Functions
createLitClient ({ network }
)
Parameters
param.network
NagaNetworkModule
required
The network to connect to. import { nagaDev } from "@lit-protocol/networks" ;
const litClient = await createLitClient ({ network: nagaDev });
Returns
Complete litClient object with all returned methods.
chain.raw.pkpSign
Signs arbitrary bytes with a PKP using the specified signing scheme on the chosen chain.
Parameters
0x‑prefixed PKP public key.
toSign
Uint8Array | ArrayLike<number>
required
Bytes to sign. If hashing is enabled, the hash of this payload is signed.
Signing scheme to use. ECDSA over secp256k1 with SHA‑256 prehash.
ECDSA over P‑256 with SHA‑256 prehash.
ECDSA over P‑384 with SHA‑384 prehash.
Schnorr over Ed25519 with SHA‑512 prehash.
Schnorr over secp256k1 with SHA‑256 prehash.
Schnorr over P‑256 with SHA‑256 prehash.
Schnorr over P‑384 with SHA‑384 prehash.
SchnorrRistretto25519Sha512
Schnorr over Ristretto25519 with SHA‑512 prehash.
Schnorr over Ed448 with SHAKE‑256 prehash.
SchnorrRedJubjubBlake2b512
Schnorr over Jubjub (red) with BLAKE2b‑512 prehash.
Schnorr over secp256k1 (Taproot) variant.
SchnorrRedDecaf377Blake2b512
Schnorr over Decaf377 (red) with BLAKE2b‑512 prehash.
Schnorrkel (Substrate) variant.
Defaults to EcdsaK256Sha256.
Supports EcdsaK256Sha256, SchnorrK256Sha256, SchnorrK256Taproot.
Target chain; determines hashing (e.g. keccak256 for ethereum, sha256 for bitcoin). Uses keccak256 prehashing when hashing is enabled.
Uses SHA‑256 prehashing when hashing is enabled.
authContext
AuthenticationContext
required
Authorisation/session context
Optional maximum price the user is willing to pay for this request.
Optional. Controls message pre‑hashing before signing. Do not transform toSign
; the payload is signed as‑is. Use when you already
computed the digest (e.g. EIP‑712 typed data, pre‑computed tx/message hash).
Auto‑hash toSign
according to signingScheme
and chain
via LitMessageSchema.
Show auto‑hash mapping (ECDSA)
Hash function used before signing.
Hash function used before signing.
Hash function used before signing.
Hash function used before signing.
Hash function used before signing.
Hash function used before signing.
Show auto‑hash mapping (FROST)
No hashing is applied; toSign
is signed as‑is.
Auto‑hash mapping is not defined; avoid relying on auto‑hash with these chains.
Compute the EIP‑712 digest client‑side and set bypassAutoHashing
=true to sign the digest directly.
Returns
The final signature for the request.
0x‑prefixed verifying (compressed) public key used to produce the signature.
0x‑prefixed hex of the exact payload that was signed (post‑hashing if applicable).
Recovery identifier when applicable to the scheme (0 or 1; may be null).
0x‑prefixed PKP public key associated with the signature.
The signature type/scheme used
executeJs
Execute a Lit Action (JS) on the network.
Parameters
Inline JS code to run. Either code or ipfsId must be provided.
IPFS CID of a Lit Action to run. Either code or ipfsId must be provided.
jsParams
any | { publicKey?: string; sigName?: string; ... }
Parameters injected into the Lit Action runtime before execution.
authContext
AuthenticationContext
required
Authorisation/session context for node authorisation.
Optional maximum price the user is willing to pay.
Returns
The action-defined response payload.
Aggregated logs from nodes.
Signature map when action performs signing.
Optional claim results when present.
Optional debug info (allNodeResponses, allNodeLogs, rawNodeHTTPResponses).
encrypt
Encrypt data with access control conditions using BLS.
Parameters
dataToEncrypt
string | object | any[] | Uint8Array
required
The data to encrypt. Strings/objects/arrays are internally converted to bytes. Objects/arrays are JSON-stringified first.
Target chain context for condition evaluation.
Standard access control conditions (ACC). Provide one of ACC, evmContractConditions, solRpcConditions, or unifiedAccessControlConditions.
EVM-specific contract conditions (mutually exclusive with other condition types).
Solana RPC conditions (mutually exclusive with other condition types).
unifiedAccessControlConditions
Unified access control conditions (mutually exclusive with other condition types).
Optional metadata to describe the data being encrypted. dataType
'uint8array' | 'string' | 'json' | 'buffer' | 'image' | 'video' | 'file'
Expected data type for downstream conversion on decrypt.
MIME type for file-like data.
Original filename for file-like data.
Arbitrary custom metadata.
Returns
Base64-encoded ciphertext.
SHA-256 hash (hex) of the plaintext data.
Echo of provided metadata or inferred data type where applicable.
decrypt
Decrypt data previously encrypted with access control conditions.
Parameters
Optional. Pass the full encrypted object from encrypt(). If omitted, provide fields below individually.
