For zkLogin

chat-app/.env.example

@@ -1,7 +1,7 @@
 # Sui Network
 VITE_SUI_NETWORK=testnet
 VITE_SUI_RPC_URL=https://fullnode.testnet.sui.io:443
-VITE_SUI_GRAPHQL_URL=https://sui-testnet.mystenlabs.com/graphql
+VITE_SUI_GRAPHQL_URL=https://graphql.testnet.sui.io/graphql
 
 # Package IDs (only needed for localnet/devnet; auto-detected for testnet/mainnet)
 # VITE_PERMISSIONED_GROUPS_ORIGINAL_PACKAGE_ID=0x...
@@ -21,3 +21,15 @@ VITE_WALRUS_EPOCHS=5
 
 # Seal Key Servers (threshold encryption)
 # VITE_SEAL_KEY_SERVER_OBJECT_IDS=0x...,0x...
+# Only set when some key server object IDs are committee mode.
+# VITE_SEAL_COMMITTEE_SERVER_OBJECT_IDS=0x...,0x...
+VITE_SEAL_AGGREGATOR_URL=
+VITE_SEAL_COMMITTEE_SERVER_OBJECT_IDS=
+# Optional: rewrite on-chain key server URL in browser (useful when on-chain URL is localhost).
+VITE_SEAL_URL_OVERRIDE_FROM=http://localhost:2024
+VITE_SEAL_URL_OVERRIDE_TO=
+
+# Enoki
+VITE_ENOKI_PUBLIC_KEY=
+VITE_ENOKI_GOOGLE_CLIENT_ID=
+VITE_ENOKI_REDIRECT_URL=

chat-app/README.md

@@ -1,4 +1,4 @@
-# Sui Messaging Chat — Reference Application
+# Mizu Messaging Chat Demo — Reference Application
 
 ## 1. Overview
 

chat-app/index.html

@@ -3,7 +3,7 @@
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <title>Sui Messaging Chat</title>
+    <title>Mizu Messaging Chat Demo</title>
   </head>
   <body>
     <div id="root"></div>

chat-app/package.json

@@ -13,6 +13,7 @@
     "@mysten/bcs": "^2.0.3",
     "@mysten/dapp-kit": "^1.0.4",
     "@mysten/sui-stack-messaging": "link:../ts-sdks/packages/sui-stack-messaging",
+    "@mysten/enoki": "^1.0.4",
     "@mysten/sui-groups": "^0.0.1",
     "@mysten/seal": "^1.1.1",
     "@mysten/sui": "^2.13.2",

chat-app/src/App.tsx

@@ -40,7 +40,7 @@ function App() {
       {/* Header */}
       <header className="flex items-center justify-between border-b border-secondary-200 bg-white px-6 py-3 dark:border-secondary-700 dark:bg-secondary-800">
         <h1 className="text-lg font-semibold text-primary-600 dark:text-primary-400">
-          Sui Messaging Chat
+          Mizu Messaging Chat Demo
         </h1>
         <ConnectButton />
       </header>

chat-app/src/components/enoki/RegisterEnokiWallets.tsx

@@ -0,0 +1,34 @@
+import { useEffect } from 'react';
+import { registerEnokiWallets } from '@mysten/enoki';
+import { SuiGrpcClient } from '@mysten/sui/grpc';
+import { getEnokiConfig } from '../../lib/enoki-config';
+
+let hasRegisteredEnokiWallets = false;
+
+export function RegisterEnokiWallets() {
+  useEffect(() => {
+    if (hasRegisteredEnokiWallets) return;
+
+    const config = getEnokiConfig();
+    if (!config.enabled) {
+      console.info(`[enoki] Skip registration: ${config.reason}`);
+      return;
+    }
+
+    registerEnokiWallets({
+      apiKey: config.apiKey,
+      client: new SuiGrpcClient({ baseUrl: config.rpcUrl, network: config.network }),
+      network: config.network,
+      providers: {
+        google: {
+          clientId: config.googleClientId,
+          redirectUrl: config.redirectUrl,
+        },
+      },
+    });
+
+    hasRegisteredEnokiWallets = true;
+  }, []);
+
+  return null;
+}

