAttemptsError extends WebrpcError {
   }
 }
 
+export class OAuthErrorError extends WebrpcError {
+  constructor(
+    name: string = 'OAuthError',
+    code: number = 7006,
+    message: string = `Failed to exchange OAuth credentials`,
+    status: number = 0,
+    cause?: string,
+  ) {
+    super(name, code, message, status, cause)
+    Object.setPrototypeOf(this, OAuthErrorError.prototype)
+  }
+}
+
+export class AccessErrorError extends WebrpcError {
+  constructor(
+    name: string = 'AccessError',
+    code: number = 7007,
+    message: string = `Access error`,
+    status: number = 0,
+    cause?: string,
+  ) {
+    super(name, code, message, status, cause)
+    Object.setPrototypeOf(this, AccessErrorError.prototype)
+  }
+}
+
 export enum errors {
   WebrpcEndpoint = 'WebrpcEndpoint',
   WebrpcRequestFailed = 'WebrpcRequestFailed',
@@ -686,6 +714,8 @@ export enum errors {
   AnswerIncorrect = 'AnswerIncorrect',
   ChallengeExpired = 'ChallengeExpired',
   TooManyAttempts = 'TooManyAttempts',
+  OAuthError = 'OAuthError',
+  AccessError = 'AccessError',
 }
 
 export enum WebrpcErrorCodes {
@@ -714,6 +744,8 @@ export enum WebrpcErrorCodes {
   AnswerIncorrect = 7003,
   ChallengeExpired = 7004,
   TooManyAttempts = 7005,
+  OAuthError = 7006,
+  AccessError = 7007,
 }
 
 export const webrpcErrorByCode: { [code: number]: any } = {
@@ -742,6 +774,8 @@ export const webrpcErrorByCode: { [code: number]: any } = {
   [7003]: AnswerIncorrectError,
   [7004]: ChallengeExpiredError,
   [7005]: TooManyAttemptsError,
+  [7006]: OAuthErrorError,
+  [7007]: AccessErrorError,
 }
 
 export type Fetch = (input: RequestInfo, init?: RequestInit) => Promise<Response>
@@ -1,4 +1,5 @@
 import { Hex, Bytes } from 'ox'
+import { canonicalize } from 'json-canonicalize'
 import {
   CommitVerifierReturn,
   CompleteAuthReturn,
@@ -21,44 +22,50 @@ export class IdentityInstrument {
   }
 
   async commitVerifier(authKey: AuthKey, challenge: Challenge) {
+    const params = challenge.getCommitParams()
+    const signature = await authKey.sign(Bytes.fromString(canonicalize(params)))
     return this.rpc.commitVerifier({
-      params: {
-        ...challenge.getCommitParams(),
-        authKey: {
-          address: authKey.address,
-          keyType: authKey.keyType,
-        },
+      params,
+      authKey: {
+        address: authKey.address,
+        keyType: authKey.keyType,
       },
+      signature,
     })
   }
 
   async completeAuth(authKey: AuthKey, challenge: Challenge) {
+    const params = {
+      ...challenge.getCompleteParams(),
+      signerType: KeyType.Ethereum_Secp256k1,
+    }
+    const signature = await authKey.sign(Bytes.fromString(canonicalize(params)))
     return this.rpc.completeAuth({
-      params: {
-        ...challenge.getCompleteParams(),
-        signerType: KeyType.Secp256k1,
-        authKey: {
-          address: authKey.address,
-          keyType: authKey.keyType,
-        },
+      params,
+      authKey: {
+        address: authKey.address,
+        keyType: authKey.keyType,
       },
+      signature,
     })
   }
 
   async sign(authKey: AuthKey, digest: Bytes.Bytes) {
+    const params = {
+      signer: {
+        address: authKey.signer,
+        keyType: KeyType.Ethereum_Secp256k1,
+      },
+      digest: Hex.fromBytes(digest),
+      nonce: Hex.random(16),
+    }
     const res = await this.rpc.sign({
-      params: {
-        signer: {
-          address: authKey.signer,
-          keyType: KeyType.Secp256k1,
-        },
-        digest: Hex.fromBytes(digest),
-        authKey: {
-          address: authKey.address,
-          keyType: authKey.keyType,
-        },
-        signature: await authKey.sign(digest),
+      params,
+      authKey: {
+        address: authKey.address,
+        keyType: authKey.keyType,
       },
+      signature: await authKey.sign(Bytes.fromString(canonicalize(params))),
     })
     Hex.assert(res.signature)
     return res.signature

