llms.txt
@mysten/sui v2.0 and a new dApp Kit are here! Check out the migration guide
Mysten Labs SDKs

ZkLogin

Zero-knowledge authentication with OAuth providers on Sui.

Utilities for working with zkLogin. Currently contains functionality to create and parse zkLogin signatures and compute zkLogin addresses.

To parse a serialized zkLogin signature

import { parseZkLoginSignature } from '@mysten/sui/zklogin';

const parsedSignature = await parseZkLoginSignature('BQNNMTY4NjAxMzAyO....');

Use getZkLoginSignature to serialize a zkLogin signature.

import { getZkLoginSignature } from '@mysten/sui/zklogin';

const serializedSignature = await getZkLoginSignature({ inputs, maxEpoch, userSignature });

To compute the address for a given address seed and iss you can use computeZkLoginAddressFromSeed

import { computeZkLoginAddressFromSeed } from '@mysten/sui/zklogin';

const address = computeZkLoginAddressFromSeed(0n, 'https://accounts.google.com');

To compute an address from jwt:

import { jwtToAddress } from '@mysten/sui/zklogin';

const address = jwtToAddress(jwtAsString, salt);

To compute an address from a parsed jwt:

import { computeZkLoginAddress } from '@mysten/sui/zklogin';

const address = computeZkLoginAddress({
	claimName,
	claimValue,
	iss,
	aud,
	userSalt: BigInt(salt),
});

Computing the address seed

To compute the address seed directly, use genAddressSeed:

import { genAddressSeed } from '@mysten/sui/zklogin';

const addressSeed = genAddressSeed(userSalt, claimName, claimValue, aud);

The claimName, claimValue, and aud parameters must not contain backslashes (\), double-quotes ("), or control characters (codepoints below 0x20). genAddressSeed throws an error if any of these characters are present, as they indicate improperly escaped JSON values. Ensure you pass the raw, unescaped claim values (for example, as decoded from the JWT payload), not JSON-encoded strings.

To use zkLogin inside a multisig, see the Multisig Guide for more details.

Legacy addresses

When zklogin was first introduced, there was an inconsistency in how the address seed was computed. For backwards compatibility reasons there are 2 valid addresses for a given set of inputs. Methods that produce zklogin addresses all accept a legacyAddress boolean flag, either as their last parameter, or in their options argument.

import {
	computeZkLoginAddress,
	computeZkLoginAddressFromSeed,
	jwtToAddress,
	toZkLoginPublicIdentifier,
	genAddressSeed,
} from '@mysten/sui/zklogin';

const address = jwtToAddress(jwtAsString, salt, true);
const address = computeZkLoginAddressFromSeed(0n, 'https://accounts.google.com', true);
const address = computeZkLoginAddress({
	claimName,
	claimValue,
	iss,
	aud,
	userSalt: BigInt(salt),
	legacyAddress: true,
});
const address = toZkLoginPublicIdentifier(
	genAddressSeed(userSalt, claimName, claimValue, aud),
	iss,
	{ legacyAddress: true },
).toSuiAddress();
Edit on GitHub

BCS

Binary Canonical Serialization for encoding Sui Move types.

Transaction Executors

Manage transaction execution with queuing and parallel strategies.

On this page

Computing the address seedLegacy addresses