LIT-Protocol · Ansonhkg · Aug 13, 2025 · Aug 13, 2025 · Aug 13, 2025 · Aug 14, 2025
@@ -3,6 +3,7 @@ export * from './lib/generate-auth-sig';
 export * from './lib/models';
 export * from './lib/recap/recap-session-capability-object';
 export * from './lib/recap/resource-builder';
+export * from './lib/recap/utils';
 export * from './lib/resources';
 export * from './lib/session-capability-object';
 export * from './lib/siwe/create-siwe-message';

@@ -54,3 +54,55 @@ export function getRecapNamespaceAndAbility(litAbility: LIT_ABILITY_VALUES): {
       );
   }
 }
+
+export const RESOLVED_AUTH_CONTEXT_PREFIX = 'lit-resolvedauthcontext://';
+const PAYMENT_DELEGATION_PREFIX = 'lit-paymentdelegation://';
+const PKP_PREFIX = 'lit-pkp://';
+const ACC_PREFIX = 'lit-accesscontrolcondition://';
+
+/**
+ * Reverse mapping from Recap namespace/ability to LitAbility.
+ * Returns null when the recap entry only carries metadata (eg. resolved auth context).
+ */
+export function getLitAbilityFromRecap(params: {
+  recapNamespace: string;
+  recapAbility: string;
+  resourceKey: string;
+}): LIT_ABILITY_VALUES | null {
+  const { recapNamespace, recapAbility, resourceKey } = params;
+
+  if (recapNamespace === LIT_NAMESPACE.Threshold) {
+    if (recapAbility === LIT_RECAP_ABILITY.Decryption) {
+      return LIT_ABILITY.AccessControlConditionDecryption;
+    }
+
+    if (recapAbility === LIT_RECAP_ABILITY.Execution) {
+      return LIT_ABILITY.LitActionExecution;
+    }
+
+    if (recapAbility === LIT_RECAP_ABILITY.Signing) {
+      if (resourceKey.startsWith(PKP_PREFIX)) {
+        return LIT_ABILITY.PKPSigning;
+      }
+      if (resourceKey.startsWith(ACC_PREFIX)) {
+        return LIT_ABILITY.AccessControlConditionSigning;
+      }
+    }
+  }
+
+  if (
+    recapNamespace === LIT_NAMESPACE.Auth &&
+    recapAbility === LIT_RECAP_ABILITY.Auth
+  ) {
+    if (resourceKey.startsWith(PAYMENT_DELEGATION_PREFIX)) {
+      return LIT_ABILITY.PaymentDelegation;
+    }
+
+    if (resourceKey.startsWith(RESOLVED_AUTH_CONTEXT_PREFIX)) {
+      // Resolved auth context entries only contain metadata.
+      return null;
+    }
+  }
+
+  return null;
+}
@@ -9,8 +9,13 @@ import {
 import { AccessControlConditions, ILitResource } from '@lit-protocol/types';
 import { formatPKPResource } from './utils';
 
+const RESOLVED_AUTH_CONTEXT_PREFIX = 'lit-resolvedauthcontext';
+type InternalResourcePrefix =
+  | LIT_RESOURCE_PREFIX_VALUES
+  | typeof RESOLVED_AUTH_CONTEXT_PREFIX;
+
 abstract class LitResourceBase {
-  abstract resourcePrefix: LIT_RESOURCE_PREFIX_VALUES;
+  abstract resourcePrefix: InternalResourcePrefix;
   public readonly resource: string;
 
   constructor(resource: string) {
@@ -158,6 +163,18 @@ export function parseLitResource(resourceKey: string): ILitResource {
     return new LitActionResource(
       resourceKey.substring(`${LIT_RESOURCE_PREFIX.LitAction}://`.length)
     );
+  } else if (resourceKey.startsWith(RESOLVED_AUTH_CONTEXT_PREFIX)) {
+    const resource = resourceKey.substring(
+      `${RESOLVED_AUTH_CONTEXT_PREFIX}://`.length
+    );
+
+    return {
+      resourcePrefix: RESOLVED_AUTH_CONTEXT_PREFIX,
+      resource,
+      getResourceKey: () => `${RESOLVED_AUTH_CONTEXT_PREFIX}://${resource}`,
+      toString: () => `${RESOLVED_AUTH_CONTEXT_PREFIX}://${resource}`,
+      isValidLitAbility: () => false,
+    } as unknown as ILitResource;
   }
   throw new InvalidArgumentException(
     {