@@ -32,7 +32,7 @@ describe('IdTokenChallenge', () => {
 
 describe('AuthCodeChallenge', () => {
   const authCode = '1234567890'
-  const signer = { address: '0x26F5B2b3Feed8f02051c0b1c5b40cc088107935e', keyType: KeyType.Secp256k1 }
+  const signer = { address: '0x26F5B2b3Feed8f02051c0b1c5b40cc088107935e', keyType: KeyType.Ethereum_Secp256k1 }
 
   it('returns correct commit params', () => {
     const challenge = new AuthCodeChallenge('https://example.com', 'audience', 'https://dapp.com/redirect', authCode)
@@ -77,7 +77,7 @@ describe('AuthCodePkceChallenge', () => {
   const challenge = new AuthCodePkceChallenge('https://example.com', 'audience', 'https://dapp.com/redirect')
   const authCode = '1234567890'
   const verifier = 'verifier'
-  const signer = { address: '0x26F5B2b3Feed8f02051c0b1c5b40cc088107935e', keyType: KeyType.Secp256k1 }
+  const signer = { address: '0x26F5B2b3Feed8f02051c0b1c5b40cc088107935e', keyType: KeyType.Ethereum_Secp256k1 }
 
   it('returns correct commit params', () => {
     const params = challenge.getCommitParams()
@@ -172,7 +172,7 @@ describe('OtpChallenge', () => {
   })
 
   describe('fromSigner', () => {
-    const signer = { address: '0x26F5B2b3Feed8f02051c0b1c5b40cc088107935e', keyType: KeyType.Secp256k1 }
+    const signer = { address: '0x26F5B2b3Feed8f02051c0b1c5b40cc088107935e', keyType: KeyType.Ethereum_Secp256k1 }
 
     describe('getCommitParams', () => {
       it('returns correct commit params', () => {
@@ -186,7 +186,10 @@ describe('OtpChallenge', () => {
       })
 
       it('throws if signer is not provided', () => {
-        const challenge = OtpChallenge.fromSigner(IdentityType.Email, { address: '', keyType: KeyType.Secp256k1 })
+        const challenge = OtpChallenge.fromSigner(IdentityType.Email, {
+          address: '',
+          keyType: KeyType.Ethereum_Secp256k1,
+        })
         expect(() => challenge.getCommitParams()).toThrow()
       })
     })

@@ -8,7 +8,7 @@ import * as Identity from '@0xsequence/identity-instrument'
 export function toIdentityAuthKey(authKey: AuthKey): Identity.AuthKey {
   return {
     address: authKey.address,
-    keyType: Identity.KeyType.Secp256r1,
+    keyType: Identity.KeyType.WebCrypto_Secp256r1,
     signer: authKey.identitySigner,
     async sign(digest: Bytes.Bytes) {
       const authKeySignature = await window.crypto.subtle.sign(

@@ -22,7 +22,7 @@ export class AuthCodePkceHandler extends AuthCodeHandler implements Handler {
   public async commitAuth(target: string, isSignUp: boolean, state?: string, signer?: string) {
     let challenge = new Identity.AuthCodePkceChallenge(this.issuer, this.audience, this.redirectUri)
     if (signer) {
-      challenge = challenge.withSigner({ address: signer, keyType: Identity.KeyType.Secp256k1 })
+      challenge = challenge.withSigner({ address: signer, keyType: Identity.KeyType.Ethereum_Secp256k1 })
     }
     const { verifier, loginHint, challenge: codeChallenge } = await this.nitroCommitVerifier(challenge)
     if (!state) {