chat-app/src/contexts/MessagingClientContext.tsx

@@ -36,6 +36,42 @@ const WALRUS_PUBLISHER_URL =
 const WALRUS_AGGREGATOR_URL =
   import.meta.env.VITE_WALRUS_AGGREGATOR_URL || '';
 const WALRUS_EPOCHS = Number(import.meta.env.VITE_WALRUS_EPOCHS) || 1;
+const SEAL_URL_OVERRIDE_FROM =
+  import.meta.env.VITE_SEAL_URL_OVERRIDE_FROM || 'http://localhost:2024';
+const SEAL_URL_OVERRIDE_TO =
+  import.meta.env.VITE_SEAL_URL_OVERRIDE_TO || '';
+
+function installSealFetchUrlOverride() {
+  if (!SEAL_URL_OVERRIDE_TO) return;
+
+  const g = globalThis as typeof globalThis & {
+    __sealFetchRewriteInstalled?: boolean;
+  };
+  if (g.__sealFetchRewriteInstalled) return;
+
+  const originalFetch = globalThis.fetch.bind(globalThis);
+  globalThis.fetch = ((input: RequestInfo | URL, init?: RequestInit) => {
+    const requestUrl =
+      typeof input === 'string'
+        ? input
+        : input instanceof URL
+          ? input.toString()
+          : input.url;
+
+    if (requestUrl.startsWith(SEAL_URL_OVERRIDE_FROM)) {
+      const rewrittenUrl = `${SEAL_URL_OVERRIDE_TO}${requestUrl.slice(SEAL_URL_OVERRIDE_FROM.length)}`;
+      if (input instanceof Request) {
+        return originalFetch(new Request(rewrittenUrl, input), init);
+      }
+      return originalFetch(rewrittenUrl, init);
+    }
+
+    return originalFetch(input, init);
+  }) as typeof fetch;
+  g.__sealFetchRewriteInstalled = true;
+}
+
+installSealFetchUrlOverride();
 
 // Package config overrides (optional — auto-detected from network if not set)
 function parsePackageConfig() {
@@ -52,13 +88,27 @@ function parsePackageConfig() {
 }
 
 // Seal key server object IDs (comma-separated in env)
-function parseSealServerConfigs(): { objectId: string; weight: number }[] {
+function parseSealServerConfigs(): { objectId: string; weight: number; aggregatorUrl?: string }[] {
   const ids = import.meta.env.VITE_SEAL_KEY_SERVER_OBJECT_IDS;
   if (!ids) return [];
-  return ids.split(',').map((id: string) => ({
-    objectId: id.trim(),
-    weight: 1,
-  }));
+  const aggregatorUrl = import.meta.env.VITE_SEAL_AGGREGATOR_URL?.trim();
+  const committeeServerIds = new Set(
+    (import.meta.env.VITE_SEAL_COMMITTEE_SERVER_OBJECT_IDS || '')
+      .split(',')
+      .map((id: string) => id.trim())
+      .filter(Boolean),
+  );
+  return ids
+    .split(',')
+    .map((id: string) => id.trim())
+    .filter(Boolean)
+    .map((objectId: string) => ({
+      objectId,
+      weight: 1,
+      ...(aggregatorUrl && committeeServerIds.has(objectId)
+        ? { aggregatorUrl }
+        : {}),
+    }));
 }
 
 // Singleton GraphQL client (does not depend on wallet)
@@ -113,6 +163,7 @@ export function MessagingClientProvider({
         serverConfigs: sealServerConfigs,
       },
       encryption: {
+        sealThreshold: 1,
         sessionKey: {
           address: account.address,
           onSign: async (message: Uint8Array) => {

chat-app/src/index.css

@@ -1,7 +1,7 @@
 @import 'tailwindcss';
 
