Configuration Reference

Configuration objects for the HyperAuth SDK client and Vault worker.

ClientConfig

Passed to createClient(config) or HyperAuthClient.create(plugin, config). All fields are optional.

interface ClientConfig {
  wasmUrl?: string;
  wasmBytes?: Uint8Array;
  logger?: Pick<Console, 'log' | 'error' | 'warn' | 'info' | 'debug'>;
  debug?: boolean;
  autoLockTimeout?: number;
  contracts?: ContractsConfig;
}

Fields

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| wasmUrl | string | "/enclave.wasm" | URL from which the WASM enclave binary is fetched. Used by createClient() when initializing the core worker. |
| wasmBytes | Uint8Array | | Raw WASM bytes. Alternative to wasmUrl for environments where fetching is unavailable. |
| logger | Pick<Console, 'log' \| 'error' \| 'warn' \| 'info' \| 'debug'> | console | Logger instance. All log calls are gated by debug. |
| debug | boolean | false | Enable debug logging. When false, no messages are emitted through the logger. |
| autoLockTimeout | number | 300000 | Milliseconds of inactivity before the vault is automatically locked. Set to 0 to disable auto-lock. The timer resets on any vault operation. |
| contracts | ContractsConfig | Base Sepolia defaults | On-chain contract addresses. Defaults to defaultContracts (Base Sepolia, chain ID 84532). |

Notes

  • wasmUrl and wasmBytes are mutually exclusive. wasmBytes takes precedence in the bridge implementation if both are supplied.
  • autoLockTimeout triggers HyperAuthClient.lock() after the inactivity period. If an onAutoLock callback has been registered via setAutoLockCallback(), it receives the encrypted database bytes from the lock result.
  • createClient() uses wasmUrl and contracts to initialize the core worker bridge. HyperAuthClient.create() with a pre-constructed WasmPlugin does not use these fields.

ContractsConfig

Smart contract addresses for a specific EVM chain. Used by the enclave to construct and verify on-chain operations.

interface ContractsConfig {
  chainId: number;
  entryPoint: string;
  didRegistry: string;
  accountHelper: string;
  sessionSBT: string;
  hyperAuthFactory: string;
}

Fields

| Field | Type | Description |
| --- | --- | --- |
| chainId | number | EVM chain ID |
| entryPoint | string | ERC-4337 EntryPoint contract address |
| didRegistry | string | HyperAuth DID Registry contract address |
| accountHelper | string | Account state helper contract address. Exposes getAccountState(address) and is used by /api/accounts/state. |
| sessionSBT | string | Session Soulbound Token contract address |
| hyperAuthFactory | string | Smart account factory contract address. Exposes getAddress(pubKeyX, pubKeyY, salt) and is used by /api/accounts/predict. |

Default values (defaultContracts)

Exported as defaultContracts from @hyperauth/sdk. Matches the DEFAULT_CONTRACTS constant in the Vault worker.

| Field | Value |
| --- | --- |
| chainId | 84532 |
| entryPoint | 0x0000000071727De22E5E9d8BAf0edAc6f37da032 |
| didRegistry | 0xd38972ffea26b66f09e2109e650887acd447e7b7 |
| accountHelper | 0xd4d57cc363dd419cd95712eb5cddf1797ceb9dde |
| sessionSBT | 0x5a2822bd69aa3799232ac57decf2b07e3fed1881 |
| hyperAuthFactory | 0xb797f4799d8aa218e9207f918fdea3afc76b1e18 |
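
Because these addresses decide which contracts the enclave constructs and verifies operations against, a contracts override is worth checking before it reaches createClient(). The following is an added example, not part of the HyperAuth SDK: auditContracts is a hypothetical helper, the interface and default values are copied from the tables above, and only the address format is checked (no EIP-55 checksum).

```typescript
// Added example, not HyperAuth SDK code. auditContracts is a hypothetical
// helper; the interface and DEFAULTS are copied from the reference above.
interface ContractsConfig {
  chainId: number;
  entryPoint: string;
  didRegistry: string;
  accountHelper: string;
  sessionSBT: string;
  hyperAuthFactory: string;
}

const DEFAULTS: ContractsConfig = {
  chainId: 84532,
  entryPoint: "0x0000000071727De22E5E9d8BAf0edAc6f37da032",
  didRegistry: "0xd38972ffea26b66f09e2109e650887acd447e7b7",
  accountHelper: "0xd4d57cc363dd419cd95712eb5cddf1797ceb9dde",
  sessionSBT: "0x5a2822bd69aa3799232ac57decf2b07e3fed1881",
  hyperAuthFactory: "0xb797f4799d8aa218e9207f918fdea3afc76b1e18",
};

const ADDRESS_FIELDS = ["entryPoint", "didRegistry", "accountHelper", "sessionSBT", "hyperAuthFactory"] as const;
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/; // format only, no EIP-55 checksum

// Reject malformed values and list every field that departs from the
// documented defaults so each override can be confirmed as intended.
function auditContracts(cfg: ContractsConfig): { errors: string[]; overrides: string[] } {
  const errors: string[] = [];
  const overrides: string[] = [];
  if (!Number.isInteger(cfg.chainId) || cfg.chainId <= 0) {
    errors.push("chainId: not a positive integer");
  } else if (cfg.chainId !== DEFAULTS.chainId) {
    overrides.push("chainId");
  }
  for (const field of ADDRESS_FIELDS) {
    const value = cfg[field];
    if (typeof value !== "string" || !ADDRESS_RE.test(value)) {
      errors.push(`${field}: not a 0x-prefixed 20-byte hex address`);
    } else if (/^0x0{40}$/.test(value)) {
      errors.push(`${field}: zero address`);
    } else if (value.toLowerCase() !== DEFAULTS[field].toLowerCase()) {
      overrides.push(field); // comparison ignores hex letter case
    }
  }
  // A different chain with every address left at its default is inconsistent.
  if (errors.length === 0 && overrides.length === 1 && overrides[0] === "chainId") {
    errors.push("chainId: changed while every address is still a Base Sepolia default");
  }
  return { errors, overrides };
}
```

An empty errors list with a non-empty overrides list means the config is well-formed but points somewhere other than the documented deployment.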

WorkerConfig

Configuration passed to createCoreBridge(). Used internally by createClient().

interface WorkerConfig {
  wasmUrl: string;
  debug?: boolean;
  contracts?: ContractsConfig;
}

Fields

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| wasmUrl | string | | URL to fetch the WASM enclave binary. Required. |
| debug | boolean | false | Enable debug logging in the core worker. |
| contracts | ContractsConfig | | Contract addresses forwarded to the enclave. |

VaultStoreConfig

Configuration for VaultStore initialization. VaultStore manages the wa-sqlite persistence layer for fast page-reload restore.

interface VaultStoreConfig {
  dbName?: string;
}

Fields

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| dbName | string | "hyperauth-vault" | Name of the wa-sqlite database opened in the browser's Origin Private File System. |

VaultSnapshotConfig

Configuration for VaultSnapshot, which wraps vault bytes in DAG-CBOR and stores them in a Helia blockstore.

interface VaultSnapshotConfig {
  gatewayUrl?: string;
}

Fields

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| gatewayUrl | string | | IPFS gateway URL used as a read fallback when the local Helia blockstore does not contain a requested CID. Example: "https://trustless-gateway.link". |

Vault Worker Environment (Env)

The Cloudflare Worker Env interface declares all bindings and secrets required by the Vault worker. These are not SDK configuration — they are Cloudflare Worker environment bindings configured in wrangler.toml and the Cloudflare dashboard.

Bindings

| Binding | Type | Description |
| --- | --- | --- |
| VAULT | DurableObjectNamespace<Vault> | Per-identifier Durable Object namespace |
| CDN_ASSETS | R2Bucket | R2 bucket for CDN assets (WASM binary) |
| ASSETS | Fetcher | Static asset binding for the SPA and payment pages |
| SESSION_DB | D1Database | Global D1 database for sessions, registered DIDs, and verified identifiers |
| ANALYTICS_ENGINE | AnalyticsEngineDataset | Workers Analytics Engine for event tracking |
| INDEXER | Fetcher | Service binding to the indexer worker (optional) |

Environment Variables

| Variable | Type | Description |
| --- | --- | --- |
| INDEXER_URL | string | Base URL for the indexer (fallback when INDEXER service binding is absent) |
| WIDGET_ALLOWED_ORIGINS | string (optional) | Comma-separated list of origins permitted for CORS on widget-facing endpoints (/api/status, /api/dids/lookup, /api/aliases/check) |
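
A comma-separated origin allow-list such as WIDGET_ALLOWED_ORIGINS is only as strict as the comparison applied to it. The following is an added example, not the Vault worker's own code: the helper names and the sample origins used with them are assumptions, and it shows parsing the variable and matching a request's Origin header by exact membership.

```typescript
// Added example, not Vault worker code. The helper names are hypothetical
// and the origins used with them are constructed sample values.
const ORIGIN_RE = /^(https?):\/\/([a-z0-9.-]+|\[[0-9a-f:]+\])(?::(\d{1,5}))?$/;

// Canonical form: lowercase, no trailing slash, default port removed.
// Returns null for anything that is not a bare scheme://host[:port] origin.
function normalizeOrigin(raw: string): string | null {
  const m = ORIGIN_RE.exec(raw.trim().toLowerCase().replace(/\/$/, ""));
  if (m === null) return null;
  const [, scheme, host, port] = m;
  const isDefault = port === undefined ||
    (scheme === "https" && port === "443") || (scheme === "http" && port === "80");
  return isDefault ? `${scheme}://${host}` : `${scheme}://${host}:${Number(port)}`;
}

interface AllowList { origins: Set<string>; rejected: string[]; }

// Split the comma-separated variable; entries that are not plain origins
// ("*", "null", paths, bare hostnames) are reported instead of being trusted.
function parseAllowedOrigins(value: string | undefined): AllowList {
  const origins = new Set<string>();
  const rejected: string[] = [];
  for (const entry of (value ?? "").split(",")) {
    if (entry.trim() === "") continue;
    const origin = normalizeOrigin(entry);
    if (origin === null) rejected.push(entry.trim());
    else origins.add(origin);
  }
  return { origins, rejected };
}

// Value for Access-Control-Allow-Origin, or null to send no CORS header.
// Matching is exact set membership, never prefix, suffix or substring.
function corsOriginFor(requestOrigin: string | null, list: AllowList): string | null {
  if (requestOrigin === null) return null;
  const origin = normalizeOrigin(requestOrigin);
  return origin !== null && list.origins.has(origin) ? origin : null;
}
```

Logging the rejected entries at startup surfaces a wildcard or malformed value in the variable before any request is served.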

Secrets

| Secret | Description |
| --- | --- |
| TWILIO_ACCOUNT_SID | Twilio account SID for SMS verification |
| TWILIO_AUTH_TOKEN | Twilio auth token |
| TWILIO_VERIFY_SERVICE_SID | Twilio Verify service SID |
| RESEND_API_KEY | Resend API key for email delivery |
| RESEND_FROM_EMAIL | Sender address for verification emails (defaults to "onboarding@resend.dev" if absent) |
| PIMLICO_API_KEY | API key for the Pimlico ERC-4337 bundler |
| ATTESTATION_SIGNING_KEY | HMAC-SHA256 key used to sign and verify VerificationAttestation payloads |
| INNGEST_EVENT_KEY | Inngest event key for publishing events |
| INNGEST_SIGNING_KEY | Inngest signing key for webhook verification |

Vault Worker Constants

Constants defined in apps/vault/src/lib/types.ts. These values are fixed at deploy time and are not overridable via environment variables.

| Constant | Value | Description |
| --- | --- | --- |
| CHAIN_ID | "84532" | Target chain ID (Base Sepolia) |
| MAX_REGISTRATIONS_PER_IP | 3 | Maximum registration sessions per IP address |
| MAX_VERIFY_ATTEMPTS | 5 | Maximum OTP submission attempts per email code before the code is invalidated |
| EMAIL_CODE_EXPIRY_SECONDS | 90 | Email OTP TTL in seconds |
| RATE_LIMIT_CODES_PER_IDENTIFIER | 5 | Maximum verification code sends per identifier per hour (email channel only) |
| MAX_VERIFY_SENDS_PER_IP | 3 | Maximum verification sends per IP per 24 hours (all channels) |
| ATTESTATION_TTL_SECONDS | 300 | Verification attestation validity window in seconds |

WebAuthn Defaults

Constants defined in sdk/client/src/constants.ts.

| Constant | Value | Description |
| --- | --- | --- |
| DEFAULT_RP_ID | "did.run" | Default WebAuthn Relying Party ID used by createPasskey() and authenticatePasskey(). Overridable via CreatePasskeyOptions.rpId. |
