Zero Knowledge & Account Abstraction
Powered by zero-knowledge and account abstraction, the SUMO SDK allows users to create and manage smart wallets with an easy one-click experience. Sign in with any Web2 OAuth provider such as Google, Discord, Apple, WeChat, and many others.
Behind the scenes, SUMO uses session keys to manage accounts. These are stored client-side, ensuring full user sovereignty without the hassle of handling seed phrases.
With your Google account, sign in to your wallet from any device—PC, mobile, or tablet—while maintaining continuous access and control.
Users log in with their Google account. The result is a JSON Web Token (JWT) cryptographically signed by the identity provider. This JWT, along with additional data, is sent to a service that generates a zkProof confirming the user's account ownership without exposing any credentials on-chain. Because a transaction needs both the zkProof and a signature from the ephemeral key, the pair acts as two-factor authentication (2FA) for access to the user's blockchain smart wallet.
Generate Session Keys: The SUMO application generates a pair of ephemeral session keys (esk, epk) for the user’s session. These are created client-side and are short-lived.
OAuth Request: SUMO sends a login request to the OAuth provider (Google) whose nonce contains the ephemeral public key, a block limit for the session, and some randomness.
OAuth Nonce: The nonce travels with the login request. Once the OAuth provider (Google) has authenticated the user, it returns a signed JWT (JSON Web Token) containing the user's authentication data, including the nonce. Because the nonce is covered by the provider's signature, it is what later proves that the session keys were bound to this login.
Create Account: Using the JWT, SUMO computes a unique smart account address for the user. This address remains consistent for future sessions, ensuring users always interact with the same account, even after logging in with new sessions.
Start Session: Using the JWT, SUMO generates a zero-knowledge (ZK) proof. The proof establishes ownership of both the JWT and the ephemeral session keys without revealing any sensitive information publicly.
Sign Transaction: Users can now sign blockchain transactions (like token swaps) using the ZK proof and the ephemeral session key signature, ensuring secure and seamless interaction with the blockchain.
Send Transaction: Once signed, the user submits the transaction to the blockchain.
Session Continuity: Even if the user logs out, they can log in again later using Google OAuth and retain access to the same smart account. The system ensures session continuity while maintaining security and user control.