 /*
- * Custom theme for Sui Messaging Chat.
+ * Custom theme for Mizu Messaging Chat Demo.
  * Tailwind v4 uses CSS-native @theme instead of tailwind.config.js.
  * Dark mode: use `class` strategy via `@variant dark (&:where(.dark, .dark *))`.
  */

chat-app/src/lib/dapp-kit-signer.ts

@@ -2,11 +2,11 @@
  * Adapter that wraps dapp-kit's signPersonalMessage into a Signer-compatible object
  * for use with the messaging SDK's relayer transport.
  *
- * Supports all Sui wallet types (Ed25519, Secp256k1, Secp256r1, zkLogin, multisig)
- * by lazily extracting the public key from the first signature when the wallet
- * doesn't expose publicKey upfront.
+ * Lazily extracts the public key from the first signature when the wallet
+ * doesn't expose publicKey upfront, which is useful for wallet adapters that
+ * derive the signing identity dynamically, including zkLogin-backed wallets.
  */
-import { Signer, parseSerializedSignature } from '@mysten/sui/cryptography';
+import { Signer, parseSerializedSignature, SIGNATURE_FLAG_TO_SCHEME } from '@mysten/sui/cryptography';
 import type { PublicKey, SignatureScheme } from '@mysten/sui/cryptography';
 import { publicKeyFromRawBytes, publicKeyFromSuiBytes } from '@mysten/sui/verify';
 import { toBase64 } from '@mysten/sui/utils';
@@ -65,10 +65,9 @@ export class DappKitSigner extends Signer {
     if (!this.#publicKey) {
       return 'ED25519'; // default until first signature resolves it
     }
-    const flag = this.#publicKey.flag();
-    if (flag === 0x00) return 'ED25519';
-    if (flag === 0x01) return 'Secp256k1';
-    return 'Secp256r1';
+    return SIGNATURE_FLAG_TO_SCHEME[
+      this.#publicKey.flag() as keyof typeof SIGNATURE_FLAG_TO_SCHEME
+    ] ?? 'ED25519';
   }
 
   getPublicKey(): PublicKey {

chat-app/src/lib/enoki-config.ts

@@ -0,0 +1,83 @@
+import type { EnokiNetwork } from '@mysten/enoki';
+
+type EnabledEnokiConfig = {
+  enabled: true;
+  apiKey: string;
+  googleClientId: string;
+  redirectUrl: string;
+  rpcUrl: string;
+  network: EnokiNetwork;
+};
+
+type DisabledEnokiConfig = {
+  enabled: false;
+  reason: string;
+};
+
+export type EnokiConfig = EnabledEnokiConfig | DisabledEnokiConfig;
+
+function readEnv(name: string): string {
+  const value = import.meta.env[name];
+  return typeof value === 'string' ? value.trim() : '';
+}
+
+function getNetwork(): EnokiNetwork {
+  const configuredNetwork = readEnv('VITE_SUI_NETWORK');
+  if (
+    configuredNetwork === 'mainnet' ||
+    configuredNetwork === 'testnet' ||
+    configuredNetwork === 'devnet'
+  ) {
+    return configuredNetwork;
+  }
+  return 'testnet';
+}
+
+function isValidUrl(url: string): boolean {
+  try {
+    new URL(url);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+export function getEnokiConfig(): EnokiConfig {
+  const apiKey = readEnv('VITE_ENOKI_PUBLIC_KEY');
+  const googleClientId = readEnv('VITE_ENOKI_GOOGLE_CLIENT_ID');
+  const redirectUrl = readEnv('VITE_ENOKI_REDIRECT_URL');
+  const rpcUrl = readEnv('VITE_SUI_RPC_URL');
+
+  if (!apiKey || !googleClientId || !redirectUrl || !rpcUrl) {
+    return {
+      enabled: false,
+      reason:
+        'Missing one or more Enoki env vars: VITE_ENOKI_PUBLIC_KEY, VITE_ENOKI_GOOGLE_CLIENT_ID, VITE_ENOKI_REDIRECT_URL, VITE_SUI_RPC_URL.',
+    };
+  }
+
+  if (!isValidUrl(redirectUrl)) {
+    return {
+      enabled: false,
+      reason: 'VITE_ENOKI_REDIRECT_URL is not a valid URL.',
+    };
+  }
+
+  if (!isValidUrl(rpcUrl)) {
+    return {
+      enabled: false,
+      reason: 'VITE_SUI_RPC_URL is not a valid URL.',
+    };
+  }
+
+  const network = getNetwork();
+
+  return {
+    enabled: true,
+    apiKey,
+    googleClientId,
+    redirectUrl,
+    rpcUrl,
+    network,
+  };
+}

