fix(core): Remove ZkLogin and JWK by jkrvivian · Pull Request #10737 · iotaledger/iota

jkrvivian · 2026-03-17T08:46:50Z

Description of change

Remove ZkLogin authentication and JWK consensus update support from the codebase.
Protocol config fields for zklogin are preserved to maintain compatibility with historical protocol versions.
ZkLogin variants in enums and consensus transaction kinds are kept, ensuring existing data can still be deserialized.

Links to any relevant issues

None

How the change has been tested

Basic tests (linting, compilation, formatting, unit/integration tests)
Patch-specific tests (correctness, functionality coverage)
I have added tests that prove my fix is effective or that my feature works
I have checked that new and existing unit tests pass locally with my changes

Release Notes

Protocol:
- Removed zkLogin authentication support entirely
- zkLogin signatures (including within multisig) are now rejected
- JWK consensus updates no longer occur
Nodes (Validators and Full nodes):
- Removed jwk_fetch_interval_seconds and zklogin_oauth_providers config options
- Removed JWK periodic fetching and consensus submission
Indexer:
JSON-RPC: Breaking schema changes:
- CompressedSignature and PublicKey: zkLogin variant reshaped from { ZkLogin: <bytes|id> } to the string literal ZkLoginDeprecated.
- GenericSignature.ZkLoginAuthenticator renamed to ZkLoginAuthenticatorDeprecated with a null payload.
- IotaTransactionBlockKind drops the AuthenticatorStateUpdateV1 branch; IotaEndOfEpochTransactionKind drops AuthenticatorStateCreate and AuthenticatorStateExpire; TransactionFilter.TransactionKind drops the "AuthenticatorStateUpdateV1" value.
- Removed schema components: ZkLoginAuthenticator,ZkLoginAuthenticatorAsBytes, ZkLoginInputs, ZkLoginProof, ZkLoginPublicIdentifier, Bn254FqElement, Bn254FrElement, Claim, IotaActiveJwk, IotaJWK, IotaJwkId, IotaAuthenticatorStateExpire.
GraphQL: Hard removals from the public schema:
- Query field verifyZkloginSignature.
- Types ActiveJwk, ActiveJwkConnection, ActiveJwkEdge, AuthenticatorStateCreateTransaction, AuthenticatorStateExpireTransaction, AuthenticatorStateUpdateTransaction, ZkLoginVerifyResult.
- Enum ZkLoginIntentScope.
- TransactionBlockKindInput.AUTHENTICATOR_STATE_UPDATE_V1.
- Union members of EndOfEpochTransactionKind and TransactionBlockKind that pointed at the removed types.- [x] CLI:
- Removed keytool commands: zk-login-sign-and-execute-tx, zk-login-enter-token, zk-login-sig-verify, zk-login-insecure-sign-personal-message
- decode-or-verify-tx now shows "zkLogin is not supported" for zkLogin transactions
Rust SDK:

…atureScheme::ZkLoginAuthenticator`, `PublicKey::ZkLogin` and `CompressedSignature::ZkLogin`

…torTrait` and `epoch` from `verify_authenticator`

…shot

…![allow(deprecated)]`

Reorganize match arms for ConsensusTransactionKind in the consensus validator.

…nIssuerCostParams`

github-actions · 2026-04-23T19:56:10Z

✅ Vercel Preview Deployment is ready!

View Preview

github-actions · 2026-04-23T20:26:01Z

✅ Vercel Preview Deployment is ready!

View Preview

Thoralf-M

Approving the changes in files owned by dev-tools

thibault-martinez · 2026-04-24T07:43:54Z

 // SPDX-License-Identifier: Apache-2.0

+// zkLogin/AuthenticatorStateUpdate types are kept (deprecated) for
+// serialization compatibility only.


There are actually no types kept in this file? Did you mean the variants?

github-actions · 2026-04-24T07:55:19Z

✅ Vercel Preview Deployment is ready!

View Preview

alexsporn

LGTM

jkrvivian added the node Issues related to the Core Node team label Mar 17, 2026