Close Devin, close

Author: alexvelea

examples/read-only-auth/.gitignore

@@ -0,0 +1 @@
+*.json

examples/read-only-auth/README.md

@@ -20,7 +20,7 @@ The setup script configures API key 253 for all accounts associated with your Et
 
 ```bash
 cd examples/read-only-auth
-python3 setup.py > config.json
+python3 setup.py config.json
 ```
 
 This will:
@@ -39,7 +39,7 @@ ETH_PRIVATE_KEY = "your_ethereum_private_key_here"
 API_KEY_INDEX = 253  # Using 253 as it's typically unused
 ```
 
-### Output Format
+### Config Format
 
 ```json
 {
@@ -66,30 +66,15 @@ The generation script creates authentication tokens for future time periods.
 ### Running Generation
 
 ```bash
-python3 generate.py [config_file]
+NUM_DAYS=10 python3 generate.py config.json
 ```
 
 If no config file is specified, it defaults to `config.json`.
 
 ### Duration Configuration
 
-You can specify the duration in your config file:
-
-```json
-{
-  "BASE_URL": "https://testnet.zklighter.elliot.ai",
-  "DURATION_IN_DAYS": 7,
-  "ACCOUNTS": [...]
-}
-```
-
-Or modify the default in `generate.py`:
-
-```python
-DURATION_IN_DAYS = 7  # Generate tokens for 7 days
-```
-
-This will generate `4 * DURATION_IN_DAYS` tokens (4 per day, one every 6 hours).
+You can specify the duration in days using the `NUM_DAYS` environment variable, as in the command above.
+If the value is not specified, it defaults to 28 days.
 
 ### Output Format
 
@@ -118,26 +103,7 @@ Where:
 
 ### Looking Up Tokens
 
-Use this code to look up the appropriate token for the current time:
-
-```python
-import json
-import time
-
-# Load pre-generated tokens
-with open('auth-tokens.json') as f:
-    auth_tokens = json.load(f)
-
-# Get current aligned timestamp (6-hour boundary)
-current_timestamp = (int(time.time()) // (6 * 3600)) * (6 * 3600)
-
-# Look up token for specific account
-account_index = 0
-auth_token = auth_tokens[str(account_index)][str(current_timestamp)]
-
-# Use the token for authentication
-# (implementation depends on your API client)
-```
+Check the `get_auth_token.py` script which prints the Auth Token that should be used **at this moment**, as this will be invalidated in at most 8 hours.
 
 ### Time Alignment
 
@@ -158,48 +124,29 @@ Each token is valid for 8 hours from its timestamp:
 ### API Key 253
 
 We use API key index 253 because:
-- It's the last available index (0-255)
-- It's not typically used by other applications
+- It's the last available index [0-253]
+- It's not typically used by trading
 - Easy to remember for this specific use case
+- Easy to change and invalidate all tokens.
 
 ### Invalidating Tokens
 
 To invalidate all existing tokens:
 
 ```bash
-python3 setup.py > config.json
+python3 setup.py config.json
 ```
 
 Re-running the setup script generates new API keys for index 253, which invalidates all previously generated authentication tokens. This is useful if:
 - You suspect your tokens have been compromised
-- You want to rotate your API keys periodically
+- You want to rotate your tokens periodically
 - You need to revoke access immediately
 
 ### Best Practices
 
-1. **Store tokens securely**: The `auth-tokens.json` file contains sensitive authentication data
-2. **Regenerate regularly**: Set up a cron job to regenerate tokens periodically
-3. **Monitor usage**: Keep track of which tokens are being used
-4. **Separate keys**: Use different API keys for different purposes (253 for read-only)
-
-## Example Workflow
-
-Complete workflow for setting up and using pre-generated tokens:
-
-```bash
-# 1. Configure accounts (one-time setup)
-cd examples/read-only-auth
-python3 setup.py > config.json
-
-# 2. Generate tokens for the next 7 days
-python3 generate.py
+1. **Store tokens securely**: The `auth-tokens.json` file contains sensitive data (read only, but still)
+2. **Dedicated API key**: Use API key 253 for read-only token generation, as it can be invalidated easely.
 
