Using an Auth Sig

Danger: Please do not cache Session Signatures, and instead generate them on-demand.

This guide covers the getSessionSigs function from the Lit SDK. For an overview of what Session Signatures are and how they are to be used, please go here.

Using the getSessionSigs function, you can specify the capabilities of your current session on the Lit network.

The function uses the session keypair generated by the LitNodeClient and invokes a callback function, authNeededCallback, to generate an AuthSig scoped to specific Lit capabilities and sign it using the session keypair to create the SessionSigs.

This function is the simplest way to get Session Signatures, requiring at minimum only an Ethereum private key and the LitNodeClient. It enables specific capabilities for your session keypair using the resources you specify in the AuthSig.

Prerequisites

Before continuing this guide, you should have an understanding of:

Parameters and Return Values

To see the parameters and return values of getSessionSigs, please visit our API Docs.

Example Implementation

The full code implementation can be found here.

Installing the Required Dependencies

npm install \
  @lit-protocol/auth-helpers \
  @lit-protocol/constants \
  @lit-protocol/lit-node-client \
  ethers@v5

The node-localstorage dependency is only required when executing code outside a browser environment. The SDK will use the native browser storage when in a browser environment. You can learn more about this here.

Initializing an Ethers Signer

The ETHEREUM_PRIVATE_KEY environment variable is required.

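import { LIT_RPC } from "@lit-protocol/constants";
import * as ethers from "ethers";

// Wallet built from the private key in the environment, connected to the
// Chronicle Yellowstone RPC endpoint exported by @lit-protocol/constants.
const ethersSigner = new ethers.Wallet(
  process.env.ETHEREUM_PRIVATE_KEY,
  new ethers.providers.JsonRpcProvider(LIT_RPC.CHRONICLE_YELLOWSTONE)
);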

Initializing a LitNodeClient

Here we are initializing an instance of LitNodeClient and connecting it to the datil-test Lit network.

import { LitNodeClient } from "@lit-protocol/lit-node-client";
import { LIT_NETWORK } from "@lit-protocol/constants";

let litNodeClient: LitNodeClient;

litNodeClient = new LitNodeClient({
  litNetwork: LIT_NETWORK.DatilTest,
  debug: false,
});
await litNodeClient.connect();

Generating Session Signatures

In this example, we're granting the capability to request to decrypt any data that we may be authorized to decrypt (i.e. we satisfy the Access Control Conditions the data was encrypted with). We could, however, specify the LitAccessControlConditionResource for specific encrypted data we're permitting the decryption capability for. In real-world applications, it's more common and secure to limit access to specific Lit resources instead of specifying the wildcard ("*") identifier.

To get the Lit resource identifier for other resources, you can use the other methods included in the @lit-protocol/auth-helpers package.

If you would like to use this function on the datil or datil-test networks, a capacityDelegationAuthSig is required. An example of how to generate one can be found in the full code example.

import { LIT_ABILITY } from "@lit-protocol/constants";
import {
  LitAccessControlConditionResource,
  createSiweMessage,
  generateAuthSig,
} from "@lit-protocol/auth-helpers";

// capacityDelegationAuthSig is not defined in this snippet; see the full code
// example for how to generate one.
const sessionSignatures = await litNodeClient.getSessionSigs({
  chain: "ethereum",
  expiration: new Date(Date.now() + 1000 * 60 * 10).toISOString(), // 10 minutes
  capabilityAuthSigs: [capacityDelegationAuthSig], // Unnecessary on datil-dev
  resourceAbilityRequests: [
    {
      // "*" is the wildcard identifier: any data we are authorized to decrypt
      resource: new LitAccessControlConditionResource("*"),
      ability: LIT_ABILITY.AccessControlConditionDecryption,
    },
  ],
  // Builds the SIWE message for the requested resources and signs it with the wallet
  authNeededCallback: async ({
    uri,
    expiration,
    resourceAbilityRequests,
  }) => {
    const toSign = await createSiweMessage({
      uri,
      expiration,
      resources: resourceAbilityRequests,
      walletAddress: ethersSigner.address,
      nonce: await litNodeClient.getLatestBlockhash(),
      litNodeClient,
    });

    return await generateAuthSig({
      signer: ethersSigner,
      toSign,
    });
  },
});

Note: The nonce should be the latest Ethereum blockhash returned by the nodes during the handshake.
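
The wildcard caveat in this section can be enforced in code before getSessionSigs is called. The following is an added example, not part of the Lit SDK or the original guide: a hypothetical auditSessionRequest helper that flags wildcard resources and over-long expirations. It assumes each resource object exposes its identifier as a string property named resource; the policy value and sample inputs are constructed.

```typescript
// Added example (not from the Lit SDK). Assumption: each resource object exposes
// the identifier passed to its constructor as a string property named `resource`.
interface ResourceAbilityRequest {
  resource: { resource: string };
  ability: string;
}
interface SessionRequest {
  expiration: string; // ISO 8601 string, as passed to getSessionSigs
  resourceAbilityRequests: ResourceAbilityRequest[];
}

// Hypothetical policy value; the guide's own example uses 10 minutes.
const MAX_SESSION_TTL_MS = 10 * 60 * 1000;

// Returns a list of findings; an empty list means the request passes the policy.
function auditSessionRequest(req: SessionRequest, now: number = Date.now()): string[] {
  const findings: string[] = [];
  const expiresAt = Date.parse(req.expiration);
  if (isNaN(expiresAt)) {
    findings.push("expiration is not a parseable timestamp");
  } else if (expiresAt <= now) {
    findings.push("expiration is already in the past");
  } else if (expiresAt - now > MAX_SESSION_TTL_MS) {
    findings.push("expiration exceeds the maximum session lifetime");
  }
  if (req.resourceAbilityRequests.length === 0) {
    findings.push("no resourceAbilityRequests supplied");
  }
  for (const { resource, ability } of req.resourceAbilityRequests) {
    const id = resource.resource.trim();
    if (id === "" || id === "*") {
      findings.push(`wildcard or empty resource requested for ability "${ability}"`);
    }
  }
  return findings;
}

// Constructed sample input; the ability strings are placeholders.
const NOW = Date.parse("2024-01-01T00:00:00.000Z");
const wildcardRequest: SessionRequest = {
  expiration: "2024-01-01T01:00:00.000Z", // one hour out
  resourceAbilityRequests: [{ resource: { resource: "*" }, ability: "decryption-placeholder" }],
};
const scopedRequest: SessionRequest = {
  expiration: "2024-01-01T00:10:00.000Z", // ten minutes out
  resourceAbilityRequests: [
    { resource: { resource: "constructed-resource-id" }, ability: "decryption-placeholder" },
  ],
};
```

Run the check on the same expiration and resourceAbilityRequests values you are about to pass to getSessionSigs, and refuse to request the session when the returned list is non-empty.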

Clearing Local Storage

If you want to clear the session key stored in the browser local storage, you can call the disconnectWeb3 method.

Summary

After executing the example implementation above, you will have generated Session Signatures that allow you to request decrypting data that you have satisfied the Access Control Conditions for.

The full code implementation can be found here.