feat: add privy server wallet provider

[azf20]

What changed? Why?

• Introduces a Privy Server Wallet Provider (extending EvmWalletProvider), extending the viem provider using @privy-io/server-auth (which has a createViemAccount method)
• Follows the "configureWithWallet" pattern (similar to the cdp provider)
• Wallet ID is required
• Supports optional authorization private key

Qualified Impact

• This is an incremental provider, however it does add @privy-io/server-auth as a dependency. An initial implementation was made using the REST API to minimize dependencies, but adding support for authorization keys and full transaction sending / signing support introduced sufficient complexity that the trade off shifted to adding the dependency - particularly to avoid or easily mitigate breaking changes in future (on either side). However - open to discussion!

[cb-heimdall]

🟡 Heimdall Review Status

Requirement	Status	More Info
Reviews	🟡 -1/1	Denominator calculation Show calculation 1 if user is bot 0 1 if user is external 0 From .codeflow.yml 1 Additional review requirements Show calculation Max 0 0 From CODEOWNERS 0 Global minimum 0 Max 1 1 1 if commit is unverified 0 Sum 1

[John-peterson-coinbase]

network ID for base sepolia is base-sepolia

[azf20]

thanks, fixed!

[azf20]

thanks @John-peterson-coinbase, added fixes here f49f51d, including package-lock.json (though on reflection wasn't sure about the policy there). Let me know if there is anything else!

[John-peterson-coinbase]

Thanks @azf20 - please rebase and sign the commits following the commit signing instructions

[azf20]

thanks so much, I rebased and verified, hope that looks right!

[0xRAG]

Hey @azf20 I tested this locally and it's working great! As a couple final asks, could you:

• Add an examples/langchain-privy-chatbot – It can be a copy/paste of examples/langchain-cdp-chatbot swapping out CdpWalletProvider for PrivyWalletProvider
• Add an export_wallet function (see: here) or otherwise document the best way to save and restore a Privy wallet

Thank you!

[azf20]

OK great! I rebased and added an example - I added a comment explaining that Privy server wallets are embedded & controllable via the dashboard & API. Let me know if that makes sense or if you wanted that elsewhere

[0xRAG]

OK great! I rebased and added an example - I added a comment explaining that Privy server wallets are embedded & controllable via the dashboard & API. Let me know if that makes sense or if you wanted that elsewhere

Nice, thanks! Two things:

1. Let's add the new example to the workspaces entry in the root package.json. Then remove the package-lock.json from the new example
2. Thanks for the brief comment explaining Privy Server wallets – I think it would be nice to include it in the example README as well

[0xRAG]

Also, what are your thoughts on this ask:

Add an export_wallet function (see: here) or otherwise document the best way to save and restore a Privy wallet

Is this simply saving off the wallet ID, then using that to query Privy?

[azf20]

• Added to workspaces entry & removed package.json
• Added some more notes on Privy to the README
• Added an "Export" function for the Wallet Provider which returns the input configuration (App ID, Secret, Wallet ID, Auth Key if applicable) - this isn't the private key, but it's the information required to make any changes on the Privy side
• Fixed commit signing

Thanks!

[0xRAG]

Also @azf20 two more things before we can merge:

1. Please update the agentkit readme to include a section on the Privy server wallet
2. Update the changelog to include an entry on the new wallet provider

Almost there!

[azf20]

Thanks so much! Rebased + updated README and Changelog

[John-peterson-coinbase]

@0xRAG @azf20 - This config should take chainId instead of networkId . Network ID is a CDP concept and will limit the Privy implementation to only support CDP supported networks. Privy does not have the same constraints as CdpWalletProvider and therefore should take chainId which will unblock usage of all EVM.

[azf20]

Good call! This is done now in ba189e3

[cb-heimdall]

Review Error for John-peterson-coinbase @ 2025-02-13 23:31:28 UTC
User failed mfa authentication, public email is not set on your github profile. see go/mfa-help

[colfax23]

Wow, this is great! Thanks for doing this. I'm Colfax from the Privy team, it's nice to meet you, this was enjoyable to review.

The core change that needs to be made is around how the authorization private key + ID is handled during wallet creation. Feel free to let me know if you have any questions!