-# 3. Use the tokens in your application
-python3 your_app.py  # Uses auth-tokens.json
-
-# 4. Regenerate tokens when needed (e.g., daily cron job)
-python3 generate.py
-```
 
 ## Troubleshooting
 
@@ -214,19 +161,8 @@ This could happen if:
 - Network connectivity issues
 - The account is not active
 
-### "Token not found for timestamp" error
-
-This means you don't have a token for the current time period. Run:
-
-```bash
-python3 generate.py
-```
-
-to generate fresh tokens.
-
 ## Additional Notes
 
 - Tokens are specific to each account index
 - Each account has its own set of time-aligned tokens
 - The system uses the SignerClient's native `create_auth_token_with_expiry` method
-- No modifications to the core lighter-python SDK are required

examples/read-only-auth/generate.py

@@ -1,18 +1,16 @@
 import asyncio
 import json
 import logging
+import os
 import time
 import sys
 import lighter
 
-logging.basicConfig(level=logging.INFO)
+logging.basicConfig(level=logging.INFO, force=True)
 
-DURATION_IN_DAYS = 7
 
-
-def create_auth_token_for_timestamp(signer_client, timestamp, expiry_hours=8):
-    deadline = timestamp + (expiry_hours * 3600)
-    auth_token, error = signer_client.create_auth_token_with_expiry(deadline)
+def create_auth_token_for_timestamp(signer_client, timestamp, expiry_hours):
+    auth_token, error = signer_client.create_auth_token_with_expiry(expiry_hours * 3600, timestamp=timestamp)
     if error is not None:
         raise Exception(f"Failed to create auth token: {error}")
     return auth_token
@@ -43,9 +41,7 @@ async def generate_tokens_for_account(account_info, base_url, duration_days):
     for i in range(num_tokens):
         timestamp = start_timestamp + (i * interval_seconds)
         try:
-            auth_token = create_auth_token_for_timestamp(
-                signer_client, timestamp, expiry_hours
-            )
+            auth_token = create_auth_token_for_timestamp(signer_client, timestamp, expiry_hours)
             tokens[str(timestamp)] = auth_token
             logging.debug(f"Generated token for timestamp {timestamp}")
         except Exception as e:
@@ -72,9 +68,10 @@ async def main():
         logging.error(f"Invalid JSON in config file: {e}")
         sys.exit(1)
 
+    num_days = int(os.getenv("NUM_DAYS") or 28)
     base_url = config.get("BASE_URL")
     accounts = config.get("ACCOUNTS", [])
-    duration_days = config.get("DURATION_IN_DAYS", DURATION_IN_DAYS)
+    duration_days = config.get("DURATION_IN_DAYS", num_days)
 
     if not base_url:
         logging.error("BASE_URL not found in config")
@@ -87,19 +84,10 @@ async def main():
     logging.info(f"Generating tokens for {len(accounts)} account(s)")
     logging.info(f"Duration: {duration_days} days ({4 * duration_days} tokens per account)")
 
-    tasks = []
-    for account_info in accounts:
-        tasks.append(generate_tokens_for_account(account_info, base_url, duration_days))
-
-    results = await asyncio.gather(*tasks, return_exceptions=True)
-
     auth_tokens = {}
-    for result in results:
-        if isinstance(result, Exception):
-            logging.error(f"Error generating tokens: {result}")
-        else:
-            account_index, tokens = result
-            auth_tokens[str(account_index)] = tokens
+    for account_info in accounts:
+        account_index, tokens = await generate_tokens_for_account(account_info, base_url, duration_days)
+        auth_tokens[str(account_index)] = tokens
 
     output_file = "auth-tokens.json"
     with open(output_file, "w") as f:

examples/read-only-auth/get_auth_token.py

@@ -0,0 +1,30 @@
+import json
+import logging
+import sys
+import time
+
+logging.basicConfig(level=logging.INFO, force=True)
+
+
+def main():
+    if len(sys.argv) == 1:
+        logging.error("No account index specified")
+        return
+
+    account_index = sys.argv[1]
+
+    # Load pre-generated tokens
+    with open('auth-tokens.json') as f:
+        auth_tokens = json.load(f)
+
+    # Get current aligned timestamp (6-hour boundary)
+    current_timestamp = (int(time.time()) // (6 * 3600)) * (6 * 3600)
+
+    # Look up token for specific account
+    auth_token = auth_tokens[account_index][str(current_timestamp)]
+
+    print(f"{auth_token=}")
+
+
+if __name__ == "__main__":
+    main()

examples/read-only-auth/setup.py

@@ -1,18 +1,20 @@
 import asyncio
 import json
 import logging
+import sys
 import time
 import eth_account
 import lighter
 
