Skip to main content
Version: v3.x.x

Stytch OTP / TOTP

Email and SMS authentication provides users with a convenient way to verify their identity using one-time passwords (OTP) sent to their registered email address or phone number. We have chosen (Stytch)[] as our OTP Authentication provider. Once you have setup your Stytch project you can use it via project meta data in our lit-auth-client package.


The lit-auth-client requires a user session to be established in order to authenticate the session as this is the only way to obtain a session_jwt which our sdk requires. See Stytch documentation for more information.

We support all otp and totp authentication implementations stytch supports through the StytchOtpProvider this will use the sub property of the session token from our Stytch authnetication session as the user id to form the auth method identifier which is registered to the pkp for permitting the authentication method.

  • Email
  • sms
  • WhatsApp
  • TOTP (authenticator apps)

Obtain A Stytch session

import * as stytch from "stytch";

const client = new stytch.Client({
project_id: STYTCH_PROJECT_ID,

const emailResponse = await prompts({
type: "text",
name: "email",
message: "Enter your email address",

const stytchResponse = await{

const otpResponse = await prompts({
type: "text",
name: "code",
message: "Enter the code sent to your email:",

const authResponse = await client.otps.authenticate({
method_id: stytchResponse.email_id,
code: otpResponse.code,
session_duration_minutes: 60 * 24 * 7,

let sessionResp = await client.sessions.get({
user_id: authResponse.user_id,

// the sessionStatus contains the relevant session token
const sessionStatus = await client.sessions.authenticate({
session_token: authResponse.session_token,

Use an Authenticated Stytch Session with the lit-auth-client

import { LitAuthClient } from "@lit-protocol/lit-auth-client";

const authClient = new LitAuthClient({
litRelayConfig: {

const session =
authClient.initProvider < StytchOtpProvider > ProviderType.StytchOtp;
// from the above example of using the Stytch client to get an authenticated session
const authMethod = await session.authenticate({
accessToken: sessionStatus.session_jwt,

Using Specific Stytch Authentication Factors

We also support specific Stytch authentication factors which are the same as using the default StytchOtp provider type, however, instead of using the user identifier Stytch assigns to each user. The user id will be the Authentication Factor transport. Meaning for example of sms otp was the authentication factor, then the phone number of the user will be the user id below is a table of what each auth factor will use as the user id

ProviderTypeuser identifier value
StytchEmailFactorOtpemail address
StytchSmsFactorOtpphone number
StytchWhatsAppFactorOtpphone number
StytchTotpFactortotp id

There are two main benefits to using an auth factor over the generic Stytch OTP provider type.

  • Admins of the stytch project cannot modify the user's authentication on their side.
  • If being used through Claiming, the pkp public key can be dervied without users authenticating beforehand.

Using a specific authentication factor means that each user authentication factor is a new user to the Lit Nodes. Meaning if a user has two different auth factors, they are two different authentication methods.

Stytch Auth Method Provider Types


Minting via Contract

An alternative to minting the PKP NFT via the Lit Relay Server is to send a transaction to the smart contract yourself. You can reference the following example data that is passed to the mintNextAndAddAuthMethods method of the PKPHelper smart contract:

  • keyType is 2
  • permittedAuthMethodTypes is [9 - 13] depending on the type of Stytch authentication used
  • permittedAuthMethodIds is an array with 1 element being the user's email or phone number.
  • permittedAuthMethodScopes is an array with 1 zero-initialized element, e.g. [[ethers.BigNumber.from("0")]]
  • addPkpEthAddressAsPermittedAddress is true
  • sendPkpToItself is true

Authenticating to Fetch PKP information

// Using the session examples above you can call to fetch pkps by the auth method gotten from the provider examples
const txHash = await session.fetchPKPThroughRelayer(authMethod, {
permittedAuthMethodScopes: [[AuthMethodScope.SignAnything]]

The Lit Relay Server enables you to mint PKPs without worrying about gas fees. You can also use your own relay server or mint PKPs directly using Lit's contracts.

If you are using Lit Relay Server, you will need to request an API key here.


If the user is using a phone number, the country code must be provided.

Below is an example of an authentication method from successful authentication

"authMethodType": 9

Generating SessionSigs

After successfully authenticating with a social login provider, you can generate SessionSigs using the provider's getSessionSigs method. The getSessionSigs method takes in an AuthMethod object, optional LitNodeClient object, a PKP public key, and other session-specific arguments in SessionSigsParams object such as resourceAbilityRequests and chain. View the API Docs.

// Get session signatures for the given PKP public key and auth method
const sessionSigs = await provider.getSessionSigs({
authMethod: '<AuthMethod object returned from authenticate()>',
pkpPublicKey: '<YOUR PKP PUBLIC KEY>'
sessionSigsParams: {
chain: 'ethereum',
resourceAbilityRequests: [{
resource: litResource,
ability: LitAbility.AccessControlConditionDecryption

Generating Session Signatures using the LitNodeClient

Initalize an instance of the LitNodeClient and connect to the network

const litNodeClient: LitNodeClientNodeJs = new LitNodeClientNodeJs({
litNetwork: "cayenne",
debug: true,
await litNodeClient.connect();

Request a specified pkp to sign a session signature, authenticating with an Auth Method for a given PKP The session.fetchPKPThroughRelayer method above can be used to query PKP public keys associated with a given auth method. You can also use the contracts-sdk to query PKP information by Authentication Method.

// The implementation below is wrapped by the above `provider.getSessionSigs`
const authNeededCallback = async (params: AuthCallbackParams) => {
console.log("params", params);
const response = await litNodeClient.signSessionKey({
sessionKey: sessionKeyPair,
statement: params.statement,
authMethods: [authMethod], // auth method from one of the `lit-auth-client` authentication providers
pkpPublicKey: "<YOUR PKP PUBLIC KEY>", // pkp which has the auth method configured for authentication above
expiration: params.expiration,
resources: params.resources,
chainId: 1,
console.log("callback response", response);
return response.authSig;

const resourceAbilities = [
resource: new LitPkpResource("*"),
ability: LitAbility.PKPSigning,
const sessionSigs = await litNodeClient
chain: "ethereum",
expiration: new Date( + 1000 * 60 * 60 * 24 * 7).toISOString(),
resourceAbilityRequests: resourceAbilities,
sessionKey: sessionKeyPair,
.catch((err) => {
console.log("error while attempting to access session signatures: ", err);
throw err;
console.log("session signatures: ", sessionSigs);
const authSig = sessionSigs[Object.keys(sessionSigs)[0]];
console.log("authSig", authSig);