-
Notifications
You must be signed in to change notification settings - Fork 50
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feature Request] enhance getPepper
function to support offchain Keyless account verification
#535
Comments
@yeptos, you are not proposing a change to the way peppers are derived, correct? Just a change to an SDK's function signature? Specifically, you are asking: instead of taking an @heliuchuan, we could do this, no? But @yeptos, why not just mock an FWIW, the pepper service API already works like you want (see here) |
@yeptos what do you think of an ability to construct a ephemeralKeyPair without a privatekey and be able to use that instead? |
Also how are you passing in the non-sensitive keypair data to off-chain services? Asking to better understand what would be the best solution |
@alinush hi Alin, you're right, this proposal is merely about changing the function in the SDK so it supports what I believe is a common use case for developers.
Yes.
Yes it's already possible and our team is not currently blocked by this. But I just hope the SDK can be made more straightforward so other developers can use the function without needing a workaround. |
sounds good to me!
The offchain authentication flow is roughly as following:
|
🚀 Feature Request Description
We propose modifying the
getPepper
function (keyless.ts#L33-58) to:EphemeralKey
instance.pepper
andaddress
values from the pepper service API response.Motivation
This improvement supports use cases similar to ERC-4361 Sign-In with Ethereum, allowing off-chain backend services to authorize users by verifying ownership of a Keyless account without handling sensitive private key data.
Pitch
Describe the solution you would like
Modify the signature of
getPepper
function as something like the following and update the implementation:Key changes
ephemeralKeyPair
withephemeralPublicKey
,expiryInSeconds
, andblindFactor
.pepper
andaddress
.Considerations
Changing the existing
getPepper
function would result in a breaking change. Adding a new function with a different signature could avoid this, but likely an overkill. Given that Keyless adoption (excluding Aptos Connect) is still limited, now could be the ideal time to make this change.Describe alternatives you've considered
One can simply make the API call without using the SDK, but it is not very good for developer experience and consistency.
Are you willing to open a pull request? (See CONTRIBUTING)
Yes. However, at least the function signature should be discussed with the maintainer of the codebase.
Additional context
The text was updated successfully, but these errors were encountered: