Facilitator v2: Add local signing support by reusing EVM_PRIVATE_KEY (#140) (#141)

* Facilitator v2: Add local signing support by reusing EVM_PRIVATE_KEY

This change enables facilitator v2 to send transactions on standard RPC
providers by using local signing with private keys instead of requiring
unlocked accounts on the node.

Changes:
- V2Config now includes privateKey field from EVM_PRIVATE_KEY env var
- FacilitatorConfig: make signer optional, add privateKey field
- createWalletClientForNetwork: support privateKey for local signing
- Update /supported endpoint to check for either signer or privateKey
- All route dependencies updated to pass v2PrivateKey

Fixes #140

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* Address PR review comments: make signer optional, improve validation

Changes:
- Make signer parameter optional in createWalletClientForNetwork
- Allow either signer or privateKey (not require both)
- Support privateKey with or without 0x prefix
- Add validation in createWalletClientForNetwork
- Update tests to cover new validation logic

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: jolestar

facilitator/src/config.ts

@@ -81,8 +81,10 @@ export interface FeeClaimConfig {
 export interface V2Config {
   /** Enable v2 support (requires FACILITATOR_ENABLE_V2=true) */
   enabled: boolean;
-  /** Facilitator signer address for v2 */
+  /** Facilitator signer address for v2 (optional, will be derived from privateKey if not provided) */
   signer?: string;
+  /** Private key for v2 signing (reuses EVM_PRIVATE_KEY from v1) */
+  privateKey?: string;
   /** Allowed routers per network for v2 (CAIP-2 network IDs) */
   allowedRouters?: Record<string, string[]>;
 }
@@ -589,10 +591,15 @@ function parseV2Config(): V2Config {
     return { enabled: false };
   }
 
-  // Parse v2 signer (required when v2 is enabled)
+  // Parse v2 signer (optional, for unlocked account mode)
   const signer = process.env.FACILITATOR_V2_SIGNER;
-  if (!signer) {
-    throw new Error("FACILITATOR_V2_SIGNER is required when FACILITATOR_ENABLE_V2=true");
+
+  // Get private key from v1's EVM_PRIVATE_KEY for local signing
+  const privateKey = process.env.EVM_PRIVATE_KEY;
+
+  // Either signer or privateKey must be provided
+  if (!signer && !privateKey) {
+    throw new Error("FACILITATOR_V2_SIGNER or EVM_PRIVATE_KEY is required when FACILITATOR_ENABLE_V2=true");
   }
 
   // Parse v2 allowed routers (optional)
@@ -620,6 +627,7 @@ function parseV2Config(): V2Config {
   return {
     enabled: true,
     signer,
+    privateKey,
     allowedRouters,
   };
 }

facilitator/src/index.ts

@@ -188,6 +188,7 @@ async function main() {
         rpcUrls: config.dynamicGasPrice.rpcUrls,
         enableV2: config.v2.enabled,
         v2Signer: config.v2.signer,
+        v2PrivateKey: config.v2.privateKey,
         allowedRouters: config.v2.allowedRouters,
       },
       requestBodyLimit: config.server.requestBodyLimit,

facilitator/src/routes/settle.ts

@@ -45,8 +45,10 @@ export interface SettleRouteDependencies {
   rpcUrls?: Record<string, string>;
   /** Enable v2 support (requires FACILITATOR_ENABLE_V2=true) */
   enableV2?: boolean;
-  /** Facilitator signer address for v2 */
+  /** Facilitator signer address for v2 (optional, will be derived from privateKey if not provided) */
   v2Signer?: string;
+  /** Private key for v2 local signing (reuses EVM_PRIVATE_KEY from v1) */
+  v2PrivateKey?: string;
   /** Allowed routers per network for v2 */
   allowedRouters?: Record<string, string[]>;
 }
@@ -79,6 +81,7 @@ export function createSettleRoutes(
     {
       enableV2: deps.enableV2,
       signer: deps.v2Signer,
+      privateKey: deps.v2PrivateKey,
       allowedRouters: deps.allowedRouters,
       rpcUrls: deps.rpcUrls,
     }

facilitator/src/routes/supported.ts

@@ -16,8 +16,10 @@ export interface SupportedRouteDependencies {
   poolManager: PoolManager;
   /** Enable v2 support (requires FACILITATOR_ENABLE_V2=true) */
   enableV2?: boolean;
-  /** Facilitator signer address for v2 */
+  /** Facilitator signer address for v2 (optional, will be derived from privateKey if not provided) */
   v2Signer?: string;
+  /** Private key for v2 local signing (reuses EVM_PRIVATE_KEY from v1) */
+  v2PrivateKey?: string;
   /** Allowed routers per network for v2 */
   allowedRouters?: Record<string, string[]>;
 }
@@ -29,7 +31,8 @@ export interface SupportedRouteDependencies {
  * @returns true if v2 is available for advertisement
  */
 function isV2Available(deps: SupportedRouteDependencies): boolean {
-  return !!(deps.enableV2 && deps.v2Signer);
+  // V2 is available when enabled AND has either signer or privateKey (for local signing)
+  return !!(deps.enableV2 && (deps.v2Signer || deps.v2PrivateKey));
 }
 
