Merge branch 'naga' into chore/doc-updates

Author: Ansonhkg

docs/governance/overview.mdx

@@ -2,6 +2,12 @@
 title: "Overview"
 ---
 
+<Tip>
+$LITKEY and the Staking Contest to Select the Genesis Node Operator Set for the Naga Mainnet are now LIVE.
+
+[Learn More](https://spark.litprotocol.com/litkey-is-live/).
+</Tip>
+
 Lit Protocol has established an initial governance system to guide and organize its development and operations. This system exists to manage decision-making related to the core protocol, the infrastructure that supports it, and the broader ecosystem of applications built on top of it.
 
 ## Purpose

docs/index.mdx

@@ -4,13 +4,9 @@ description: 'Decentralized key management and private compute'
 ---
 
 <Tip>
-We're excited to announce that Vincent is now live! Vincent is a powerful toolkit that enables secure web3 capabilities for AI agents through:
+$LITKEY and the Staking Contest to Select the Genesis Node Operator Set for the Naga Mainnet are now LIVE.
 
-- Secure Delegation: Safely delegate wallet operations to AI agents while maintaining full control
-- Customizable Tools: Define and manage specific web3 actions your agents can perform
-- Policy Controls: Set granular rules and restrictions for how agents interact with web3
-
-Check out the [Vincent documentation](https://docs.heyvincent.ai/) to get started!
+[Learn More](https://spark.litprotocol.com/litkey-is-live/).
 </Tip>
 
 # Overview

docs/node-ops/overview.mdx

@@ -2,6 +2,12 @@
 title: "Overview"
 ---
 
+<Tip>
+$LITKEY and the Staking Contest to Select the Genesis Node Operator Set for the Naga Mainnet are now LIVE.
+
+[Learn More](https://spark.litprotocol.com/litkey-is-live/).
+</Tip>
+
 Lit Protocol is secured and operated by a decentralized network of validator nodes. These nodes are responsible for executing the threshold cryptographic operations that underpin the core functionality of the network, including signing, encryption, decryption, and private compute via Lit Actions.
 
 Each node participates in threshold signature multi-party computation (TSS MPC) protocols and operates inside a confidential compute environment (TEE), ensuring that no single operator can access plaintext key material or violate policy constraints.
@@ -14,4 +20,4 @@ A staking and delegation contest will be run to select the genesis validator set
 
 To whitelist your node, visit https://staking.litprotocol.com/ 
 
-Refer to the next page for details on hardware specs, minimum requirements, and operational guidelines for node operators. 
+Refer to the next page for details on hardware specs, minimum requirements, and operational guidelines for node operators. 

docs/sdk/getting-started/auth-services.mdx

@@ -56,6 +56,25 @@ Lit hosts default Auth Service instances so you can build without deploying infr
   configuration.
 </Note>
 
+## Payment Delegation APIs
+
+The Auth Service also exposes lightweight endpoints that sponsor user requests on the network. These are the same APIs the Lit SDK calls when you use `litClient.authService.registerPayer` / `delegateUsers` from the Payment Manager guide.
+
+- `POST /register-payer`
+  - Headers: `x-api-key`.
+  - Behaviour: generates a random `payerSecretKey`, hashes it with the API key, and derives a child wallet from `LIT_DELEGATION_ROOT_MNEMONIC`.
+  - Response: `{ success, payerWalletAddress, payerSecretKey }`. The service **does not** persist the secret—you must store it securely (KMS, vault, etc.).
+  - Rotation: call the endpoint again with the same API key to rotate the secret and derive a new child wallet.
+- `POST /add-users`
+  - Headers: `x-api-key`, `payer-secret-key`; body is a JSON array of user addresses.
+  - Behaviour: recomputes the same child wallet on the fly and calls `PaymentManager.delegatePaymentsBatch` so the payer sponsors those users.
+
+<Tip>
+  Running the Auth Service yourself keeps the derivation mnemonic and payer secrets inside your infrastructure. The Lit-hosted instance is great for quick starts, but you remain responsible for storing the returned `payerSecretKey`.
+</Tip>
+
+If you prefer not to run an Auth Service at all, you can still sponsor users manually: create a payer wallet, fund it, and call `paymentManager.delegatePayments*` directly from your backend. See [Payment Manager Setup](/sdk/getting-started/payment-manager-setup#sponsoring-your-users-capacity-delegation-replacement) for sample code.
+
 
