Interactions with the TDK API typically require an authenticated user to make the requests from the client side. However, the nature of Treasure Connect’s on-chain session creation also allows games to act on a Treasure Account’s behalf through the backend only for the duration and scope of the session.

Setup

1

Get backend wallet

Check in with the Treasure team to receive your backend wallet address (used in your app client and backend) and AWS KMS key ARN (used in the next step and your backend).

2

Create AWS role

Create a new IAM role in your AWS account with the following policy attached, filling in the AWS KMS key ARN from the previous step:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowKmsTdBackendWalletAccess",
            "Effect": "Allow",
            "Action": [
                "kms:GetPublicKey",
                "kms:Verify",
                "kms:Sign"
            ],
            "Resource": "<awsKmsKeyArn>"
        }
    ]
}

Provide the Treasure team with the new role’s ARN to complete the setup process.

Prerequisites

  • TDK Core library installed in your project.
  • The Treasure Account you want to act on behalf of must have already created a session through the client-side TDK with the same backendWallet address that will be used to sign the backend-to-backend request. See here for more information on starting sessions from a React-based application.

Usage

import { generateAccountSignature, TDKAPI } from "@treasure-dev/tdk-core";

const tdk = new TDKAPI({
  baseUri: "https://tdk-api.spellcaster.lol",
  chainId: 421614,
  backendWallet: "...", // The backend wallet address provided by the Treasure team
});

const accountAddress = "..."; // The Treasure Account address you want to act on behalf of
const kmsKey = "..."; // The AWS KMS key ARN provided by the Treasure team

await tdk.transaction.create(
  {
    address: "0x55d0cf68a1afe0932aff6f36c87efa703508191c",
    abi: [
      {
        type: "function",
        name: "transfer",
        stateMutability: "nonpayable",
        inputs: [
          {
            name: "recipient",
            type: "address",
          },
          {
            name: "amount",
            type: "uint256",
          },
        ],
        outputs: [
          {
            type: "bool",
          },
        ],
      },
    ] as const,
    functionName: "transfer",
    args: [
      "...", // recipient address
      1000000000000000000000n, // 1,000
    ],
  },
  {
    accountAddress,
    accountSignature: await generateAccountSignature({
      accountAddress,
      kmsKey,
    }),
  },
);

The key change in the above flow is that the TDKAPI client doesn’t need to be created with a user’s auth token. Instead, the account address is specified in the transaction options, along with a payload signed by the backend wallet that will be verified by the TDK API.

See full generateAccountSignature function documentation for more AWS KMS client configuration options.

Getting StartedauthenticateWallet