Base64-encoded ciphertext (required if data is not provided).
SHA-256 hash (hex) of the original plaintext (required if data is not provided).
One of ACC, evmContractConditions, solRpcConditions, or unifiedAccessControlConditions (must match encryption).
unifiedAccessControlConditions
Target chain context for condition evaluation.
Authorisation/session context for node authorisation.
Optional maximum price the user is willing to pay for this request.
Returns
convertedData
string | object | Buffer | Blob | File
Present when metadata.dataType was provided and conversion is applicable.
Metadata echo including dataType and optional file info.
mintWithEoa
Mint a PKP using an EOA.
Parameters
account
Account | WalletClient | Signer
required
The signing account that will perform the mint on-chain.
Returns
Transaction hash of the mint.
0x-hex uncompressed public key.
Derived 0x-hex Ethereum address.
mintWithAuth
Mint a PKP using an authentication method.
Parameters
account
Account | WalletClient | Signer
required
The signing account that will perform the mint on-chain.
Auth method payload (e.g., from ViemAccountAuthenticator): includes authMethodType, authMethodId, optional accessToken.
scopes
string[] | number[]
required
Permission scopes to attach to the minted PKP.
Returns
mintWithCustomAuth
Mint a PKP using custom authentication (Lit Action validator or IPFS CID).
Parameters
account
Account | WalletClient | Signer
required
The signing account for on-chain operations.
authData
AuthData (without accessToken)
required
Authentication method details used alongside the validation Lit Action.
Lit Action IPFS CID (must start with “Qm” and be ≥ 46 chars).
scope
'no-permissions' | 'sign-anything' | 'personal-sign'
required
Initial permission scope to grant.
addPkpEthAddressAsPermittedAddress
If true, add the PKP’s own address as a permitted address.
If true, transfers the PKP to itself after minting.
Returns
Echo of the provided Lit Action CID.
Mint result and PKP details from the chain API.
authService.mintWithAuth
Mint a PKP via the Auth Service. Parameters and returns mirror mintWithAuth
.
Parameters
account
Account | WalletClient | Signer
Optional. Override the Auth Service base URL; defaults to the network’s configured value.
Returns
getPKPPermissionsManager
Create a PKP permissions manager instance.
Parameters
PKP identifier. Exactly one of the following must be provided. PKP token ID (stringified bigint).
0x‑prefixed uncompressed PKP public key.
0x‑prefixed PKP Ethereum address.
account
Account | WalletClient | Signer
required
Account used for permission transactions and reads.
Returns
result
PKPPermissionsManager Object
addPermittedAction(params)
Add a permitted Lit Action. Permission scopes (e.g., ‘sign-anything’).
await manager . addPermittedAction ({ ipfsId: "Qm..." , scopes: [ "sign-anything" ] });
addPermittedAddress(params)
Add a permitted address. 0x‑prefixed address to permit.
await manager . addPermittedAddress ({ address: "0xUser..." , scopes: [ "sign-anything" ] });
addPermittedAuthMethod(params)
Permit an authentication method. authMethodType
string | number | bigint
required
await manager . addPermittedAuthMethod ({ authMethodType: 1 , authMethodId: "0x..." , userPubkey: "0x..." , scopes: [ "sign-anything" ] });
addPermittedAuthMethodScope(params)
Permit a scope for an auth method. authMethodType
string | number | bigint
required
scopeId
string | number | bigint
required
await manager . addPermittedAuthMethodScope ({ authMethodType: 1 , authMethodId: "0x..." , scopeId: 0 });
removePermittedAction(params)
await manager . removePermittedAction ({ ipfsId: "Qm..." });
removePermittedAddress(params)
await manager . removePermittedAddress ({ address: "0xUser..." });
removePermittedAuthMethod(params)
authMethodType
string | number | bigint
required
await manager . removePermittedAuthMethod ({ authMethodType: 1 , authMethodId: "0x..." });
removePermittedAuthMethodScope(params)
authMethodType
string | number | bigint
required
scopeId
string | number | bigint
required
await manager . removePermittedAuthMethodScope ({ authMethodType: 1 , authMethodId: "0x..." , scopeId: 0 });
isPermittedAction(params)
const ok = await manager . isPermittedAction ({ ipfsId: "Qm..." });
isPermittedAddress(params)
const ok = await manager . isPermittedAddress ({ address: "0xUser..." });
getPermittedActions()
Promise<readonly 0x-hex[]>
getPermittedAddresses()
Promise<readonly 0x-hex[]>
getPermittedAuthMethods()
Promise<readonly AuthMethod[]>
getPermittedAuthMethodScopes(params)
Promise<readonly boolean[]>
getPermissionsContext()
Promise<PermissionsContext>
Returns consolidated permissions (actions, addresses, authMethods).
batchUpdatePermissions(operations)
Batch perform add/remove operations. Show operations (array of)
{ type: 'addAction'; ipfsId; scopes }
{ type: 'addAddress'; address; scopes }
{ type: 'addAuthMethod'; authMethodType; authMethodId; userPubkey; scopes }
{ type: 'addAuthMethodScope'; authMethodType; authMethodId; scopeId }
{ type: 'removeAction'; ipfsId }
{ type: 'removeAddress'; address }
{ type: 'removeAuthMethod'; authMethodType; authMethodId }
{ type: 'removeAuthMethodScope'; authMethodType; authMethodId; scopeId }
await manager . batchUpdatePermissions ([
{ type: 'addAddress' , address: '0xUser...' , scopes: [ 'sign-anything' ] },
{ type: 'addAction' , ipfsId: 'Qm...' , scopes: [ 'sign-anything' ] },
]);
Remove all addresses, auth methods, and known test actions.
getPaymentManager
Get a Payment Manager for Ledger contract operations.