 ### Install the SDK
 

docs/sdk/getting-started/payment-manager-setup.mdx

@@ -1,11 +1,15 @@
 ---
-title: "Payment Manager Setup"
-description: "Configure payment system for the Lit JS SDK"
+title: 'Payment Manager Setup'
+description: 'Configure payment system for the Lit JS SDK'
 ---
 
 <Warning>
-  ❗️ Currently free on the dev network, so no need to deposit funds. More
-  details coming soon for test and production networks.
+  ❗️ Payment status by network:
+  - **naga-dev** – usage is currently free; no deposits required.
+  - **naga-test** – payments are enabled using test tokens (see faucet link
+    below).
+  - **Mainnet** – coming soon; mainnet payment details will be announced
+    shortly.
 </Warning>
 
 <Note>
@@ -22,9 +26,9 @@ description: "Configure payment system for the Lit JS SDK"
 
 The Payment Manager handles Lit Protocol's payment system - a billing mechanism for decentralized cryptographic services. Users deposit funds to pay for compute resources when accessing core network operations:
 
-- **Encryption/Decryption** - Encrypt data that only authorized users or conditions can decrypt
-- **PKP Signing** - Generate signatures and sign transactions using your PKP wallet
-- **Lit Actions** - Execute serverless JavaScript functions for decentralized computation
+- [Encryption/Decryption](/sdk/auth-context-consumption/encrypt-and-decrypt) - Encrypt data that only authorized users or conditions can decrypt.
+- [PKP Signing](/sdk/auth-context-consumption/pkp-sign) - Generate signatures and sign transactions using your PKP wallet.
+- [Lit Actions](/sdk/auth-context-consumption/execute-js) - Execute serverless JavaScript functions for decentralized computation.
 
 Similar to how you pay AWS for cloud computing, this system ensures the decentralized network can sustain itself and compensate node operators. The Payment Manager allows you to deposit funds, request withdrawals (with security delays), and manage balances for yourself or delegate payment for other users - enabling applications to sponsor their users' costs for a seamless experience.
 
@@ -38,11 +42,12 @@ Similar to how you pay AWS for cloud computing, this system ensures the decentra
   // 1. Create lit client
   const litClient = await createLitClient({ network: nagaTest });
 
-  // 2. Get PaymentManager instance (requires account for transactions)
-  const paymentManager = await litClient.getPaymentManager({
+// 2. Get PaymentManager instance (requires account for transactions)
+const paymentManager = await litClient.getPaymentManager({
   account: yourAccount // viem account instance
-  });
-  ```
+});
+
+````
 
   </Step>
 
@@ -59,7 +64,7 @@ const { data: myAccount } = useWalletClient();
 
 ```typescript viem/accounts
 // 1. import the privateKeyToAccount function from viem/accounts
-import { privateKeyToAccount } from "viem/accounts";
+import { privateKeyToAccount } from 'viem/accounts';
 
 // 2. Convert your private key to a viem account object that can be used for payment operations.
 const myAccount = privateKeyToAccount(process.env.PRIVATE_KEY as `0x${string}`);
@@ -74,7 +79,7 @@ const myAccount = privateKeyToAccount(process.env.PRIVATE_KEY as `0x${string}`);
 ```typescript Deposit funds to your own account
 // 1. Deposit funds to your own account
 const result = await paymentManager.deposit({
-  amountInEth: "0.1",
+  amountInEth: '0.1',
 });
 
 console.log(`Deposit successful: ${result.hash}`);
@@ -84,8 +89,8 @@ console.log(`Deposit successful: ${result.hash}`);
 ```typescript Deposit for another user
 // 1. Deposit funds for another user
 const result = await paymentManager.depositForUser({
-  userAddress: "0x742d35Cc6638Cb49f4E7c9ce71E02ef18C53E1d5",
-  amountInEth: "0.05",
+  userAddress: '0x742d35Cc6638Cb49f4E7c9ce71E02ef18C53E1d5',
+  amountInEth: '0.05',
 });
 
 console.log(`Deposit successful: ${result.hash}`);
@@ -97,12 +102,101 @@ console.log(`Deposit successful: ${result.hash}`);
 
