# KeyAuthorization

Tempo key authorization utilities for provisioning and signing access keys.

Access keys allow a root key (e.g., a passkey) to delegate transaction signing to secondary
keys with customizable permissions including expiry timestamps and per-TIP-20 token spending
limits. This enables a user to sign transactions without repeated passkey prompts.

[Access Keys Specification](https://docs.tempo.xyz/protocol/transactions/spec-tempo-transaction#access-keys)

## Examples

```ts twoslash
import {
  KeyAuthorization,
  SignatureEnvelope
} from 'ox/tempo'
import {
  Address,
  Secp256k1,
  WebCryptoP256,
  Value
} from 'ox'

const keyPair = await WebCryptoP256.createKeyPair()
const address = Address.fromPublicKey(keyPair.publicKey)

const authorization = KeyAuthorization.from({
  address,
  chainId: 4217n,
  expiry: 1234567890,
  type: 'p256',
  limits: [
    {
      token: '0x20c0000000000000000000000000000000000001',
      limit: Value.from('10', 6)
    }
  ]
})

const privateKey = '0x...'
const payload =
  KeyAuthorization.getSignPayload(authorization)
const signature = SignatureEnvelope.from(
  Secp256k1.sign({ payload, privateKey })
)

KeyAuthorization.from(authorization, { signature })
```

## Functions

| Name                | Description                         |
| ------------------- | ----------------------------------- |
| [`KeyAuthorization.deserialize`](/tempo/reference/KeyAuthorization/deserialize) | Deserializes an RLP-encoded [`KeyAuthorization.KeyAuthorization`](/tempo/reference/KeyAuthorization/types#keyauthorization). |
| [`KeyAuthorization.from`](/tempo/reference/KeyAuthorization/from) | Converts a Key Authorization object into a typed [`KeyAuthorization.KeyAuthorization`](/tempo/reference/KeyAuthorization/types#keyauthorization). |
| [`KeyAuthorization.fromRpc`](/tempo/reference/KeyAuthorization/fromRpc) | Converts an [`AuthorizationTempo.Rpc`](/tempo/reference/AuthorizationTempo/types#rpc) to an [`AuthorizationTempo.AuthorizationTempo`](/tempo/reference/AuthorizationTempo/types#authorizationtempo). |
| [`KeyAuthorization.fromTuple`](/tempo/reference/KeyAuthorization/fromTuple) | Converts an [`KeyAuthorization.Tuple`](/tempo/reference/KeyAuthorization/types#tuple) to an [`KeyAuthorization.KeyAuthorization`](/tempo/reference/KeyAuthorization/types#keyauthorization). |
| [`KeyAuthorization.getSignPayload`](/tempo/reference/KeyAuthorization/getSignPayload) | Computes the sign payload for an [`KeyAuthorization.KeyAuthorization`](/tempo/reference/KeyAuthorization/types#keyauthorization). |
| [`KeyAuthorization.hash`](/tempo/reference/KeyAuthorization/hash) | Computes the hash for an [`KeyAuthorization.KeyAuthorization`](/tempo/reference/KeyAuthorization/types#keyauthorization). |
| [`KeyAuthorization.serialize`](/tempo/reference/KeyAuthorization/serialize) | Serializes a [`KeyAuthorization.KeyAuthorization`](/tempo/reference/KeyAuthorization/types#keyauthorization) to RLP-encoded hex. |
| [`KeyAuthorization.toRpc`](/tempo/reference/KeyAuthorization/toRpc) | Converts an [`KeyAuthorization.KeyAuthorization`](/tempo/reference/KeyAuthorization/types#keyauthorization) to an [`KeyAuthorization.Rpc`](/tempo/reference/KeyAuthorization/types#rpc). |
| [`KeyAuthorization.toTuple`](/tempo/reference/KeyAuthorization/toTuple) | Converts an [`KeyAuthorization.KeyAuthorization`](/tempo/reference/KeyAuthorization/types#keyauthorization) to an [`KeyAuthorization.Tuple`](/tempo/reference/KeyAuthorization/types#tuple). |

## Errors

| Name                | Description                         |
| ------------------- | ----------------------------------- |
| [`KeyAuthorization.InvalidAdminMarkerError`](/tempo/reference/KeyAuthorization/errors#keyauthorizationinvalidadminmarkererror) | Thrown when a TIP-1049 admin marker has any value other than `0x01`. |
| [`KeyAuthorization.InvalidWitnessSizeError`](/tempo/reference/KeyAuthorization/errors#keyauthorizationinvalidwitnesssizeerror) | Thrown when a `witness` field is not exactly 32 bytes. |

## Types

| Name                | Description                         |
| ------------------- | ----------------------------------- |
| [`KeyAuthorization.Input`](/tempo/reference/KeyAuthorization/types#keyauthorizationinput) | Input type for a Key Authorization. |
| [`KeyAuthorization.KeyAuthorization`](/tempo/reference/KeyAuthorization/types#keyauthorizationkeyauthorization) | Key authorization for provisioning access keys. |
| [`KeyAuthorization.Rpc`](/tempo/reference/KeyAuthorization/types#keyauthorizationrpc) | RPC representation matching the node's wire format. |
| [`KeyAuthorization.RpcCallScope`](/tempo/reference/KeyAuthorization/types#keyauthorizationrpccallscope) | RPC representation of a call scope (matches node's `CallScope` serde). |
| [`KeyAuthorization.RpcSelectorRule`](/tempo/reference/KeyAuthorization/types#keyauthorizationrpcselectorrule) | RPC representation of a selector rule (matches node's `SelectorRule` serde). |
| [`KeyAuthorization.RpcTokenLimit`](/tempo/reference/KeyAuthorization/types#keyauthorizationrpctokenlimit) | RPC representation of a token limit (matches node's `TokenLimit` serde). |
| [`KeyAuthorization.Scope`](/tempo/reference/KeyAuthorization/types#keyauthorizationscope) | Call scope entry restricting which contract, selector, and recipients an access key can use. |
| [`KeyAuthorization.Signed`](/tempo/reference/KeyAuthorization/types#keyauthorizationsigned) | Signed representation of a Key Authorization. |
| [`KeyAuthorization.TokenLimit`](/tempo/reference/KeyAuthorization/types#keyauthorizationtokenlimit) | Token spending limit for access keys. |
| [`KeyAuthorization.Tuple`](/tempo/reference/KeyAuthorization/types#keyauthorizationtuple) | Tuple representation of a Key Authorization. |
