Skip to main content
Version: v3.x.x

Generating SessionSigs

You can use any wallet or auth method to generate session signatures with the getSessionSigs() function from the Lit SDK. This function generates a session keypair and uses a callback function that signs the generated session key to create an AuthSig that is scoped to specific capabilities.

In order to generate SessionSigs, you need a capacityDelegationAuthSig in signatures. This is because capacity credits are now required on both Habanero and Manzano networks. You can buy or mint capacity credits centrally and delegate them to your users.

You can generate a SessionSig with the help of capacityDelegationAuthSig object in the following way:

import { LitNodeClient } from '@lit-protocol/lit-node-client';
import { LitAccessControlConditionResource, LitAbility } from '@lit-protocol/auth-helpers';

// Create a new ethers.js Wallet instance
const wallet = new Wallet(process.env.YOUR_PRIVATE_KEY);

// Instantiate a LitNodeClient
const litNodeClient = new LitNodeClient({
  litNetwork: "manzano",
  debug: true,
});
await litNodeClient.connect();

let nonce = await litNodeClient.getLatestBlockhash();

/**
 * When the getSessionSigs function is called, it will generate a session key
 * and sign it using a callback function. The authNeededCallback parameter
 * in this function is optional. If you don't pass this callback,
 * then the user will be prompted to authenticate with their wallet.
 */
const authNeededCallback = async ({ chain, resources, expiration, uri }) => {
  const domain = "localhost:3000";
  const message = new SiweMessage({
    domain,
    address: wallet.address,
    statement: "Sign a session key to use with Lit Protocol",
    uri,
    version: "1",
    chainId: "1",
    expirationTime: expiration,
    resources,
    nonce,
  });
  const toSign = message.prepareMessage();
  const signature = await wallet.signMessage(toSign);

  const authSig = {
    sig: signature,
    derivedVia: "web3.eth.personal.sign",
    signedMessage: toSign,
    address: wallet.address,
  };

  return authSig;
};

// Create an access control condition resource
const litResource = new LitAccessControlConditionResource(
  hashedEncryptedSymmetricKeyString
);

const sessionSigs = await litNodeClient.getSessionSigs({
  chain: "ethereum",
  resourceAbilityRequests: [
    {
      resource: litResource,
      ability: LitAbility.AccessControlConditionDecryption
    }
  ],
  authNeededCallback,
  capacityDelegationAuthSig,  // here is where we add the delegation to our session request
});

Note: The nonce should be the latest Ethereum blockhash returned by the nodes during the handshake.

note

If running the SDK in a Server environment, session signatures may not be cached unless you provide an instance of Storage to the runtime. Here is an implementation of LocalStorage which creates local files to persist storage data. If storage is not available, session keys MUST be persisted in an external data store. 

const LocalStorage = require('node-localstorage').LocalStorage;
const litNodeClient = new LitNodeClient({
 litNetwork: "cayenne",
 debug: true,
 storageProvider: {
   provider: new LocalStorage('./storage.test.db'),
 }
});

The getSessionSigs() function will try to create a session key for you and store it in local storage. You can also generate the session key yourself using generateSessionKeyPair() function and store it however you like. You can then pass the generated session key to getSessionSigs() as the sessionKey param.

In the example above, we construct a SIWE message manually, but you can use the checkAndSignAuthMessage when in a browser context.

Resources You Can Request

You can pass an array of "resource ability requests" to the getSessionSigs() function, which will be presented to the user in the SIWE message - read more here about Lit resources and abilities. The resources and abilities requested by the session key must be narrower or equal to the capabilities granted to it per the session capability object specified in the inner AuthSig.

When session capability objects are omitted from the getSessionSigs() function call, the SDK will generate a session capability object with wildcard permissions against all of the resources in that category by default, i.e. ability to perform operations against all access control conditions. Read more here about how to create custom session capability objects.

Clearing Local Storage

If you want to clear the session key stored in the browser local storage, you can call the disconnectWeb3 method.