@@ -89,6 +89,33 @@ export { getAuthIdByAuthMethod } from './lib/authenticators/helper/utils';
  * @returns {SessionKeyPair} The generated session key pair.
  */
 export { generateSessionKeyPair } from './lib/AuthManager/utils/generateSessionKeyPair';
+export { validateDelegationAuthSig } from './lib/AuthManager/utils/validateDelegationAuthSig';
+
+/**
+ * Utility function to generate a PKP delegation auth signature for a given session key pair.
+ * The PKP will sign the session key delegation message via Lit nodes.
+ * This function is useful for server-side scenarios where you want to pre-generate
+ * PKP session materials and reuse them across multiple requests.
+ */
+export { generatePkpDelegationAuthSig } from './lib/AuthManager/authAdapters/generatePkpDelegationAuthSig';
+
+/**
+ * Utility function to generate an EOA delegation auth signature for a given session key pair.
+ * The EOA wallet will sign the session key delegation message directly.
+ * This function is useful for server-side scenarios where you want to pre-generate
+ * EOA session materials and reuse them across multiple requests.
+ */
+export { generateEoaDelegationAuthSig } from './lib/AuthManager/authAdapters/generateEoaDelegationAuthSig';
+
+/**
+ * Utility function to create a PKP auth context from pre-generated session materials.
+ * This is a streamlined API for server-side scenarios where session materials
+ * are generated once and reused across multiple requests.
+ *
+ * This function only requires the essential parameters (pkpPublicKey, sessionKeyPair, delegationAuthSig)
+ * and extracts auth config information from the delegation signature automatically.
+ */
+export { getPkpAuthContextFromPreGeneratedAdapter } from './lib/AuthManager/authAdapters/getPkpAuthContextFromPreGeneratedAdapter';
 
 // ============================== Authenticators ==============================
 export {

@@ -1,6 +1,6 @@
 import { getChildLogger } from '@lit-protocol/logger';
 import { AuthData, HexPrefixedSchema } from '@lit-protocol/schemas';
-// import { AuthSig, SessionKeyPair } from '@lit-protocol/types';
+import { AuthSig, SessionKeyPair } from '@lit-protocol/types';
 import { z } from 'zod';
 import { AuthConfigV2 } from '../authenticators/types';
 import type { LitAuthStorageProvider } from '../storage/types';
@@ -11,7 +11,9 @@ import {
 import { getPkpAuthContextAdapter } from './authAdapters/getPkpAuthContextAdapter';
 import { AuthConfigSchema } from './authContexts/BaseAuthContextType';
 import { getCustomAuthContextAdapter } from './authAdapters/getCustomAuthContextAdapter';
-import { hexToBigInt, keccak256, toBytes } from 'viem';
+import { generatePkpDelegationAuthSig } from './authAdapters/generatePkpDelegationAuthSig';
+import { generateEoaDelegationAuthSig } from './authAdapters/generateEoaDelegationAuthSig';
+import { getPkpAuthContextFromPreGeneratedAdapter } from './authAdapters/getPkpAuthContextFromPreGeneratedAdapter';
 
 export interface AuthManagerParams {
   storage: LitAuthStorageProvider;
@@ -77,12 +79,19 @@ export const createAuthManager = (authManagerParams: AuthManagerParams) => {
       cache?: {
         delegationAuthSig?: boolean;
       };
-      // Optional pre-generated auth materials for server-side usage
-      // sessionKeyPair?: SessionKeyPair;
-      // delegationAuthSig?: AuthSig;
+      sessionKeyPair?: SessionKeyPair;
+      delegationAuthSig?: AuthSig;
     }) => {
       return getPkpAuthContextAdapter(authManagerParams, params);
     },
+    createPkpAuthContextFromPreGenerated: (params: {
+      pkpPublicKey: z.infer<typeof HexPrefixedSchema>;
+      sessionKeyPair: SessionKeyPair;
+      delegationAuthSig: AuthSig;
+      authData?: AuthData;
+    }) => {
+      return getPkpAuthContextFromPreGeneratedAdapter(params);
+    },
     createCustomAuthContext: (params: {
       // authData: AuthData;
       pkpPublicKey: z.infer<typeof HexPrefixedSchema>;
@@ -104,5 +113,22 @@ export const createAuthManager = (authManagerParams: AuthManagerParams) => {
 