chat-app/src/main.tsx

@@ -5,6 +5,7 @@ import { SuiClientProvider, WalletProvider } from '@mysten/dapp-kit';
 import { networkConfig } from './lib/network-config';
 import { MessagingClientProvider } from './contexts/MessagingClientContext';
 import { ErrorBoundary } from './components/ErrorBoundary';
+import { RegisterEnokiWallets } from './components/enoki/RegisterEnokiWallets';
 import App from './App';
 import '@mysten/dapp-kit/dist/index.css';
 import './index.css';
@@ -16,6 +17,7 @@ createRoot(document.getElementById('root')!).render(
     <QueryClientProvider client={queryClient}>
       <SuiClientProvider networks={networkConfig} defaultNetwork="testnet">
         <WalletProvider autoConnect>
+          <RegisterEnokiWallets />
           <MessagingClientProvider>
             <ErrorBoundary>
               <App />

relayer/.env.example

@@ -4,6 +4,7 @@ REQUEST_TTL_SECONDS=900
 
 # Sui Configuration (required)
 SUI_RPC_URL=https://fullnode.testnet.sui.io:443
+SUI_GRAPHQL_URL=https://graphql.testnet.sui.io/graphql
 # Testnet: 0xba8a26d42bc8b5e5caf4dac2a0f7544128d5dd9b4614af88eec1311ade11de79
 # Mainnet: 0x541840ae7df705d1c6329c22415ed61f9140a18b79b13c1c9dc7415b115c1ba8
 GROUPS_PACKAGE_ID=

relayer/Cargo.toml

@@ -16,6 +16,7 @@ axum = "0.7"
 tokio = { version = "1.43.0", features = ["full"] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = { version = "1.0", features = ["preserve_order"] }
+base64 = "0.21"
 tracing = "0.1"
 tracing-subscriber = "0.3"
 uuid = { version = "1.0", features = ["v4", "serde"] }

relayer/Dockerfile

@@ -21,6 +21,6 @@ COPY --from=builder /app/target/release/messaging-relayer ./messaging-relayer
 EXPOSE 3000
 
 HEALTHCHECK --interval=10s --timeout=5s --retries=3 --start-period=5s \
-    CMD curl -f http://localhost:3000/health_check || exit 1
+    CMD curl -f http://localhost:3000/relayer/health_check || exit 1
 
 CMD ["./messaging-relayer"]

relayer/README.md

@@ -51,7 +51,7 @@ All authenticated requests must include:
 
 | Header | Description |
 |--------|-------------|
-| `X-Signature` | Hex-encoded 64-byte raw signature |
+| `X-Signature` | Hex-encoded signature bytes. Keypair schemes use raw 64-byte signatures; zkLogin uses the serialized authenticator bytes |
 | `X-Public-Key` | Hex-encoded bytes: `flag_byte \|\| public_key_bytes` (first byte identifies the scheme) |
 
 Bodyless requests (GET, DELETE) also require:
@@ -68,11 +68,11 @@ When a request arrives, the auth middleware runs the following steps in order. I
 
 1. **Validate timestamp** — The timestamp (from body or header) must be within the configured TTL window (default 5 minutes). This prevents replay attacks where an attacker resubmits a previously captured request.
 
