API Reference

This section lists every exported function from @thirdweb-dev/vault-sdk grouped by broad capability. All functions are fully typed – hover in your editor for exact type information.

1. Client utilities

Function	Description
`createVaultClient({ secretKey })`	Uses your project secret key to establish a connection to your Vault instance and returns a `VaultClient`. Create one client per Vault instance and reuse it.
`ping({ client, request })`	Health-check endpoint mainly used in examples and tests. Returns the current server time.


const client = await createVaultClient({
  secretKey: "PROJECT_SECRET_KEY",
});
await ping({ client, request: { message: "pong?" } });

2. Service Accounts

Function	When to use
`createServiceAccount({ request })`	Bootstrap a brand-new Vault. Returns the admin key and rotation code. Run once during provisioning.
`getServiceAccount({ request })`	Retrieve metadata for the current service account. Requires admin key or a token with `serviceAccount:read` policy.
`rotateServiceAccount({ request })`	Rotate (invalidate) the admin key and all existing access tokens in a single atomic operation. Authenticate with the rotation code.

Example – rotate an account after a key leak:


await rotateServiceAccount({
  client,
  request: {
    auth: { rotationCode: process.env.VAULT_ROTATION_CODE! },
  },
});

3. EOAs (Wallets)

Function	Purpose
`createEoa`	Create a new EOA (wallet) inside the Vault. Optionally attach arbitrary `metadata` for later querying.
`listEoas`	Pagination-aware listing with optional metadata filters.
`signTransaction`	Ask the Vault to sign an EVM transaction (legacy, 2930, 1559, 4844 or 7702).
`signMessage`	Sign a plain string / hex message.
`signTypedData`	Sign EIP-712 typed data with full generic type safety.
`signAuthorization`	Sign an `Authorization` struct used by some L2s / account-abstraction schemes.
`signStructuredMessage`	Sign EIP-4337 user-operations (v0.6 & v0.7).


// sign a 1559 tx
import {
  parseTransaction,
  signTransaction,
} from "@thirdweb-dev/vault-sdk";
 
const tx = parseTransaction({
  to: "0x...",
  value: 0n,
  chainId: 1,
  maxFeePerGas: 30n * 10n ** 9n,
  maxPriorityFeePerGas: 1n * 10n ** 9n,
  gasLimit: 21_000,
});
 
await signTransaction({
  client,
  request: {
    auth: { accessToken: process.env.VAULT_SIG_TOKEN! },
    options: { from: "0xEoaAddress", transaction: tx },
  },
});

Note: parseTransaction is a convenience helper that normalises user-supplied objects – you can also build the canonical tx object yourself.

4. Access Tokens

Function	Purpose
`createAccessToken`	Mint a base token scoped by policies & metadata. Requires admin key.
`createSignedAccessToken`	Pure-client helper that turns a base token into a short-lived, signed JWT (prefixed with `vt_sat_`). No server round-trip required.
`listAccessTokens`	List existing tokens with pagination and optional metadata filters.
`revokeAccessToken`	Immediately invalidate a token (or all derived signed tokens) by `id`.


// Derive a time-boxed signed token for a serverless function
const sat = await createSignedAccessToken({
  vaultClient: client,
  baseAccessToken: process.env.VAULT_BASE_TOKEN!,
  additionalPolicies: [
    { type: "eoa:signMessage", chainId: 1, messagePattern: "^0x.*" },
  ],
  expiryTimestamp: Math.floor(Date.now() / 1000) + 60 * 5, // 5 min
});

5. Utilities

Function	Notes
`parseTransaction`	Normalises user input into a canonical `EthereumTypedTransaction` (supports Legacy, 2930, 1559, 4844, 7702). Throws `ParseTransactionError` on invalid input.
`ParseTransactionError`	Custom error class thrown by the above helper.


try {
  parseTransaction({ gas: 100_000 });
} catch (err) {
  if (err instanceof ParseTransactionError) {
    console.error(err.message);
  }
}

Types

All request & response shapes are exported as TypeScript types so you can easily model higher-level abstractions:


import type {
  CreateEoaPayload,
  SignMessagePayload,
  PolicyComponent,
} from "@thirdweb-dev/vault-sdk";

Refer to the generated .d.ts files for the complete list.