@joaquim-verges joaquim-verges commented Sep 12, 2025


PR-Codex overview

This PR focuses on fixing the signAuthorization implementation for the 1193 provider in the thirdweb wallet, enhancing error handling and support for different signing methods.

Detailed summary

  • Modified sendTransaction to include authorizationList in the transaction parameters.
  • Enhanced signAuthorization to:
    • Attempt signing with eth_sign first.
    • Fall back to secp256k1_sign if the first method fails.
    • Throw an error if signing fails.
    • Parse the signature using ox__Signature.fromHex.


Summary by CodeRabbit

  • New Features

    • Added runtime support for authorization lists in transactions for broader provider compatibility.
  • Bug Fixes

    • Fixed unreliable authorization signing with EIP-1193 providers by adding a robust fallback signing flow.
  • Improvements

    • Streamlined gas-fee handling when a gas price is provided for more predictable transactions.
    • Ensured consistent address normalization and merged authorization payloads reliably.
  • Chores

    • Added a patch-level changeset entry for the thirdweb package.


changeset-bot bot commented Sep 12, 2025

🦋 Changeset detected

Latest commit: 8c6378c

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
thirdweb Patch
@thirdweb-dev/nebula Patch
@thirdweb-dev/wagmi-adapter Patch

coderabbitai bot commented Sep 12, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Caution

Review failed

The pull request is closed.

Walkthrough

Adds a changeset and updates the injected wallet implementation to include authorizationList in eth_sendTransaction, revise signAuthorization to try eth_sign then fall back to secp256k1_sign with signature parsing/merging, and simplify gas-fee handling. No exported/public API signature changes.

Changes

Cohort / File(s) and Summary

  • Release notes / changeset (.changeset/shaggy-fans-live.md): Adds a patch-level changeset for the thirdweb package noting a fix to signAuthorization for 1193 providers; no public API changes.
  • Injected wallet: signing and tx assembly (packages/thirdweb/src/wallets/injected/index.ts):
    • Include authorizationList in eth_sendTransaction via ox__Authorization.toRpcList when present.
    • New signAuthorization flow: attempt eth_sign; on failure fall back to secp256k1_sign; parse signature with ox__Signature.fromHex and merge into returned authorization object; throw if no signature.
    • Adjusted imports (type EIP1193Provider, added ox/Signature).
    • Simplified gas fee encoding: use gasPrice hex when present, otherwise preserve maxFeePerGas/maxPriorityFeePerGas as hex.
    • Address normalization and payload merging consistency tweaks.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor D as Dapp
  participant IW as InjectedWallet
  participant P as EIP-1193 Provider

  rect rgba(200,230,255,0.25)
  Note over D,IW: signAuthorization flow (new)
  D->>IW: signAuthorization(authorization)
  IW->>P: eth_sign(address, payload)
  alt eth_sign succeeds
    P-->>IW: signature (hex)
  else eth_sign fails
    IW->>P: secp256k1_sign(payload)
    P-->>IW: signature (hex)
  end
  IW->>IW: parse signature via ox__Signature.fromHex
  IW-->>D: authorization + signature
  end
sequenceDiagram
  autonumber
  actor D as Dapp
  participant IW as InjectedWallet
  participant P as EIP-1193 Provider

  rect rgba(220,255,220,0.25)
  Note over D,P: eth_sendTransaction with optional authorizationList
  D->>IW: sendTransaction(tx)
  IW->>IW: build tx<br/>- gasPrice or EIP-1559 fields<br/>- authorizationList (if provided)
  IW->>P: eth_sendTransaction(txWithAuthList)
  P-->>IW: txHash
  IW-->>D: txHash
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

📥 Commits

Reviewing files that changed from the base of the PR and between 5af0e1e and 8c6378c.

📒 Files selected for processing (2)
  • .changeset/shaggy-fans-live.md (1 hunks)
  • packages/thirdweb/src/wallets/injected/index.ts (4 hunks)
@github-actions github-actions bot added packages SDK Involves changes to the thirdweb SDK labels Sep 12, 2025
@joaquim-verges joaquim-verges changed the title Fix signAuthorization for 1193 providers [SDK] Fix signAuthorization for 1193 providers Sep 12, 2025
@joaquim-verges joaquim-verges marked this pull request as ready for review September 12, 2025 11:24
@joaquim-verges joaquim-verges requested review from a team as code owners September 12, 2025 11:24
github-actions bot commented Sep 12, 2025

size-limit report 📦

Path Size Loading time (3g) Running time (snapdragon) Total time
thirdweb (esm) 63.96 KB (0%) 1.3 s (0%) 283 ms (+206.16% 🔺) 1.6 s
thirdweb (cjs) 356.86 KB (0%) 7.2 s (0%) 852 ms (+14.08% 🔺) 8 s
thirdweb (minimal + tree-shaking) 5.73 KB (0%) 115 ms (0%) 123 ms (+3699.07% 🔺) 237 ms
thirdweb/chains (tree-shaking) 526 B (0%) 11 ms (0%) 78 ms (+2886.54% 🔺) 88 ms
thirdweb/react (minimal + tree-shaking) 19.15 KB (0%) 383 ms (0%) 88 ms (+1888.69% 🔺) 471 ms

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (4)
.changeset/shaggy-fans-live.md (1)

2-5: Changeset is scoped and leveled correctly (patch).

Looks good. Consider expanding the note to explicitly mention the new eth_sendTransaction authorizationList support and the eth_sign → secp256k1_sign fallback behavior for traceability in release notes.

packages/thirdweb/src/wallets/injected/index.ts (3)

2-3: Imports: type-only for EIP1193 is good; consider lazy-loading ox modules.

ox/Signature and ox/Authorization are only needed in signAuthorization/sendTransaction. To keep initial bundle lean, prefer dynamic imports inside those methods.

Example (outside selected lines):

// in signAuthorization
const ox__Signature = await import("ox/Signature");

// in sendTransaction (only when tx.authorizationList is provided)
const ox__Authorization = await import("ox/Authorization");

203-214: authorizationList transformation is correct; small ergonomics tweak optional.

toRpcList on tx.authorizationList before spreading gas/other fields is correct for EIP-7702 RPC shape. Optional: only include the key when there’s at least one authorization to avoid serializing undefined.

- authorizationList: tx.authorizationList ?  ox__Authorization.toRpcList(tx.authorizationList) : undefined,
+ ...(tx.authorizationList && tx.authorizationList.length > 0
+  ? { authorizationList: ox__Authorization.toRpcList(tx.authorizationList) }
+  : {})
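
Review bot: the replacement ends at ": {})" with no trailing comma, while the removed authorizationList line ended with one; since the comment says gas and other fields are spread after it, the suggestion will not parse as written unless the comma is kept after the spread. The length > 0 guard also changes behaviour for an explicitly empty list: the removed line would pass it through toRpcList, the new one silently drops the key, which should be stated if it is intended.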

272-293: Sign flow improvement is solid; add a second secp256k1_sign param shape and better error surface.

Some 1193 providers expect params as [address, payload] for secp256k1_sign. Add a guarded second attempt and preserve causes when all attempts fail. Also consider a short timeout to avoid hanging UIs.

     async signAuthorization(authorization: AuthorizationRequest) {
       const payload = ox__Authorization.getSignPayload(authorization);
-      let signature: Hex | undefined;
-      try {
-        signature = await provider.request({
-          method: "eth_sign",
-          params: [getAddress(account.address), payload],
-        });
-      } catch {
-        // fallback to secp256k1_sign, some providers don't support eth_sign
-        signature = await provider.request({
-          // @ts-expect-error - overriding types here
-          method: "secp256k1_sign",
-          params: [payload],
-        });
-      }
-      if (!signature) {
-        throw new Error("Failed to sign authorization");
-      }
+      let signature: Hex | undefined;
+      let err1: unknown;
+      try {
+        signature = await provider.request({
+          method: "eth_sign",
+          params: [getAddress(account.address), payload],
+        });
+      } catch (e) {
+        err1 = e;
+      }
+      if (!signature) {
+        try {
+          signature = await provider.request({
+            // @ts-expect-error - provider-specific
+            method: "secp256k1_sign",
+            params: [payload],
+          });
+        } catch (e2) {
+          try {
+            signature = await provider.request({
+              // @ts-expect-error - provider-specific
+              method: "secp256k1_sign",
+              params: [getAddress(account.address), payload],
+            });
+          } catch (e3) {
+            throw new Error(
+              `Failed to sign authorization via eth_sign or secp256k1_sign`,
+            );
+          }
+        }
+      }
       const parsedSignature = ox__Signature.fromHex(signature as Hex);
       return { ...authorization, ...parsedSignature };
     },
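
Review bot: nothing checks that signature is defined after the nested fallbacks; the removed "if (!signature) throw" guard has no replacement on the path where a secp256k1_sign request resolves without a value, so ox__Signature.fromHex(signature as Hex) can receive undefined behind the cast. Re-add the guard before parsing. err1, e2 and e3 are captured but never used, so the final Error drops the causes the comment says to preserve; attach them to the thrown error. The bare catches also retry on every failure, including a user rejection (EIP-1193 code 4001), which can prompt the user up to three times; fall back only when the error indicates the method is unsupported.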

Optional safety: recover and verify signer address matches account.address before returning to catch provider quirks.

Would you like me to add a quick check using viem’s recover to assert the signature corresponds to account.address?

📥 Commits

Reviewing files that changed from the base of the PR and between 3ad9f7d and 5af0e1e.

📒 Files selected for processing (2)
  • .changeset/shaggy-fans-live.md (1 hunks)
  • packages/thirdweb/src/wallets/injected/index.ts (4 hunks)
🧰 Additional context used
📓 Path-based instructions (5)
.changeset/*.md

📄 CodeRabbit inference engine (AGENTS.md)

.changeset/*.md: Each change in packages/* must include a changeset for the appropriate package
Version bump rules: patch for non‑API changes; minor for new/modified public API

Files:

  • .changeset/shaggy-fans-live.md
**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.{ts,tsx}: Write idiomatic TypeScript with explicit function declarations and return types
Limit each file to one stateless, single-responsibility function for clarity
Re-use shared types from @/types or local types.ts barrels
Prefer type aliases over interface except for nominal shapes
Avoid any and unknown unless unavoidable; narrow generics when possible
Choose composition over inheritance; leverage utility types (Partial, Pick, etc.)
Comment only ambiguous logic; avoid restating TypeScript in prose

**/*.{ts,tsx}: Use explicit function declarations and explicit return types in TypeScript
Limit each file to one stateless, single‑responsibility function
Re‑use shared types from @/types where applicable
Prefer type aliases over interface except for nominal shapes
Avoid any and unknown unless unavoidable; narrow generics when possible
Prefer composition over inheritance; use utility types (Partial, Pick, etc.)
Lazy‑import optional features and avoid top‑level side‑effects to reduce bundle size

Files:

  • packages/thirdweb/src/wallets/injected/index.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Load heavy dependencies inside async paths to keep initial bundle lean (lazy loading)

Files:

  • packages/thirdweb/src/wallets/injected/index.ts
packages/thirdweb/src/wallets/**

📄 CodeRabbit inference engine (CLAUDE.md)

packages/thirdweb/src/wallets/**: Unified Wallet and Account interfaces in wallet architecture
Support for in-app wallets (social/email login)
Smart wallets with account abstraction
EIP-1193, EIP-5792, EIP-7702 standard support in wallet modules

Files:

  • packages/thirdweb/src/wallets/injected/index.ts
packages/thirdweb/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

packages/thirdweb/**/*.{ts,tsx}: Every public symbol must have comprehensive TSDoc with at least one compiling @example and a custom tag (@beta, @internal, @experimental, etc.)
Comment only ambiguous logic; avoid restating TypeScript in prose
Lazy‑load heavy dependencies inside async paths (e.g., const { jsPDF } = await import("jspdf"))

Files:

  • packages/thirdweb/src/wallets/injected/index.ts
🧠 Learnings (1)
📚 Learning: 2025-07-18T19:19:55.613Z
Learnt from: CR
PR: thirdweb-dev/js#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T19:19:55.613Z
Learning: Applies to packages/thirdweb/src/wallets/** : EIP-1193, EIP-5792, EIP-7702 standard support in wallet modules

Applied to files:

  • packages/thirdweb/src/wallets/injected/index.ts
🧬 Code graph analysis (1)
packages/thirdweb/src/wallets/injected/index.ts (1)
packages/thirdweb/src/exports/utils.ts (2)
  • numberToHex (82-82)
  • getAddress (147-147)
🔇 Additional comments (1)
packages/thirdweb/src/wallets/injected/index.ts (1)

190-194: Gas fee handling LGTM.

Using gasPrice branch with numberToHex is correct and cleanly overrides EIP-1559 fields via spread order.
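
The eth_sign to secp256k1_sign fallback reviewed above, as an added example that is not code from this pull request or from thirdweb: it moves to the next method only when the provider reports the method as unsupported, and checks the shape of the result before it would be parsed. The names signWithFallback, classify, isSignatureHex and mockProvider are hypothetical, the mock provider and SAMPLE_SIG are constructed, and the 65-byte signature length is an assumption.

```typescript
// Added example, not thirdweb code; every name below is hypothetical.
type Hex = `0x${string}`;
type RpcCall = { method: string; params: unknown[] };
interface Eip1193Like { request(call: RpcCall): Promise<unknown>; }

// EIP-1193: 4001 user rejected, 4200 unsupported method; JSON-RPC: -32601 method not found.
function classify(err: unknown): "rejected" | "unsupported" | "other" {
  const code = (err as { code?: unknown } | null | undefined)?.code;
  if (code === 4001) return "rejected";
  if (code === 4200 || code === -32601) return "unsupported";
  return "other";
}

// Assumption: a 65-byte r || s || v signature, i.e. 0x plus 130 hex digits.
function isSignatureHex(value: unknown): value is Hex {
  return typeof value === "string" && /^0x[0-9a-fA-F]{130}$/.test(value);
}

async function signWithFallback(provider: Eip1193Like, address: string, payload: Hex): Promise<Hex> {
  const attempts: RpcCall[] = [
    { method: "eth_sign", params: [address, payload] },
    { method: "secp256k1_sign", params: [payload] },
  ];
  for (const attempt of attempts) {
    try {
      const result = await provider.request(attempt);
      // Never hand undefined or a truncated value to the signature parser.
      if (isSignatureHex(result)) return result;
      throw new Error(`${attempt.method} returned a malformed signature`);
    } catch (err) {
      // Only "method unsupported" justifies the next attempt; a user
      // rejection or any other failure is rethrown with its code intact.
      if (classify(err) !== "unsupported") throw err;
    }
  }
  throw new Error("Provider supports neither eth_sign nor secp256k1_sign");
}

// Constructed mock: eth_sign fails with the given code, other methods return SAMPLE_SIG.
const SAMPLE_SIG = ("0x" + "11".repeat(65)) as Hex;
function mockProvider(ethSignCode: number, calls: string[]): Eip1193Like {
  return {
    async request(call) {
      calls.push(call.method);
      if (call.method !== "eth_sign") return SAMPLE_SIG;
      throw Object.assign(new Error("mock failure"), { code: ethSignCode });
    },
  };
}
```

With mockProvider(4200, calls) the second method is tried and its signature returned; with mockProvider(4001, calls) the rejection propagates after a single request.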