       return getCustomAuthContextAdapter(authManagerParams, params);
     },
+    generatePkpDelegationAuthSig: (params: {
+      pkpPublicKey: z.infer<typeof HexPrefixedSchema>;
+      authData: AuthData;
+      sessionKeyPair: SessionKeyPair;
+      authConfig: AuthConfigV2;
+      litClient: BaseAuthContext<any>['litClient'];
+    }) => {
+      return generatePkpDelegationAuthSig(authManagerParams, params);
+    },
+    generateEoaDelegationAuthSig: (params: {
+      account: any; // ExpectedAccountOrWalletClient type
+      sessionKeyPair: SessionKeyPair;
+      authConfig: AuthConfigV2;
+      litClient: BaseAuthContext<any>['litClient'];
+    }) => {
+      return generateEoaDelegationAuthSig(authManagerParams, params);
+    },
   };
 };
@@ -0,0 +1,109 @@
+import { AUTH_METHOD_TYPE } from '@lit-protocol/constants';
+import { getChildLogger } from '@lit-protocol/logger';
+import { AuthConfigSchema } from '@lit-protocol/schemas';
+import { AuthSig, SessionKeyPair } from '@lit-protocol/types';
+import { z } from 'zod';
+import { AuthConfigV2 } from '../../authenticators/types';
+import { LitAuthData } from '../../types';
+import { AuthManagerParams } from '../auth-manager';
+import {
+  ExpectedAccountOrWalletClient,
+  getEoaAuthContext,
+} from '../authContexts/getEoaAuthContext';
+import { processResources } from '../utils/processResources';
+import { WalletClientAuthenticator } from '../../authenticators/WalletClientAuthenticator';
+import { ViemAccountAuthenticator } from '../../authenticators/ViemAccountAuthenticator';
+
+const _logger = getChildLogger({
+  module: 'generateEoaDelegationAuthSig',
+});
+
+/**
+ * Generates an EOA delegation auth signature for a given session key pair.
+ * The EOA wallet will sign the session key delegation message directly.
+ * This function is useful for server-side scenarios where you want to pre-generate
+ * EOA session materials and reuse them across multiple requests.
+ *
+ * @param upstreamParams - Auth manager parameters including storage
+ * @param params - Parameters for generating the EOA delegation signature
+ * @returns The delegation auth signature (AuthSig) signed by the EOA wallet
+ */
+export async function generateEoaDelegationAuthSig(
+  upstreamParams: AuthManagerParams,
+  params: {
+    account: ExpectedAccountOrWalletClient;
+    sessionKeyPair: SessionKeyPair;
+    authConfig: AuthConfigV2;
+    litClient: {
+      getContext: () => Promise<any>;
+    };
+  }
+): Promise<AuthSig> {
+  _logger.info(
+    {
+      hasAccount: !!params.account,
+      hasSessionKeyPair: !!params.sessionKeyPair,
+    },
+    'generateEoaDelegationAuthSig: Starting EOA delegation signature generation'
+  );
+
+  const _resources = processResources(params.authConfig.resources);
+
+  // Get network context from litClient for nonce
+  const litClientCtx = await params.litClient.getContext();
+
+  // Create a minimal LitAuthData structure with the provided session key pair
+  const litAuthData: LitAuthData = {
+    sessionKey: {
+      keyPair: params.sessionKeyPair,
+      expiresAt: params.authConfig.expiration!,
+    },
+    // For EOA, we use EthWallet as the auth method type
+    authMethodType: AUTH_METHOD_TYPE.EthWallet,
+  };
+
+  // Determine the authenticator based on account type
+  let authenticatorClass;
+  if (
+    'account' in params.account &&
+    params.account.account?.type === 'json-rpc'
+  ) {
+    // WalletClient
+    authenticatorClass = WalletClientAuthenticator;
+  } else {
+    // Viem Account
+    authenticatorClass = ViemAccountAuthenticator;
+  }
+
+  // Create auth config for validation
+  const authConfigForValidation = {
+    ...params.authConfig,
+    resources: _resources,
+  };
+  const validatedAuthConfig = AuthConfigSchema.parse(authConfigForValidation);
+
+  // Call getEoaAuthContext which will generate the delegation signature
+  const authContext = await getEoaAuthContext({
+    authentication: {
+      authenticator: authenticatorClass,
+      account: params.account,
+    },
+    authConfig: validatedAuthConfig,
+    deps: {
+      nonce: litClientCtx.latestBlockhash,
+      authData: litAuthData,
+    },
+  });
+
+  // Get the delegation signature from the auth context
+  const delegationAuthSig = await authContext.authNeededCallback();
+
+  _logger.info(
+    {
+      hasSignature: !!delegationAuthSig,
+    },
+    'generateEoaDelegationAuthSig: EOA delegation signature generated successfully'
+  );
+
+  return delegationAuthSig as AuthSig;
+}