Conversation

@joaquim-verges
Member

@joaquim-verges joaquim-verges commented Sep 9, 2025


PR-Codex overview

This PR introduces support for signing authorizations in the 1193 provider of the thirdweb library by adding a new method.

Detailed summary

  • Added a new method signAuthorization in the packages/thirdweb/src/wallets/injected/index.ts file.
  • The signAuthorization method takes an AuthorizationRequest as a parameter.
  • It constructs a payload using ox__Authorization.getSignPayload and requests signing via the eth_sign method.

Summary by CodeRabbit

  • New Features

    • Added support for signing authorization requests in injected wallets and EIP-1193 providers, enabling smoother authorization flows alongside existing message and typed data signing.
  • Chores

    • Prepared a patch release entry documenting the new authorization signing support.

@vercel

vercel bot commented Sep 9, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
docs-v2 Ready Ready Preview Comment Sep 9, 2025 11:14pm
nebula Ready Ready Preview Comment Sep 9, 2025 11:14pm
thirdweb_playground Ready Ready Preview Comment Sep 9, 2025 11:14pm
thirdweb-www Ready Ready Preview Comment Sep 9, 2025 11:14pm
wallet-ui Ready Ready Preview Comment Sep 9, 2025 11:14pm

@changeset-bot

changeset-bot bot commented Sep 9, 2025

🦋 Changeset detected

Latest commit: 4b6a41f

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
thirdweb Patch
@thirdweb-dev/nebula Patch
@thirdweb-dev/wagmi-adapter Patch


@coderabbitai
Contributor

coderabbitai bot commented Sep 9, 2025

Walkthrough

Adds a changeset for a patch release noting signAuthorization support. Implements Authorization signing in the injected wallet by importing Authorization utilities, defining AuthorizationRequest, and adding an Account.signAuthorization method that prepares a payload and signs via eth_sign using the EIP-1193 provider.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Release notes / Changeset: .changeset/* | Added a changeset marking a patch release for the thirdweb package describing addition of signAuthorization support to the 1193 provider. |
| Injected wallet Authorization signing: packages/thirdweb/src/wallets/injected/index.ts | Imported ox/Authorization and AuthorizationRequest. Extended Account with signAuthorization(authorization) that builds a sign payload via Authorization.getSignPayload and signs with provider.request using eth_sign and the account address. |

Sequence Diagram(s)

sequenceDiagram
  participant D as Dapp
  participant W as InjectedWallet (Account)
  participant P as EIP-1193 Provider
  participant U as User

  D->>W: signAuthorization(authorization)
  activate W
  W->>W: build sign payload via Authorization.getSignPayload
  W->>P: request({ method: "eth_sign", params: [address, payload] })
  activate P
  P->>U: Prompt to sign
  U-->>P: Approve / Reject
  P-->>W: signature or error
  deactivate P
  W-->>D: signature or error
  deactivate W

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks (1 passed, 2 warnings)

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description Check | ⚠️ Warning | The current description only includes the auto‐generated PR-Codex overview and does not fill in any of the required template sections—namely the issue tag or branch name, “Notes for the reviewer,” or “How to test” headers—so it does not conform to the repository’s PR description template. | Please populate the commented template sections by adding the issue or branch tag, providing detailed “Notes for the reviewer,” and describing “How to test” the new signAuthorization method (e.g., unit tests or playground steps). |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (1 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title Check | ✅ Passed | The title “[SDK] Add signAuthorization support to 1193 provider” is a concise, one‐sentence summary that clearly highlights the primary change—adding signAuthorization support to the 1193 provider—and follows the repository’s convention by including the SDK prefix. |

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • TEAM-0000: Entity not found: Issue - Could not find referenced Issue.

@github-actions github-actions bot added packages SDK Involves changes to the thirdweb SDK labels Sep 9, 2025
@joaquim-verges joaquim-verges changed the title Add signAuthorization support to 1193 provider [SDK] Add signAuthorization support to 1193 provider Sep 9, 2025
@joaquim-verges joaquim-verges marked this pull request as ready for review September 9, 2025 22:54
@joaquim-verges joaquim-verges requested review from a team as code owners September 9, 2025 22:54
@github-actions
Contributor

github-actions bot commented Sep 9, 2025

size-limit report 📦

| Path | Size | Loading time (3g) | Running time (snapdragon) | Total time |
| --- | --- | --- | --- | --- |
| thirdweb (esm) | 63.96 KB (0%) | 1.3 s (0%) | 422 ms (+142.26% 🔺) | 1.8 s |
| thirdweb (cjs) | 356.86 KB (0%) | 7.2 s (0%) | 1.3 s (+4.34% 🔺) | 8.4 s |
| thirdweb (minimal + tree-shaking) | 5.73 KB (0%) | 115 ms (0%) | 177 ms (+2074.72% 🔺) | 292 ms |
| thirdweb/chains (tree-shaking) | 526 B (0%) | 11 ms (0%) | 142 ms (+4840.01% 🔺) | 152 ms |
| thirdweb/react (minimal + tree-shaking) | 19.15 KB (0%) | 383 ms (0%) | 141 ms (+677.08% 🔺) | 523 ms |

@codecov

codecov bot commented Sep 9, 2025

Codecov Report

❌ Patch coverage is 25.00000% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 56.62%. Comparing base (2f6f3a0) to head (4b6a41f).
⚠️ Report is 2 commits behind head on main.

Files with missing lines Patch % Lines
packages/thirdweb/src/wallets/injected/index.ts 25.00% 6 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8029      +/-   ##
==========================================
- Coverage   56.62%   56.62%   -0.01%     
==========================================
  Files         904      904              
  Lines       58677    58685       +8     
  Branches     4161     4162       +1     
==========================================
+ Hits        33225    33229       +4     
- Misses      25346    25351       +5     
+ Partials      106      105       -1     
Flag Coverage Δ
packages 56.62% <25.00%> (-0.01%) ⬇️
Files with missing lines Coverage Δ
packages/thirdweb/src/wallets/injected/index.ts 30.76% <25.00%> (-0.13%) ⬇️

... and 4 files with indirect coverage changes


Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (6)
.changeset/eighty-taxis-own.md (1)

5-6: Clarify the changeset entry.

Call out the new Account.signAuthorization method and that it signs an EIP‑7702 Authorization via eth_sign. Helps consumers understand impact.

packages/thirdweb/src/wallets/injected/index.ts (5)

270-276: Add return type, guard, and cast for the new method.

Make the method consistent with others (signMessage), and type its return. Also cast the RPC result to Hex.

-    async signAuthorization(authorization: AuthorizationRequest) {
-      const payload = ox__Authorization.getSignPayload(authorization);
-      return await provider.request({
-        method: "eth_sign",
-        params: [getAddress(account.address), payload],
-      });
-    },
+    async signAuthorization(authorization: AuthorizationRequest): Promise<Hex> {
+      if (!provider || !account.address) {
+        throw new Error("Provider not setup");
+      }
+      const payload = ox__Authorization.getSignPayload(authorization);
+      const signature = (await provider.request({
+        method: "eth_sign",
+        params: [getAddress(account.address), payload],
+      })) as Hex;
+      return signature;
+    },
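
Review bot: the `as Hex` cast on the `provider.request` result in the added lines is a compile-time assertion only, so whatever the injected provider returns reaches the caller unchecked; validate at runtime that the value is a hex string of signature length before returning it. The new guard also throws "Provider not setup" when it is `account.address` that is missing, so the message should name the condition that actually failed.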

1-1: Lazy‑load ox/Authorization to keep the injected entry lean.

ox/Authorization may be sizable; import it on demand inside the method.

-import * as ox__Authorization from "ox/Authorization";
+// lazy-load inside signAuthorization to reduce initial bundle
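
Review bot: replacing the top-level import with a comment leaves every `ox__Authorization.` reference in the file unresolved unless the method change that follows is applied in the same commit. Land the two edits together and confirm nothing else in the file uses the namespace before removing the import.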

And update the method:

-      const payload = ox__Authorization.getSignPayload(authorization);
+      const { getSignPayload } = await import("ox/Authorization");
+      const payload = getSignPayload(authorization);

Also applies to: 270-276


270-276: Validate signer consistency with the authorization payload.

Avoid signing authorizations for a different address by mistake.

     async signAuthorization(authorization: AuthorizationRequest): Promise<Hex> {
+      // Optional: enforce signer consistency if the request carries an address
+      const signer = getAddress(account.address);
+      // @ts-expect-error - runtime check based on optional shape
+      if (authorization.address && getAddress(authorization.address) !== signer) {
+        throw new Error("Authorization signer does not match connected account");
+      }
+      // @ts-expect-error - alt field name some callers may use
+      // if (authorization.from && getAddress(authorization.from) !== signer) {
+      //   throw new Error("Authorization 'from' does not match connected account");
+      // }-      const signature = (await provider.request({
+      const signature = (await provider.request({
         method: "eth_sign",
-        params: [getAddress(account.address), payload],
+        params: [signer, payload],
       })) as Hex;
       return signature;
     },
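
Review bot: the signer check reads `authorization.address` under `@ts-expect-error`, so the compiler cannot confirm that the field exists or that it names the signer; the address in an EIP-7702 authorization tuple is the delegation target, not the signer, in which case this comparison would reject valid requests. Check what `address` means in `AuthorizationRequest` before adding the check, and read the field through its declared type instead of suppressing the error. The second `@ts-expect-error` sits above commented-out code only and should go with it, because a directive with no failing statement under it is itself reported as an error.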

18-18: Type import looks correct. Document the new API surface.

If signAuthorization is added to the public Account type, add TSDoc (with @beta/@experimental and an @example) where the type is declared.


270-276: Wrap eth_sign in a try/catch and fallback to personal_sign

eth_sign correctly uses [address, data], but MetaMask disables it by default and Rabby’s support is inconsistent. Catch any rejection from the eth_sign call and retry with personal_sign (which expects [data, address]) to ensure broad compatibility.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 85d6074 and 4b6a41f.

📒 Files selected for processing (2)
  • .changeset/eighty-taxis-own.md (1 hunks)
  • packages/thirdweb/src/wallets/injected/index.ts (3 hunks)
🧰 Additional context used
📓 Path-based instructions (5)
.changeset/*.md

📄 CodeRabbit inference engine (AGENTS.md)

.changeset/*.md: Each change in packages/* must include a changeset for the appropriate package
Version bump rules: patch for non‑API changes; minor for new/modified public API

Files:

  • .changeset/eighty-taxis-own.md
**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.{ts,tsx}: Write idiomatic TypeScript with explicit function declarations and return types
Limit each file to one stateless, single-responsibility function for clarity
Re-use shared types from @/types or local types.ts barrels
Prefer type aliases over interface except for nominal shapes
Avoid any and unknown unless unavoidable; narrow generics when possible
Choose composition over inheritance; leverage utility types (Partial, Pick, etc.)
Comment only ambiguous logic; avoid restating TypeScript in prose

**/*.{ts,tsx}: Use explicit function declarations and explicit return types in TypeScript
Limit each file to one stateless, single‑responsibility function
Re‑use shared types from @/types where applicable
Prefer type aliases over interface except for nominal shapes
Avoid any and unknown unless unavoidable; narrow generics when possible
Prefer composition over inheritance; use utility types (Partial, Pick, etc.)
Lazy‑import optional features and avoid top‑level side‑effects to reduce bundle size

Files:

  • packages/thirdweb/src/wallets/injected/index.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Load heavy dependencies inside async paths to keep initial bundle lean (lazy loading)

Files:

  • packages/thirdweb/src/wallets/injected/index.ts
packages/thirdweb/src/wallets/**

📄 CodeRabbit inference engine (CLAUDE.md)

packages/thirdweb/src/wallets/**: Unified Wallet and Account interfaces in wallet architecture
Support for in-app wallets (social/email login)
Smart wallets with account abstraction
EIP-1193, EIP-5792, EIP-7702 standard support in wallet modules

Files:

  • packages/thirdweb/src/wallets/injected/index.ts
packages/thirdweb/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

packages/thirdweb/**/*.{ts,tsx}: Every public symbol must have comprehensive TSDoc with at least one compiling @example and a custom tag (@beta, @internal, @experimental, etc.)
Comment only ambiguous logic; avoid restating TypeScript in prose
Lazy‑load heavy dependencies inside async paths (e.g., const { jsPDF } = await import("jspdf"))

Files:

  • packages/thirdweb/src/wallets/injected/index.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: E2E Tests (pnpm, esbuild)
  • GitHub Check: Size
  • GitHub Check: Unit Tests
  • GitHub Check: E2E Tests (pnpm, webpack)
  • GitHub Check: Build Packages
  • GitHub Check: E2E Tests (pnpm, vite)
  • GitHub Check: Lint Packages
  • GitHub Check: Analyze (javascript)
🔇 Additional comments (1)
packages/thirdweb/src/wallets/injected/index.ts (1)

270-276: Suggestion no longer applies – Account already defines signAuthorization (optional).

Likely an incorrect or invalid review comment.
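
The runtime checks that the review's comments on the `as Hex` cast and the `eth_sign` parameter order point at, as an added example that is not part of this PR or of thirdweb's code. All names (`buildEthSignRequest`, `parseSignature`, `signPayload`, the mock provider and the sample values) are hypothetical, and the low-s check applies the EIP-2 bound as an assumption about what the consumer of the signature accepts.

```typescript
// Added example; hypothetical helper names, constructed sample data.
type Hex = `0x${string}`;
type Provider = { request(args: { method: string; params: unknown[] }): Promise<unknown> };

// secp256k1 curve order divided by two, as 64 lowercase hex digits (EIP-2 low-s bound).
const HALF_N = "7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0";

function isHex(value: unknown, bytes: number): value is Hex {
  const pattern = new RegExp("^0x[0-9a-fA-F]{" + bytes * 2 + "}$");
  return typeof value === "string" && pattern.test(value);
}

// eth_sign takes [address, data]; personal_sign takes the reverse order.
function buildEthSignRequest(address: unknown, payload: unknown) {
  if (!isHex(address, 20)) throw new Error("address must be 20 bytes of hex");
  if (!isHex(payload, 32)) throw new Error("payload must be a 32-byte hash");
  return { method: "eth_sign", params: [address, payload] };
}

// Runtime validation of the wallet's answer, in place of a bare `as Hex` cast.
function parseSignature(result: unknown) {
  if (!isHex(result, 65)) throw new Error("provider did not return a 65-byte signature");
  const r = result.slice(2, 66).toLowerCase();
  const s = result.slice(66, 130).toLowerCase();
  const v = parseInt(result.slice(130, 132), 16);
  const yParity = v >= 27 ? v - 27 : v; // wallets return either 27/28 or 0/1
  if (yParity !== 0 && yParity !== 1) throw new Error("unexpected recovery id");
  // Equal-length lowercase hex strings compare in numeric order.
  if (s > HALF_N) throw new Error("high-s signature");
  return { r: "0x" + r, s: "0x" + s, yParity };
}

async function signPayload(provider: Provider, address: unknown, payload: unknown) {
  const result = await provider.request(buildEthSignRequest(address, payload));
  return parseSignature(result);
}

// Constructed values: a placeholder address, hash and signature, not real key material.
const SAMPLE_ADDRESS = "0x" + "ab".repeat(20);
const SAMPLE_PAYLOAD = "0x" + "cd".repeat(32);
const mockProvider: Provider = {
  request: async () => "0x" + "11".repeat(32) + "22".repeat(32) + "1c",
};

signPayload(mockProvider, SAMPLE_ADDRESS, SAMPLE_PAYLOAD).then((sig) => console.log(sig));
```
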

@@ -0,0 +1,5 @@
---
"thirdweb": patch
Contributor

🛠️ Refactor suggestion

Version bump likely needs to be minor (public API surface).

If Account now exposes signAuthorization, this is a public API addition and should be a minor bump per guidelines. Use patch only if the method isn’t part of any exported/public type.

Apply this diff if it is public:

-"thirdweb": patch
+"thirdweb": minor
🤖 Prompt for AI Agents
In .changeset/eighty-taxis-own.md around line 2, the changeset currently lists
"thirdweb": patch but the new Account API exposes signAuthorization which is a
public API addition; change the bump from patch to minor and update any
accompanying description/title in the changeset to reflect a minor release. If
signAuthorization is not exported/public, keep patch; otherwise edit the file to
use "thirdweb": minor and save.
