Waldrop SDK · API Reference

client.crypto

SEAL threshold encryption. Two methods — encrypt (no wallet signature needed) and decrypt (signs a session-key personal message). Both lazy-load @mysten/seal.

Optional peer dependency

@mysten/seal isn't required for read/upload-plaintext flows. Install it only if you call encrypt or decrypt — otherwise the SDK skips loading the SEAL bundle entirely.

encrypt

client.crypto.encrypt(args: EncryptBlobArgs): Promise<EncryptResult>

Encrypts args.data under a BlobStore's SEAL policy. Returns the ciphertext ready to upload, plus the 16-byte hex marker that goes on the BlobRef.

const { encryptedBytes, sealMarker } = await client.crypto.encrypt({
  data: plaintext,
  blobStoreId: "0x…",
});
// → encryptedBytes: Uint8Array
// → sealMarker:     "0xbde56d92087f77615e76856798ef6421"

Args

Field	Type	Description
`data`	`Uint8Array`	Plaintext to encrypt.
`blobStoreId`	`string`	BlobStore that scopes decryption — only viewers of this store can decrypt later.

Identity layout

The 53-byte SEAL identity is constructed deterministically per call:

identity = store_id (32 bytes)
         || marker  (16 bytes)   ← recorded on BlobRef
         || nonce   (5 bytes)    ← random, uniqueness only

Threshold = 1, encrypted against two verified independent key servers on testnet. Matches the dapp's useSeal.encrypt exactly so ciphertexts round-trip between SDK and dapp.

decrypt

client.crypto.decrypt(args: DecryptBlobArgs): Promise<Uint8Array>

Decrypts SEAL-encrypted bytes. Requires a wallet signer — SEAL needs a signed personal message for the session key. The session key is cached so subsequent decrypts within ~10 minutes don't re-prompt.

const plaintext = await client.crypto.decrypt({
  bytes: ciphertext,            // from client.blob.fetch
  blobStoreId: blob.sealPolicyId!,
  signer,                       // dapp-kit's signer, or Ed25519Keypair
});

Args

Field	Type	Description
`bytes`	`Uint8Array`	SEAL ciphertext (typically from `client.blob.fetch`).
`blobStoreId`	`string`	BlobStore that scoped the encryption.
`signer`	`any`	Compatible with `@mysten/sui`'s signing interface — dapp-kit's signer or `Ed25519Keypair`.

Errors

DecryptionError — wrong policy id, missing access, malformed ciphertext.
SealNotInstalledError — @mysten/seal peer dep not installed.

Edit this page on GitHub ↗

Waldrop · 2026cryptokarigar