-2. **Decode public key** — The `X-Public-Key` header is hex-decoded. The first byte is the scheme flag (`0x00` = Ed25519, `0x01` = Secp256k1, `0x02` = Secp256r1). The remaining bytes are the raw public key. If the flag is unrecognized or the key length doesn't match the scheme, the request is rejected.
+2. **Decode public key** — The `X-Public-Key` header is hex-decoded. The first byte is the scheme flag (`0x00` = Ed25519, `0x01` = Secp256k1, `0x02` = Secp256r1, `0x05` = zkLogin). The remaining bytes are the raw public key or public identifier. If the flag is unrecognized or the bytes do not match the scheme format, the request is rejected.
 
-3. **Decode signature** — The `X-Signature` header is hex-decoded into 64 raw signature bytes.
+3. **Decode signature** — The `X-Signature` header is hex-decoded into scheme-specific signature bytes.
 
-4. **Verify signature** — The signature is verified against the signed message using the public key and the detected scheme. This uses `sui_crypto`'s `UserSignatureVerifier` with `PersonalMessage` wrapping (the same format Sui wallets use). If the signature doesn't match, the request is rejected.
+4. **Verify signature** — The signature is verified against the signed message using the public key and the detected scheme. Keypair schemes use `sui_crypto`'s `UserSignatureVerifier` with `PersonalMessage` wrapping. zkLogin signatures are verified against the Sui GraphQL API. If the signature doesn't match, the request is rejected.
 
 5. **Derive Sui address** — The sender's Sui address is derived from the public key by computing `Blake2b-256(flag_byte || public_key_bytes)`. This is how Sui maps public keys to addresses.
 
@@ -468,6 +468,7 @@ All configuration is loaded from environment variables. The relayer also support
 | `MEMBERSHIP_STORE_TYPE` | `memory` | No | Membership cache backend — currently only `memory` is implemented |
 | `SUI_RPC_URL` | — | **Yes** | Sui fullnode gRPC URL for checkpoint subscription (e.g., `https://fullnode.testnet.sui.io:443`) |
 | `GROUPS_PACKAGE_ID` | — | **Yes** | Groups SDK package ID deployed on Sui (e.g., `0xabc123...`) |
+| `SUI_GRAPHQL_URL` | — | No | Sui GraphQL endpoint used for zkLogin signature verification (required only for zkLogin auth, e.g., `https://graphql.testnet.sui.io/graphql`) |
 | `WALRUS_PUBLISHER_URL` | `https://publisher.walrus-testnet.walrus.space` | No | Walrus publisher endpoint for storing blobs/quilts |
 | `WALRUS_AGGREGATOR_URL` | `https://aggregator.walrus-testnet.walrus.space` | No | Walrus aggregator endpoint for reading blobs |
 | `WALRUS_STORAGE_EPOCHS` | `5` | No | Number of Walrus epochs to persist stored data |
@@ -523,6 +524,7 @@ src/
 # Create a .env file with required variables
 cat > .env << 'EOF'
 SUI_RPC_URL=https://fullnode.testnet.sui.io:443
+SUI_GRAPHQL_URL=https://graphql.testnet.sui.io/graphql
 GROUPS_PACKAGE_ID=0x...your_package_id...
 EOF
 
@@ -589,6 +591,7 @@ docker run -p 3000:3000 --env-file .env messaging-relayer
 # Or pass env vars directly
 docker run -p 3000:3000 \
   -e SUI_RPC_URL=https://fullnode.testnet.sui.io:443 \
+  -e SUI_GRAPHQL_URL=https://graphql.testnet.sui.io/graphql \
   -e GROUPS_PACKAGE_ID=0x... \
   messaging-relayer
 ```

relayer/docker-compose.yml

@@ -8,7 +8,7 @@ services:
     environment:
       - RUST_LOG=${RUST_LOG:-messaging_relayer=info}
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:${PORT:-3000}/health_check"]
+      test: ["CMD", "curl", "-f", "http://localhost:${PORT:-3000}/relayer/health_check"]
       interval: 10s
       timeout: 5s
       retries: 3