Overview
zkLogin is a Sui primitive that allows users to transact on Sui using the OAuth login flows they’re familiar with, eliminating the friction of handling cryptographic keys or remembering mnemonics. zkLogin can be thought of as a two-factor authentication scheme, since sending a transaction requires both a credential from a recent OAuth login and a salt managed by someone other than the OAuth provider (in this case, Shinami). To learn more, see the Sui Foundation’s zkLogin doc. You’ll find API endpoints and key usage notes below. If you ever need help you can reach out to us.Use Cases
Core use cases include app-managed NFTs or closed-loop tokens. For a breakdown of the wallets we offer and wallet use-cases, see our high-level guide.Authentication, Rate Limits, and Error Handling
Authentication You authenticate via an access key passed in a header (‘X-Api-Key: ACCESS_KEY’) or in the request url, e.g.https://api.us1.shinami.com/sui/zkprover/v1/ACCESS_KEY. We recommend using a request header and not putting access keys in your request URLs for reduced visibility (in logs, etc). These steps are done automatically by our TypeScript SDK.
For more information, including how to set up an access key with Wallet Services rights, see our Authentication and API Keys guide.
Error Handling
See our Error Reference for guidance on the errors you may receive from our services, including a section on errors specific to the zkLogin wallet API.
Rate Limits
When you surpass the QPS limit for a key, we return a JSON-RPC error code -32010. We recommend implementing retries with a backoff to handle any rate limits errors that arise. You can also adjust the rate limits of your keys to better balance your QPS allotment across your keys.
We also have a limit of two zk proofs per address per minute. When you hit this limit, we return a JSON-RPC code -32012.
zkLogin Addresses
A zkLogin wallet address is derived fromiss, aud, sub, salt in the OpenID connect response, where:
iss: The OpenID provider.aud: The unique identifier assigned to your application by the OpenID provider.sub: The OpenID provider’s locally unique and never reassigned identifier for the user.salt: A consistent, ideally unique, value used to unlink the OpenID identifier with the on-chain address.
Tutorial + SDKs
The endpoints below show sample requests using our TypeScript SDK (in addition to cURL). We also have a Next.js zkLogin SDK, which aims to provide full-stack support for building user authentication and Sui transaction execution into your Next.js application, using zkLogin primitives. We built a Next.js starter template to quickly get you off the ground using this SDK. Even if you are starting with an existing Next.js application, it’s recommended to check out that example as a reference end-to-end implementation. Our Next.js tutorial has guidance on running our zkLogin app starter template.zkLogin wallet service methods
shinami_zkw_getOrCreateZkLoginWallet
Retrieves a zkLogin wallet along with its associated salt, creating a new wallet if necessary. This method provides the option to create and use multiple zkLogin wallets per (user, OAuth provider) pair by using the optionalsubWallet parameter. Note that your users will already have a different zkLogin wallet for each OAuth provider they use, whose jwt you pass to this method (see zkLogin Addresses for more details).
On the free tier you have a limit of wallet creations per month as shown on the “Sui Wallet Services” tab of the billing page in your dashboard (where you can also see how to upgrade if needed). If you hit this limit, you will get a JSON-RPC code -32012 and should not retry. All other wallet operations will still work for the month, like signing with wallets you’ve already created.
Request Parameters
Example Request Template
The TypeScript example uses the Shinami Clients SDK, which you can install with:
{{name}} with the actual value for that name.
zkProver service methods
shinami_zkp_createZkLoginProof
Generate a zkLogin proof prior to signing and executing a transaction. The example below uses the Shinami Clients SDK. Notes:- Devnet has a different zkey than Testnet and Mainnet. Shinami’s zk prover currently only works with Testnet and Mainnet.
- We have a limit of two zk proofs per address per minute. When you hit this limit, we return a JSON-RPC code
-32012.
Example Request Template
The TypeScript example uses the Shinami Clients SDK, which you can install with:
{{name}} with the actual value for that name.
Appendix
Common issues
JSON RPC -32002 on transaction execution (Invalid user signature)
Example errorsub value, and I was retrieving it as undefined from session storage when generating my address seed. Once I printed out my key variable values (sub, aud, salt, maxEpoch, ephemeral Keypair public key or address) at the time of fetching the JWT and compared them to the what I fetched from session storage right before generating my address seed and zkLogin signature, I was able to catch and fix the issue. Then my transaction when through without an error.