-logging.basicConfig(level=logging.DEBUG)
+logging.basicConfig(level=logging.INFO, force=True)
 
+# use https://mainnet.zklighter.elliot.ai for mainnet
 BASE_URL = "https://testnet.zklighter.elliot.ai"
 ETH_PRIVATE_KEY = "1234567812345678123456781234567812345678123456781234567812345678"
 API_KEY_INDEX = 253
 
 
-async def setup_account(eth_address, eth_private_key, account_index, base_url, api_key_index):
+async def setup_account(eth_private_key, account_index, base_url, api_key_index):
     private_key, public_key, err = lighter.create_api_key()
     if err is not None:
         return None, f"Failed to create API key for account {account_index}: {err}"
@@ -49,6 +51,10 @@ async def setup_account(eth_address, eth_private_key, account_index, base_url, a
 
 
 async def main():
+    config_file = "config.json"
+    if len(sys.argv) > 1:
+        config_file = sys.argv[1]
+
     api_client = lighter.ApiClient(configuration=lighter.Configuration(host=BASE_URL))
     eth_acc = eth_account.Account.from_key(ETH_PRIVATE_KEY)
     eth_address = eth_acc.address
@@ -73,46 +79,32 @@ async def main():
 
     logging.info(f"Found {len(response.sub_accounts)} account(s)")
 
-    tasks = []
+    # don't do this async
+    accounts = []
     for sub_account in response.sub_accounts:
         logging.info(f"Setting up account index: {sub_account.index}")
-        tasks.append(
-            setup_account(
-                eth_address,
-                ETH_PRIVATE_KEY,
-                sub_account.index,
-                BASE_URL,
-                API_KEY_INDEX,
-            )
+        result, err = await setup_account(
+            ETH_PRIVATE_KEY,
+            sub_account.index,
+            BASE_URL,
+            API_KEY_INDEX,
         )
 
-    results = await asyncio.gather(*tasks, return_exceptions=True)
-
-    accounts = []
-    errors = []
-    for i, result in enumerate(results):
-        if isinstance(result, Exception):
-            errors.append(f"Account {response.sub_accounts[i].index}: {str(result)}")
-        elif result[1] is not None:
-            errors.append(result[1])
+        if err is not None:
+            logging.error(err)
         else:
-            accounts.append(result[0])
-
-    if errors:
-        for error in errors:
-            logging.error(error)
+            accounts.append(result)
 
     if not accounts:
         print("error: failed to setup any accounts", file=__import__('sys').stderr)
         await api_client.close()
         return
 
-    output = {
-        "BASE_URL": BASE_URL,
-        "ACCOUNTS": accounts,
-    }
-
-    print(json.dumps(output, indent=2))
+    with open(config_file, "w", encoding="utf-8") as f:
+        json.dump({
+            "BASE_URL": BASE_URL,
+            "ACCOUNTS": accounts,
+        }, f, ensure_ascii=False, indent=2)
 
     await api_client.close()
 

lighter/signer_client.py

@@ -532,12 +532,15 @@ def sign_update_leverage(self, market_index, fraction, margin_mode, nonce=-1):
         error = result.err.decode("utf-8") if result.err else None
         return tx_info, error
 
-    def create_auth_token_with_expiry(self, deadline: int = DEFAULT_10_MIN_AUTH_EXPIRY):
+    def create_auth_token_with_expiry(self, deadline: int = DEFAULT_10_MIN_AUTH_EXPIRY, *, timestamp: int = None):
         if deadline == SignerClient.DEFAULT_10_MIN_AUTH_EXPIRY:
-            deadline = int(time.time() + 10 * SignerClient.MINUTE)
+            deadline = 10 * SignerClient.MINUTE
+        if timestamp is None:
+            timestamp = int(time.time())
+
         self.signer.CreateAuthToken.argtypes = [ctypes.c_longlong]
         self.signer.CreateAuthToken.restype = StrOrErr
-        result = self.signer.CreateAuthToken(deadline)
+        result = self.signer.CreateAuthToken(timestamp + deadline)
 
         auth = result.str.decode("utf-8") if result.str else None
         error = result.err.decode("utf-8") if result.err else None