@@ -62,7 +62,7 @@ export class AuthCodeHandler extends IdentityHandler implements Handler {
   ): Promise<[IdentitySigner, { [key: string]: string }]> {
     let challenge = new Identity.AuthCodeChallenge(this.issuer, this.audience, this.redirectUri, code)
     if (commitment.signer) {
-      challenge = challenge.withSigner({ address: commitment.signer, keyType: Identity.KeyType.Secp256k1 })
+      challenge = challenge.withSigner({ address: commitment.signer, keyType: Identity.KeyType.Ethereum_Secp256k1 })
     }
     await this.nitroCommitVerifier(challenge)
     const { signer, email } = await this.nitroCompleteAuth(challenge)

@@ -8,8 +8,6 @@ import { IdentitySigner, toIdentityAuthKey } from '../../identity/signer.js'
 export const identityTypeToHex = (identityType?: Identity.IdentityType): Hex.Hex => {
   // Bytes4
   switch (identityType) {
-    case Identity.IdentityType.Guest:
-      return '0x00000000'
     case Identity.IdentityType.Email:
       return '0x00000001'
     case Identity.IdentityType.OIDC:

@@ -91,7 +91,7 @@ export class OtpHandler extends IdentityHandler implements Handler {
         new Promise(async (resolve, reject) => {
           const challenge = Identity.OtpChallenge.fromSigner(this.identityType, {
             address,
-            keyType: Identity.KeyType.Secp256k1,
+            keyType: Identity.KeyType.Ethereum_Secp256k1,
           })
           const { loginHint, challenge: codeChallenge } = await this.nitroCommitVerifier(challenge)
 

@@ -159,7 +159,7 @@ describe('AuthCodePkceHandler', () => {
       // Verify nitroCommitVerifier was called with signer in challenge
       expect(handler['nitroCommitVerifier']).toHaveBeenCalledWith(
         expect.objectContaining({
-          signer: { address: signer, keyType: Identity.KeyType.Secp256k1 },
+          signer: { address: signer, keyType: Identity.KeyType.Ethereum_Secp256k1 },
         }),
       )
     })

@@ -571,7 +571,7 @@ describe('AuthCodeHandler', () => {
       expect(mockCommitVerifier).toHaveBeenCalledWith(
         expect.objectContaining({
           address: mockAuthKey.address,
-          keyType: KeyType.Secp256r1,
+          keyType: KeyType.WebCrypto_Secp256r1,
           signer: mockAuthKey.identitySigner,
         }),
         mockChallenge,

@@ -73,7 +73,7 @@ describe('Identity Signer', () => {
       const result = toIdentityAuthKey(testAuthKey)
 
       expect(result.address).toBe(testAuthKey.address)
-      expect(result.keyType).toBe(KeyType.Secp256r1)
+      expect(result.keyType).toBe(KeyType.WebCrypto_Secp256r1)
       expect(result.signer).toBe(testAuthKey.identitySigner)
       expect(typeof result.sign).toBe('function')
     })

@@ -406,7 +406,7 @@ describe('OtpHandler', () => {
       expect(handleResult).toBe(true)
       expect(MockedOtpChallenge.fromSigner).toHaveBeenCalledWith(IdentityType.Email, {
         address: testWallet,
-        keyType: KeyType.Secp256k1,
+        keyType: KeyType.Ethereum_Secp256k1,
       })
       expect(mockCallback).toHaveBeenCalledWith('[email protected]', expect.any(Function))
     })
@@ -478,7 +478,7 @@ describe('OtpHandler', () => {
       expect(mockCommitVerifier).toHaveBeenCalledWith(
         expect.objectContaining({
           address: mockAuthKey.address,
-          keyType: KeyType.Secp256r1,
+          keyType: KeyType.WebCrypto_Secp256r1,
           signer: mockAuthKey.identitySigner,
         }),
         mockChallenge,