[colfax23]

As @John-peterson-coinbase mentioned above, Privy can support any EVM chain, so you can update the config to take in a chainId (eg 84532 for base sepolia). In order to resolve the viem chain object, here is a post I've found helpful.

[azf20]

done, thanks for the hint!

[colfax23]

nit: this call returns the whole wallet object (including the address), so if you shift things around a bit you can save the second network hop below to getWallet

[azf20]

nice yes did that too

[colfax23]

This actually takes as an input an authorizationKeyId which is an ID assigned by to an authorization key when it is registered with Privy server wallets. In order to use an authorization key with a wallet, you need to pre register it with Privy. We are actually working on supporting key registration during wallet creation, but it is not implemented yet.

I can see two paths forward here:

1. You can implement authorization key registration with Privy before wallet creation. We don't have support for it in server-auth but we do via our REST API (docs - see REST API tab). The developer would generate the p256 private + public keypair (instructions in above docs as well) and input them both as a config, then you would send the public key to privy, and you'll get back an ID which you'd use during wallet creation. The server-auth config above correctly takes in the private key.
2. You can take in an authorizationKeyId in the config, however that would require the developer to register the key with Privy themselves beforehand, which isn't an ideal experience.

[azf20]

Thanks for that context, sorry I had missed that you need to pass IDs for creation.

I tried 1., but hit an issue where the https://api.privy.io/v1/wallets endpoint was returning a 404 - see this branch on my project repository as a test case azf20/hello-world-computer@cd61b55

So I reverted to 2, but also found that an authorization key was required on new wallet creation, not sure if that is expected? Got the following when I didn't pass in an auth key:

 ⨯ Error: Missing `privy-authorization-signature` header.

So I updated the error handling and docs accordingly - not an ideal experience but I think ok for now

[colfax23]

Good catch - I'll look into this on our end and I think option 2 + pointing folks to the Privy dashboard to create their key is a good approach for now.

[colfax23]

nit: consider renaming this to authorizationPrivateKey so it is clear this is the private key, not the public key or ID, also to be parallel with the Privy config

[azf20]

good call, done

[colfax23]

I think it is worth specifying that this is the authorization private key

[azf20]

+1

[colfax23]

consider replacing "Privy wallets are embedded wallets" with "Privy's server wallets enable you to securely provision and manage cross-chain wallets via a flexible API"

[azf20]

+1

[cb-heimdall]

Review Error for colfax23 @ 2025-02-14 04:56:41 UTC
User must have write permissions to review

[azf20]

Thanks so much for taking a look @colfax23! I fixed and tested new wallet creation, see the approach taken here: #242 (comment). I encountered some issues which might be on the Privy side, so I went ahead with an approach that worked to create new server wallets in Privy:

Also updated to take any chainId (assuming it's supported by viem), as well as some docs / naming clarifications.

Appreciate the help!

[azf20]

An update: @colfax23 shared a URL which will work for wallet creation, and I go that working locally, with the slight downside that it creates a new signing key (with the same public key) on every run. Would be good to clarify expected behaviour on ⨯ Error: Missingprivy-authorization-signature header., and whether we prefer the "specify the keyId" or "dynamically create the key" approach here. Thanks!

[colfax23]

Looks great! Left a few minor comments, but once addressed this looks good to go from my perspective.

[colfax23]

nit: update to chainId: 84532

[azf20]

good catch!

[colfax23]

There is an edge case here where the authorizationPrivateKey is provided but not authorizationKeyId which will get things into a funky state. Can you do a check to enforce that either both or neither are provided before initializing the PrivyClient?

[azf20]

I think it's ok to initialise with just an authorizationPrivateKey if you're using an existing wallet, not creating a key?

[colfax23]

Ah, you're right - if the user has an existing wallet that has a key attached to it, you need to specify authorizationPrivateKey and technically don't need to specify the ID. My bad! Fine to leave as is, good catch.

[colfax23]

Can you link the key creation docs and / or point folks to the Privy dashboard to create their key + register it with Privy to get their ID?

[azf20]

updating README

[colfax23]

Good catch - I'll look into this on our end and I think option 2 + pointing folks to the Privy dashboard to create their key is a good approach for now.