Parameters
account
Account | WalletClient | Signer
required
The account used for deposits, withdrawals, and queries.
Returns
Deposit funds to your own account. Amount to deposit in ETH (string), internally converted to Wei.
await paymentManager . deposit ({ amountInEth: "0.1" });
Deposit funds for another user. await paymentManager . depositForUser ({ userAddress: "0x..." , amountInEth: "0.25" });
Get total and available balances for a user. const bal = await paymentManager . getBalance ({ userAddress: "0x..." });
console . log ( bal . totalBalance , bal . availableBalance );
Request withdrawal (starts delay period). await paymentManager . requestWithdraw ({ amountInEth: "0.05" });
Execute withdrawal after delay. await paymentManager . withdraw ({ amountInEth: "0.05" });
getWithdrawRequest(params)
Promise<WithdrawRequestInfo>
Get current withdrawal request for a user. const info = await paymentManager . getWithdrawRequest ({ userAddress: "0x..." });
getWithdrawDelay()
Promise<{ delaySeconds: string; raw: bigint }>
Get global withdrawal delay in seconds. const delay = await paymentManager . getWithdrawDelay ();
canExecuteWithdraw(params)
Promise<{ canExecute: boolean; timeRemaining?: number; withdrawRequest: WithdrawRequestInfo }>
Check whether a user’s withdrawal can be executed now. const { canExecute , timeRemaining } = await paymentManager . canExecuteWithdraw ({ userAddress: "0x..." });
Delegate payments to a user. await paymentManager . delegatePayments ({ userAddress: "0xUser..." });
undelegatePayments(params)
Undelegate payments from a user. await paymentManager . undelegatePayments ({ userAddress: "0xUser..." });
delegatePaymentsBatch(params)
Delegate payments to multiple users. await paymentManager . delegatePaymentsBatch ({ userAddresses: [ "0xA..." , "0xB..." ] });
undelegatePaymentsBatch(params)
Undelegate payments from multiple users. await paymentManager . undelegatePaymentsBatch ({ userAddresses: [ "0xA..." , "0xB..." ] });
Set payment restriction for caller. await paymentManager . setRestriction ({ totalMaxPrice: "1000000000000000000" , requestsPerPeriod: "100" , periodSeconds: "86400" });
List payers for a user. const payers = await paymentManager . getPayers ({ userAddress: "0xUser..." });
List users for a payer. const users = await paymentManager . getUsers ({ payerAddress: "0xPayer..." });
getRestriction(params)
Promise<{ totalMaxPrice: string; requestsPerPeriod: string; periodSeconds: string; raw: Restriction }>
Get restriction for a payer. const r = await paymentManager . getRestriction ({ payerAddress: "0xPayer..." });
getPayersAndRestrictions(params)
Promise<{ payers: string[][]; restrictions: { totalMaxPrice: string; requestsPerPeriod: string; periodSeconds: string; }[][]; raw: { payers: string[][]; restrictions: Restriction[][] } }>
Batch get payers and restrictions for users. const res = await paymentManager . getPayersAndRestrictions ({ userAddresses: [ "0xA..." , "0xB..." ] });
viewPKPPermissions
View current permissions context for a PKP.
Parameters
pkpIdentifier
{ tokenId?: string; pubkey?: string; address?: string }
required
Returns
viewPKPsByAddress
List PKPs owned by an address.
Parameters
Address whose PKPs to fetch.
Returns
getPkpViemAccount
Create a Viem-compatible account backed by a PKP.
Parameters
0x-prefixed PKP public key.
authContext
AuthenticationContext
required
Authorisation context used for signing sessions.
Viem chain configuration used by the returned account.
Returns
signMessage / signTypedData / sendTransaction
Standard Viem account methods that route to PKP signing under the hood.
Returns
The final signature for the request.
0x‑prefixed verifying (compressed) public key used to produce the signature.
0x‑prefixed hex of the exact payload that was signed (post‑hashing if applicable).
Recovery identifier when applicable to the scheme (0 or 1; may be null).
0x‑prefixed PKP public key associated with the signature.
The signature type/scheme used (e.g. ECDSA, Schnorr).
getChainConfig
Returns the chain configuration for the current network.
Parameters
none
Returns
Viem chain configuration used by the returned account.
disconnect
Stop background state updates and release resources.
Parameters
none
Returns
void