 </Steps>
 
+## Sponsoring Your Users
+
+<Steps>
+  <Step title="Define spending limit">
+
+  Define spending limits for the users you want to sponsor (values are in wei).
+
+  <CodeGroup>
+
+```typescript
+await paymentManager.setRestriction({
+  totalMaxPrice: '1000000000000000000', // 1 ETH equivalent limit
+  requestsPerPeriod: '100', // max number of sponsored requests in a period
+  periodSeconds: '3600', // rolling window (1 hour in this example)
+});
+```
+
+  </CodeGroup>
+
+  </Step>
+
+  <Step title="Delegate users">
+
+  With restrictions set, delegate one or more users to spend from your payer wallet.
+
+  <CodeGroup>
+
+```typescript
+await paymentManager.delegatePaymentsBatch({
+  userAddresses: ['0xAlice...', '0xBob...'],
+});
+```
+
+  </CodeGroup>
+
+  </Step>
+
+  <Step title="Remove users (optional)">
+
+  Undelegate users when you no longer want to sponsor them.
+
+  <CodeGroup>
+
+```typescript
+await paymentManager.undelegatePaymentsBatch({
+  userAddresses: ['0xAlice...'],
+});
+```
+
+  </CodeGroup>
+
+  </Step>
+</Steps>
+
+## **Alternatively**
+
+Manage delegation via the hosted or self-hosted Auth Service (see [Auth Services setup](/sdk/getting-started/auth-services) for the full flow).
+
+## After Payment Delegation
+
+**Users decrypt as normal** – we still call `litClient.decrypt` with an auth context; the network draws fees from the delegated payer instead of the user’s wallet.
+
+<Note>
+  ℹ️ `userMaxPrice` is recommended for sponsored sessions, typically the same value or less than the the restriction the sponsor set; optional guardrail when self-funded.
+</Note>
+
+```typescript highlight={18}
+// Client-side decrypt with sponsored payments
+const authContext = await authManager.createEoaAuthContext({
+  litClient,
+  config: { account: walletClient },
+  authConfig: {
+    resources: [
+      ['access-control-condition-decryption', '*'],
+      ['lit-action-execution', '*'],
+    ],
+  },
+});
+
+const response = await litClient.decrypt({
+  data: encryptedData,
+  unifiedAccessControlConditions: accs,
+  authContext,
+  chain: 'ethereum',
+  userMaxPrice: 1000000000000000000n,
+});
+```
+
 ## Auth Service API Endpoints
 
-Leverage the hosted Auth Service to manage delegation without exposing private keys in your application:
+Leverage the hosted Auth Service to manage delegation without exposing private keys in your application. Full request/response details live in the [Auth Services setup guide](/sdk/getting-started/auth-services#payment-delegation-apis). In practice you will:
 