[cb-heimdall]

Review Error for colfax23 @ 2025-02-14 13:26:16 UTC
User must have write permissions to review

[azf20]

Thanks, sounds good - updated READMEs accordingly

[John-peterson-coinbase]

LGTM pending a few instances of networkID -> chainID remaining, a few documentation updates, and a small change to the example.

We can land this in today's EOW release if these are resolved.

@azf20

[John-peterson-coinbase]

please update to chainId as previously discussed

[azf20]

👍

[John-peterson-coinbase]

This function should be exported from https://github.com/coinbase/agentkit/blob/main/typescript/agentkit/src/network/network.ts

[azf20]

👍

[John-peterson-coinbase]

please update to chainId as previously discussed

Also - should this return value be a named interface to make it more clear?

Let's also add an example of instantiating a PrivyWalletProvider from the exported object.

[azf20]

👍

[John-peterson-coinbase]

Suggested change

	/** Optional network ID to connect to */
	/** Optional chain ID to connect to */

[John-peterson-coinbase]

Suggested change

	chainId?: number;
	chainId?: string;

Update type to conform with Network interface typing.

[John-peterson-coinbase]

Suggested change

	networkId?: string;
	} {
	return {
	walletId: this.#walletId,
	authorizationPrivateKey: this.#authorizationPrivateKey,
	networkId: this.getNetwork().networkId,
	chainId: string;
	} {
	return {
	walletId: this.#walletId,
	authorizationPrivateKey: this.#authorizationPrivateKey,
	chainId: this.getNetwork().chainId,

Update to use chain ID as previously discussed.

This should return a named interface object for clarity.

[azf20]

👍

[John-peterson-coinbase]

nit: use chain ID

[azf20]

👍

[John-peterson-coinbase]

nit: use chain ID

[azf20]

👍

[John-peterson-coinbase]

If WALLET_DATA_FILE already exists, the example should read the exported wallet data from the file and instantiate the existing wallet.

[azf20]

updated to do this

[John-peterson-coinbase]

Please hyperlink to Privy documentation on Authorization Keys given this may be a new concept to AgentKit developers.

[azf20]

Shuffled it around to put the link to the docs before this 👍

[azf20]

thanks so much for the thorough feedback, good catches! pushed changes

[0xRAG]

It's my understanding that an authorization key is optional when creating a Privy server wallet, so can we relax the requirement here?

[azf20]

That was also my understanding, though when I tested the header was required - @colfax23 can you confirm if that's only in the case where an account has set up Authorization keys (which mine had)? If so we can update to helpfully handle the resulting error, rather than blocking here

[colfax23]

Authorization keys are not required for wallet creation unless you've created one in the dashboard and have given in the permissions Can create and modify wallets. If you've done that, we require it for all wallet creation requests.

Two pieces of feedback we're taking from this & working on:

• This UX of requiring it in all cases if a key is created is not intuitive, we're working on some updates here
• The error message when you try to create a wallet without specifying the key, when it is required, is not very clear (it is Missing privy-authorization-signature header.)

For the next steps, I think we can relax this constraint, and @azf20 if you can handle the error gracefully if a key is required but not present that'd be great!

Also, @azf20 when you mention in the README about creating authorization keys in the Privy dashboard, can you add a note to uncheck Can create and modify wallets to help prevent people from getting into this state by mistake like you did? That way they can create a key that is intended for wallet transaction signing purposes only.

[0xRAG]

Got it, thanks for the clarification @colfax23!

[azf20]

thanks both! I added a more helpful error message for that specific case + updated the README

[0xRAG]

@azf20 config.authorizationKeyId could be null here, we need to optionally pass it:

authorizationKeyIds: config.authorizationKeyId ? [config.authorizationKeyId] : undefined,

[0xRAG]

I ran into the opposite error scenario which I think we should handle: I was passing in an authorizationKeyId but no authorizationPrivateKey. Let's add an error case for this as well

      if (config.authorizationKeyId && !config.authorizationPrivateKey) {
        throw new Error(
          "authorizationPrivateKey is required when creating a new wallet with an authorization key. " +
            "If you don't have it, you can create a new one in your Privy Dashboard, or delete the authorization key.",
        );
      }