|
1 | 1 | --- |
2 | 2 | title: 'Derive Lit Action Public Keys' |
3 | | -description: 'How to deterministically derive and verify a Lit Action identity without executing it externally.' |
| 3 | +description: 'Deterministically derive and verify a Lit Action identity without executing it externally.' |
4 | 4 | --- |
5 | 5 |
|
| 6 | +# Details |
| 7 | + |
| 8 | +`Lit.Actions.signAsAction` enables a Lit Action to generate signatures that authenticate data without needing external keys. |
| 9 | +Any system can later verify these signatures using `Lit.Actions.verifyActionSignature`, or retrieve the associated public key with `Lit.Actions.getActionPublicKey` and perform verification independently. |
| 10 | + |
6 | 11 | # Derive a Lit Action Public Key Locally |
7 | 12 |
|
8 | 13 | ## Question |
9 | 14 |
|
10 | | -I want to call `Lit.Actions.signAsAction`. I know the action identity is derived from the Action's IPFS CID, but I cannot find a way to obtain the public key outside of the Action runtime. `Lit.Actions.getActionPublicKey` works within the Action, while `executeJs` only exposes `signatures.<name>.publicKey` after a signing operation. Is there a way to deterministically derive the Action's public key locally without running the Action? |
| 15 | +I want to call `Lit.Actions.signAsAction`. I know the action identity is derived from the Action's IPFS CID, but I cannot find a way to obtain the public key outside the Action runtime. `Lit.Actions.getActionPublicKey` works within the Action. However, `executeJs` only exposes `signatures.<name>.publicKey` after a signing operation. Is there a way to deterministically derive the Action's public key locally without running the Action? |
11 | 16 |
|
12 | 17 | ## Answer |
13 | 18 |
|
14 | 19 | Yes. Inside the Lit Action you can deterministically derive the Action identity (and therefore its public key) from the same inputs the nodes use: the Action's IPFS CID and the signing scheme. The snippet below shows the complete flow: |
15 | 20 |
|
16 | 21 | 1. Produce the 32-byte message hash the Lit nodes expect. |
17 | 22 | 2. Call `Lit.Actions.signAsAction` to sign that message with the Action identity. |
18 | | -3. Derive the Action public key via `Lit.Actions.getActionPublicKey`, passing the Action CID and signing scheme. |
| 23 | +3. Optionally derive the action public key via `Lit.Actions.getActionPublicKey`, passing the Action IPFS CID and signing scheme. |
19 | 24 | 4. Optionally verify the signature with `Lit.Actions.verifyActionSignature`. |
| 25 | +5. NOTE: `Lit.Actions.getActionPublicKey` and `Lit.Actions.verifyActionSignature` can be called from any Lit Action to verify signatures, not just from the same Action that called `Lit.Actions.signAsAction`. |
20 | 26 |
|
21 | 27 | ```js |
22 | 28 | const { sigName, toSign } = jsParams; // 'publicKey' not required; derive it from the Action IPFS CID |
@@ -72,7 +78,7 @@ This approach keeps the derivation entirely within the Lit Action context. Becau |
72 | 78 |
|
73 | 79 | ## Derive the Same Public Key from Client Code |
74 | 80 |
|
75 | | -If you prefer to resolve the Lit Action public key outside of the Action runtime - e.g., inside tests or other tooling—the SDK now exposes a helper that calls the on-chain PubkeyRouter contract. |
| 81 | +If you prefer to resolve the Lit Action public key outside the Action runtime - e.g., inside tests or other tooling—the SDK now exposes a helper that calls the on-chain PubkeyRouter contract. |
76 | 82 |
|
77 | 83 | ```ts |
78 | 84 | import { createLitClient } from "@lit-protocol/lit-client"; |
|
0 commit comments