 /**

facilitator/src/routes/verify.ts

@@ -37,8 +37,10 @@ export interface VerifyRouteDependencies {
   rpcUrls?: Record<string, string>;
   /** Enable v2 support (requires FACILITATOR_ENABLE_V2=true) */
   enableV2?: boolean;
-  /** Facilitator signer address for v2 */
+  /** Facilitator signer address for v2 (optional, will be derived from privateKey if not provided) */
   v2Signer?: string;
+  /** Private key for v2 local signing (reuses EVM_PRIVATE_KEY from v1) */
+  v2PrivateKey?: string;
   /** Allowed routers per network for v2 */
   allowedRouters?: Record<string, string[]>;
 }
@@ -70,6 +72,7 @@ export function createVerifyRoutes(
     {
       enableV2: deps.enableV2,
       signer: deps.v2Signer,
+      privateKey: deps.v2PrivateKey,
       allowedRouters: deps.allowedRouters,
       rpcUrls: deps.rpcUrls,
     }

facilitator/src/version-dispatcher.ts

@@ -26,8 +26,10 @@ const logger = getLogger();
 export interface VersionDispatcherConfig {
   /** Enable v2 support (requires FACILITATOR_ENABLE_V2=true) */
   enableV2?: boolean;
-  /** Facilitator signer address for v2 */
+  /** Facilitator signer address for v2 (optional, will be derived from privateKey if not provided) */
   signer?: string;
+  /** Private key for v2 local signing (reuses EVM_PRIVATE_KEY from v1) */
+  privateKey?: string;
   /** Allowed routers per network for v2 */
   allowedRouters?: Record<string, string[]>;
   /** RPC URLs per network for both v1 and v2 */
@@ -73,9 +75,10 @@ export class VersionDispatcher {
     private config: VersionDispatcherConfig = {}
   ) {
     // Initialize v2 facilitator if enabled
-    if (this.config.enableV2 && this.config.signer) {
+    if (this.config.enableV2 && (this.config.signer || this.config.privateKey)) {
       this.v2Facilitator = createRouterSettlementFacilitator({
         signer: this.config.signer,
+        privateKey: this.config.privateKey,
         allowedRouters: this.config.allowedRouters,
         rpcUrls: this.config.rpcUrls,
       });

typescript/packages/facilitator_v2/src/facilitator.ts

@@ -16,7 +16,7 @@ import { FacilitatorValidationError, SettlementRouterError } from "./types.js";
 import { isSettlementMode, parseSettlementExtra, getNetworkConfig } from "@x402x/core_v2";
 import { calculateCommitment } from "@x402x/core_v2";
 import { settleWithSettlementRouter, createPublicClientForNetwork, createWalletClientForNetwork, waitForSettlementReceipt } from "./settlement.js";
-import { verifyTypedData, parseErc6492Signature } from "viem";
+import { verifyTypedData, parseErc6492Signature, privateKeyToAccount } from "viem";
 
 // EIP-712 authorization types for EIP-3009
 const authorizationTypes = {
@@ -126,10 +126,19 @@ export class RouterSettlementFacilitator implements SchemeNetworkFacilitator {
 
   /**
    * Get signer addresses for the network
+   * Derives from privateKey if signer address not explicitly provided
    */
   getSigners(network: string): string[] {
     validateNetwork(network);
-    return [this.config.signer];
+    // Use provided signer or derive from private key
+    if (this.config.signer) {
+      return [this.config.signer];
+    }
+    if (this.config.privateKey) {
+      const account = privateKeyToAccount(this.config.privateKey as `0x${string}`);
+      return [account.address];
+    }
+    throw new Error("Either signer or privateKey must be provided in FacilitatorConfig");
   }
 
