protocol 27 - V2 credential opt in#1450
Merged
Merged
Conversation
quietbits
approved these changes
Jun 10, 2026
| By default the SDK still uses the legacy `ADDRESS` credential: simulation is | ||
| asked for `ADDRESS` entries and `authorizeInvocation` builds them. `ADDRESS_V2` | ||
| is only valid on networks that have upgraded to protocol 27, so it is **opt-in** until | ||
| the protocol makes it mandatory (at which point the default flips). Opt in with |
Contributor
There was a problem hiding this comment.
Should we mention that Protocol 28 will make this mandatory and not the current Protocol 27 (if I understood it correctly)?
There was a problem hiding this comment.
Pull request overview
This PR makes Soroban auth credential emission default back to legacy SOROBAN_CREDENTIALS_ADDRESS (V1), with CAP-71 SOROBAN_CREDENTIALS_ADDRESS_V2 available only via an explicit opt-in, keeping SDK behavior compatible with networks that haven’t activated protocol 27 yet.
Changes:
- Add an
authV2opt-in torpc.Server.simulateTransactionand omitauthV2from the JSON-RPC request unless enabled. - Add
authV2toauthorizeInvocationparams to choose between emitting V1 vs V2 credentials. - Thread
MethodOptions.authV2throughcontract.Client/AssembledTransaction.simulate(), and update tests + docs + changelog accordingly.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| test/unit/server/soroban/simulate_transaction.test.ts | Updates auth entry construction to V1 and adds coverage asserting authV2 is omitted by default / sent when opted in. |
| test/unit/base/auth.test.ts | Updates default credential expectations to V1 and adds explicit authV2: true coverage for V2 emission. |
| src/rpc/server.ts | Adds authV2 param (default false) and conditionally includes the JSON-RPC authV2 request flag. |
| src/contract/types.ts | Introduces MethodOptions.authV2 for higher-level contract client users. |
| src/contract/assembled_transaction.ts | Threads options.authV2 into server.simulateTransaction(...). |
| src/base/auth.ts | Adds AuthorizeInvocationParams.authV2 and switches emission default to legacy ADDRESS credentials. |
| docs/reference/network-rpc.md | Regenerated reference docs reflecting the new authV2 argument on simulation methods. |
| docs/reference/core-soroban-primitives.md | Regenerated reference docs describing authorizeInvocation and new authV2 param. |
| docs/reference/contracts-client.md | Regenerated reference docs reflecting MethodOptions.authV2. |
| docs/guides/00-migration.md | Updates migration guidance for protocol 27 defaults and opt-in usage. |
| CHANGELOG.md | Adds an Unreleased entry documenting the default flip to V1 and the new opt-in points. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+390
to
+394
| the `authV2` flag — on | ||
| `rpc.Server.simulateTransaction`, | ||
| on `authorizeInvocation`'s params, or via `authV2` in | ||
| [`contract.Client`](/reference/contracts-client/#contractclient) / | ||
| `MethodOptions` — when your target network supports it. |
Comment on lines
396
to
+400
| SDK-driven signing ([`contract.Client`](/reference/contracts-client/#contractclient), | ||
| [`basicNodeSigner`](/reference/contracts-client/#contractbasicnodesigner), | ||
| [`authorizeEntry`](/reference/core-soroban-primitives/#authorizeentry), | ||
| [`signAuthEntries`](/reference/contracts-client/#contractassembledtransaction)) is | ||
| forward-compatible with no code change: it signs whichever credential simulation | ||
| returns. The entries below break only code that reads the credential arm or | ||
| builds the signature payload by hand. | ||
| forward-compatible with no code change: it signs whichever credential the entry |
| with `.address()`. | ||
|
|
||
| ```ts del={1-4} ins={5-8} | ||
| ```ts del={1-4} ins={5-7} |
| To build a CAP-71 `ADDRESS_V2` entry instead, pass `authV2: true` and read the | ||
| result with `.addressV2()`. Only do this on networks that have upgraded to protocol 27. | ||
|
|
||
| ```ts ins={6} |
This was referenced Jun 11, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Soroban auth now defaults to the legacy
SOROBAN_CREDENTIALS_ADDRESS(V1) credential, with CAP-71SOROBAN_CREDENTIALS_ADDRESS_V2available behind an opt-in instead of forced on. Three opt-in points, all defaulting tofalse:rpc.Server.simulateTransactiongains a 4th optional arg,authV2. TheauthV2request flag is now omitted from the JSON-RPCbody unless set, so simulation returns legacy
ADDRESSentries by default andADDRESS_V2only when opted in. (PreviouslyauthV2: truewas hardcoded.)authorizeInvocationgains anauthV2field on its params object, selecting between buildingADDRESSandADDRESS_V2credentials. (Previously it always built
ADDRESS_V2.)MethodOptions.authV2is threaded throughAssembledTransaction.simulate(), so high-levelcontract.Clientusers can opt intoo — not just direct RPC callers.
The V2 signing/handling path is unchanged:
authorizeEntryandbuildAuthorizationEntryPreimagealready select the correct (legacy vs. address-bound) preimage off whichever credential the entry carries, so the SDK still consumes V2 transparently. Only emission is gated.Includes test updates (default-path assertions flipped to V1, new
authV2: truecoverage, and a simulate request-body test), a CHANGELOG entry, and migration-guide + regenerated reference-doc updates.Why
p27 adds the ability to submit
ADDRESS_V2; p28 makes it mandatory. But V2 credentials are not valid on-network until p27 activates, so anything the SDK emits as V2 before activation fails submission. The branch currently forces V2 everywhere with no escape hatch, which means users on any not-yet-activated network — and testnet/futurenet/mainnet activate at different times — would hit failed submissions without a way to fall back.Defaulting to V1 keeps the SDK valid on every network regardless of activation state and matches upstream's posture (RPC simulation and the sibling SDKs default to V1 with V2 opt-in); a client shouldn't emit a stricter default than its own upstream. The opt-in still lets early adopters exercise V2 against networks that already support it.
The default will flip to V2 at p28 when it becomes mandatory — a mechanical change (flip the two defaults; the opt-in params stay so anyone on a pre-p28 network can pin to V1 during the transition)