-- `POST /register-payer` - Send your `x-api-key` header to receive a delegated payer address and `payerSecretKey`. Persist this secret securely; it is required for all future delegation calls.
-- `POST /add-users` - Provide headers `x-api-key` and `payer-secret-key` plus a JSON body containing an array of user addresses. The Auth Service uses the Payment Manager internally to delegate payments to each address in a single transaction.
+- Call `authService.registerPayer` (hosted or self-hosted) to derive a payer wallet + `payerSecretKey`.
+- Call `authService.delegateUsers` (`/add-users`) to sponsor a list of user addresses.
+- Or skip the service entirely and use the Payment Manager methods directly (example below).
 
 ```typescript
 import { createLitClient } from '@lit-protocol/lit-client';
@@ -111,8 +205,8 @@ import { nagaTest } from '@lit-protocol/networks';
 // 1. Create the Lit client for the naga-test environment
 const litClient = await createLitClient({ network: nagaTest });
 
-const authServiceBaseUrl = 'https://naga-test-auth-service.example.com';
-const apiKey = process.env.LIT_API_KEY!;
+const authServiceBaseUrl = 'https://naga-test-auth-service.getlit.dev/';
+const apiKey = process.env.YOUR_AUTH_SERVICE_API_KEY!;
 
 // 3. Register a payer wallet (store the secret securely server-side)
 const registerResponse = await litClient.authService.registerPayer({
@@ -137,14 +231,8 @@ const delegateResponse = await litClient.authService.delegateUsers({
 console.log('Delegation submitted with tx hash:', delegateResponse.txHash);
 
 // 5. Continue to use the same payer secret for future delegation calls
-````
+```
 
 ### How the Auth Service derives payer wallets
 
-- The service holds a single root mnemonic (`LIT_DELEGATION_ROOT_MNEMONIC`).
-- `/register-payer` combines the `x-api-key` header with a freshly generated `payerSecretKey`. That pair is hashed into a deterministic derivation index, which is then used with the root mnemonic to derive a unique child wallet.
-- The response includes the derived wallet address and the random `payerSecretKey`. The server does not store this secret; you must persist it securely on the client side.
-- Later, `/add-users` expects both headers (`x-api-key` and `payer-secret-key`). The service recomputes the same derivation index and wallet on the fly, so the same header pair always maps to the same child wallet.
-- Calling `/register-payer` again with the same API key issues a new random `payerSecretKey`, which leads to a different child wallet. Choose whether to rotate secrets or keep the original one depending on your application needs.
-
-![](https://www.plantuml.com/plantuml/png/XPAn3jCm48PtFyMfKw8IiKSAQcab1a1K58c1CXpEaLWaJcHVIlFs6DkKcBHYYy-Vl_Floyuo6fxwJh3YZc0_SGjdCbSb2KuuzwGPZjHHWwm6BSJeS2NLYAw-ENJAxMy0BOJFT7ifyz3lGbodv3l5qG3lKMD3nlFn-ndh6RTyr3lSFTN5MYo96Xc_eINOh8F2OT1iKFeUzuKGLGKVgL6MoS28CnceAX5lNhnQ1YpXzE7y2LwQY1SUl-ZiLk2eYXyqvsA1hqw_8Kq6cKARCqb3VD57CkfAy1ExZXY-cw67NbC_Q2LX2quCJfnwdJXSi0ogp_xilguDMNlH2_rRcdt2-0m4aoLZ_viGwxhmv3BSYz2iiDuSAXxwydMLEmwaX8RYBBDSnABR_plY4fmCcToZEbUgMM1Ub0uxGoc7INCk0XNJf509Ibj6pGfvPVyNhUCZnRfzZIpRp4VCHGgxu_TVo1zSlAxuim75WoPy0qEIrCWhPJeBZxPeswUpjvEKP2rix-IET3trtIy0)
+- For hosted or self-hosted deployments, see the derivation and rotation notes in the [Auth Services guide](/sdk/getting-started/auth-services#payment-delegation-apis). Manual deployments can always provision and delegate entirely via the `PaymentManager` helper without touching these endpoints.

packages/artillery/CHANGELOG.md

@@ -1,5 +1,18 @@
 # @lit-protocol/artillery
 
+## 0.0.7
+
+### Patch Changes
+
+- @lit-protocol/e2e@3.0.2
+
+## 0.0.6
+
+### Patch Changes
+
+- Updated dependencies [6bd3394]
+  - @lit-protocol/e2e@3.0.1
+
 ## 0.0.5
 
 ### Patch Changes

packages/artillery/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lit-protocol/artillery",
-  "version": "0.0.5",
+  "version": "0.0.7",
   "private": true,
   "type": "commonjs",
   "dependencies": {

packages/auth-helpers/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @lit-protocol/auth-helpers
 
+## 8.1.1
+
+### Patch Changes
+
+- 6bd3394: Update the naga-dev staking address. users are expected to reinstall the SDK to apply this patch to continue using the naga-dev network.
+
 ## 8.1.0
 
 ### Minor Changes

packages/auth-helpers/package.json

@@ -25,7 +25,7 @@
     "crypto": false,
     "stream": false
   },
-  "version": "8.1.0",
+  "version": "8.1.1",
   "main": "./src/index.js",
   "typings": "./src/index.d.ts",
   "dependencies": {

packages/auth-services/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @lit-protocol/auth-services
 
+## 2.0.5
+
+### Patch Changes
+
+- 6bd3394: Update the naga-dev staking address. users are expected to reinstall the SDK to apply this patch to continue using the naga-dev network.
+- Updated dependencies [6bd3394]
+  - @lit-protocol/contracts@0.7.1
+
 ## 2.0.4
 
 ### Patch Changes