   /**
@@ -502,7 +511,13 @@ export class RouterSettlementFacilitator implements SchemeNetworkFacilitator {
     payload: PaymentPayload,
     requirements: PaymentRequirements
   ): Promise<SettleResponse> {
-    const walletClient = createWalletClientForNetwork(requirements.network, this.config.signer, this.config.rpcUrls);
+    const walletClient = createWalletClientForNetwork(
+      requirements.network,
+      this.config.signer,
+      this.config.rpcUrls,
+      undefined,
+      this.config.privateKey
+    );
     const publicClient = createPublicClientForNetwork(requirements.network, this.config.rpcUrls);
 
     try {

typescript/packages/facilitator_v2/src/settlement.ts

@@ -9,10 +9,12 @@ import {
   createPublicClient,
   createWalletClient,
   http,
+  privateKeyToAccount,
   type PublicClient,
   type WalletClient,
   type Chain,
   type Transport,
+  type Account,
 } from "viem";
 import type { SettlementRouterParams, SettleResponse, FacilitatorConfig } from "./types.js";
 import { SETTLEMENT_ROUTER_ABI } from "./types.js";
@@ -53,12 +55,15 @@ export function createPublicClientForNetwork(
 
 /**
  * Create viem wallet client for a network
+ * If privateKey is provided, uses local signing (works with standard RPC providers)
+ * If only signer address is provided, requires node to have the account unlocked
  */
 export function createWalletClientForNetwork(
   network: string,
-  signer: Address,
+  signer?: Address,
   rpcUrls?: Record<string, string>,
-  transport?: Transport
+  transport?: Transport,
+  privateKey?: string
 ): WalletClient {
   const networkConfig = getNetworkConfig(network);
 
@@ -69,8 +74,24 @@ export function createWalletClientForNetwork(
     throw new Error(`No RPC URL available for network: ${network}`);
   }
 
+  // Validate that at least one of signer or privateKey is provided
+  if (!signer && !privateKey) {
+    throw new Error("Either signer or privateKey must be provided to create wallet client");
+  }
+
+  // Use private key for local signing if provided, otherwise use signer address
+  let account: Account | Address;
+  if (privateKey) {
+    account = privateKeyToAccount(privateKey as Hex);
+  } else if (signer) {
+    account = signer;
+  } else {
+    // This should never happen due to the validation above
+    throw new Error("Failed to create account: neither signer nor privateKey provided");
+  }
+
   return createWalletClient({
-    account: signer,
+    account,
     chain: networkConfig as Chain,
     transport: transport || http(rpcUrl),
   });
@@ -266,7 +287,9 @@ export async function settleWithSettlementRouter(
     const walletClient = createWalletClientForNetwork(
       paymentRequirements.network,
       config.signer,
-      config.rpcUrls
+      config.rpcUrls,
+      undefined,
+      config.privateKey
     );
 
     // Execute settlement

typescript/packages/facilitator_v2/src/types.ts

@@ -42,8 +42,10 @@ export interface SettleResponse {
  * Configuration for RouterSettlementFacilitator
  */
 export interface FacilitatorConfig {
-  /** Signer address for facilitating settlements */
-  signer: Address;
+  /** Signer address for facilitating settlements (optional, will be derived from privateKey if not provided) */
+  signer?: Address;
+  /** Private key for local signing (enables sending transactions on standard RPC providers) */
+  privateKey?: string;
   /** Allowed SettlementRouter addresses per network */
   allowedRouters?: Record<string, string[]>;
   /** Optional RPC URLs per network */

typescript/packages/facilitator_v2/src/validation.ts

@@ -155,15 +155,35 @@ export function validateNetwork(network: string): Network {
  */
 export function validateFacilitatorConfig(config: {
   signer?: string;
+  privateKey?: string;
   allowedRouters?: Record<string, string[]>;
   rpcUrls?: Record<string, string>;
 }): void {
-  if (!config.signer) {
-    throw new FacilitatorValidationError("Missing signer in facilitator configuration");
+  // Either signer or privateKey must be provided
+  if (!config.signer && !config.privateKey) {
+    throw new FacilitatorValidationError("Missing signer or privateKey in facilitator configuration");
   }
 
-  if (!isValidEthereumAddress(config.signer)) {
-    throw new FacilitatorValidationError(`Invalid signer address: ${config.signer}`);
+  // Validate signer if provided
+  if (config.signer) {
+    if (!isValidEthereumAddress(config.signer)) {
+      throw new FacilitatorValidationError(`Invalid signer address: ${config.signer}`);
+    }
+  }
+
+  // Validate private key if provided
+  if (config.privateKey) {
+    // Private key should be a 32-byte hex string (64 hex chars), with optional 0x prefix
+    const privateKey = config.privateKey;
+    const hasPrefix = privateKey.startsWith("0x") || privateKey.startsWith("0X");
+    const hexBody = hasPrefix ? privateKey.slice(2) : privateKey;
+
+    // Validate that it's a valid 64-character hex string (32 bytes)
+    if (!/^[a-fA-F0-9]{64}$/.test(hexBody)) {
+      throw new FacilitatorValidationError(
+        "Invalid private key format: must be 32-byte hex string (64 hex chars, with optional 0x prefix)"
+      );
+    }
   }
 
   if (config.allowedRouters) {