Problem
There is no public API to sign arbitrary data using the wallet's identity key. The sphere.identity getter deliberately strips privateKey from the returned object, and the underlying _identity field is TypeScript-private.
Applications that need to prove identity (e.g. authenticating HTTP requests to a service) are forced to bypass access control:
const fullIdentity = (sphere as any)._identity;
const privateKey = fullIdentity.privateKey;
They must then bring in @noble/curves/secp256k1 and @noble/hashes as separate dependencies and reimplement signing from scratch — even though the SDK already depends on these libraries internally.
Context
We built two marketplace applications on top of sphere-sdk (a prediction market and a P2P marketplace). Both needed to authenticate HTTP requests using the wallet's secp256k1 keypair. Both independently implemented identical signing code (~30 lines each) that:
- Accesses
(sphere as any)._identity.privateKey
- Hashes a payload with SHA256 (from
@noble/hashes)
- Signs with secp256k1 (from
@noble/curves)
- Returns the signature + compressed public key
The SDK has SigningService internally for on-chain state transitions, but it's not exposed for general-purpose signing. The SDK also already exposes deriveAddress() which returns private keys, and exportToJSON() which dumps the master key — so there's no philosophical objection to key access, just a missing convenience method.
Proposed Solution
Add a public method to Sphere:
sphere.sign(message: Uint8Array): { signature: Uint8Array, publicKey: Uint8Array }Or with hex convenience:
sphere.signMessage(payload: string): { signature: string, publicKey: string }This would:
- Eliminate the
(sphere as any)._identity hack in every consumer
- Remove the need for consumers to directly depend on
@noble/curves and @noble/hashes
- Provide a safe, supported way to prove wallet ownership without exposing raw private keys
Alternatives
- Expose
sphere.getPrivateKey(): string — simpler but less safe, pushes signing responsibility to consumers
- Document the
_identity access pattern — legitimizes the hack but doesn't solve the dependency duplication
🤖 Generated with Claude Code
Problem
There is no public API to sign arbitrary data using the wallet's identity key. The
sphere.identitygetter deliberately stripsprivateKeyfrom the returned object, and the underlying_identityfield is TypeScript-private.Applications that need to prove identity (e.g. authenticating HTTP requests to a service) are forced to bypass access control:
They must then bring in
@noble/curves/secp256k1and@noble/hashesas separate dependencies and reimplement signing from scratch — even though the SDK already depends on these libraries internally.Context
We built two marketplace applications on top of sphere-sdk (a prediction market and a P2P marketplace). Both needed to authenticate HTTP requests using the wallet's secp256k1 keypair. Both independently implemented identical signing code (~30 lines each) that:
(sphere as any)._identity.privateKey@noble/hashes)@noble/curves)The SDK has
SigningServiceinternally for on-chain state transitions, but it's not exposed for general-purpose signing. The SDK also already exposesderiveAddress()which returns private keys, andexportToJSON()which dumps the master key — so there's no philosophical objection to key access, just a missing convenience method.Proposed Solution
Add a public method to
Sphere:Or with hex convenience:
This would:
(sphere as any)._identityhack in every consumer@noble/curvesand@noble/hashesAlternatives
sphere.getPrivateKey(): string— simpler but less safe, pushes signing responsibility to consumers_identityaccess pattern — legitimizes the hack but doesn't solve the dependency duplication🤖 Generated with Claude Code