nymtech · neacsu · Dec 9, 2025 · Dec 3, 2025 · Dec 5, 2025 · Dec 5, 2025
diff --git a/nym-vpn-app/src-tauri/src/error.rs b/nym-vpn-app/src-tauri/src/error.rs
@@ -129,6 +129,7 @@ pub enum ErrorKey {
     MixnetNoBandwidth,
     // Some specific account management errors
     AccountInvalidMnemonic,
+    AccountInvalidPrivateKey,
     NoAccountStored,
     NoDeviceStored,
     ExistingAccount,

diff --git a/nym-vpn-app/src-tauri/src/vpnd/account_error.rs b/nym-vpn-app/src-tauri/src/vpnd/account_error.rs
@@ -33,6 +33,11 @@ impl From<lib::AccountCommandError> for BackendError {
                 ErrorKey::AccountInvalidMnemonic,
                 format!("invalid mnemonic: {e}"),
             ),
+            lib::AccountCommandError::InvalidPrivateKey(e) => BackendError::with_detail(
+                "invalid private key",
+                ErrorKey::AccountInvalidPrivateKey,
+                format!("invalid private key: {e}"),
+            ),
             lib::AccountCommandError::NyxdConnectionFailure(e) => {
                 BackendError::internal_with_detail("failed to connect to nyxd", e)
             }

diff --git a/nym-vpn-app/src-tauri/src/vpnd/client.rs b/nym-vpn-app/src-tauri/src/vpnd/client.rs
@@ -16,7 +16,7 @@ use super::{
 
 use anyhow::Result;
 use lib::UserAgent;
-use nym_vpn_lib_types as lib;
+use nym_vpn_lib_types::{self as lib};
 use nym_vpn_proto::rpc_client::RpcClient;
 use once_cell::sync::Lazy;
 use std::{
@@ -390,7 +390,9 @@ impl VpndClient {
         let mut vpnd = self.vpnd().await?;
 
         let response = vpnd
-            .store_account(lib::StoreAccountRequest::Vpn { mnemonic })
+            .store_account(lib::StoreAccountRequest::Vpn {
+                secret: lib::LoginSecret::Mnemonic(mnemonic),
+            })
             .await
             .map_err(VpndError::RpcClient)
             .inspect_err(|e| {

diff --git a/nym-vpn-core/CHANGELOG.md b/nym-vpn-core/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 - Add custom DNS setting for mobile platforms (https://github.com/nymtech/nym-vpn-client/pull/4106)
+- Login with private key in addition to mnemonic (https://github.com/nymtech/nym-vpn-client/pull/4117)
 
 ### Fixed
 

diff --git a/nym-vpn-core/Cargo.lock b/nym-vpn-core/Cargo.lock
diff --git a/nym-vpn-core/crates/nym-vpn-lib-types/src/account/mod.rs b/nym-vpn-core/crates/nym-vpn-lib-types/src/account/mod.rs
@@ -64,6 +64,9 @@ pub enum AccountCommandError {
 
     #[error("invalid mnemonic: {0}")]
     InvalidMnemonic(String),
+
+    #[error("invalid private key: {0}")]
+    InvalidPrivateKey(String),
 }
 
 impl AccountCommandError {

diff --git a/nym-vpn-core/crates/nym-vpn-lib-types/src/lib.rs b/nym-vpn-core/crates/nym-vpn-lib-types/src/lib.rs
@@ -73,7 +73,7 @@ pub use network::{
 };
 pub use rpc_requests::{
     AccountBalanceResponse, AccountCommandResponse, Coin, DecentralisedObtainTicketbooksRequest,
-    ListGatewaysOptions, StoreAccountRequest,
+    ListGatewaysOptions, LoginSecret, StoreAccountRequest,
 };
 pub use service::{TargetState, VpnServiceConfig, VpnServiceInfo};
 pub use socks5::{HttpRpcSettings, Socks5Settings, Socks5State, Socks5Status};

diff --git a/nym-vpn-core/crates/nym-vpn-lib-types/src/rpc_requests.rs b/nym-vpn-core/crates/nym-vpn-lib-types/src/rpc_requests.rs
@@ -16,11 +16,26 @@ pub struct ListGatewaysOptions {
     pub user_agent: Option<UserAgent>,
 }
 
+#[derive(zeroize::Zeroize)]
+#[cfg_attr(feature = "uniffi-bindings", derive(uniffi::Enum))]
+#[cfg_attr(
+    feature = "typescript-bindings",
+    derive(TS),
+    ts(export),
+    ts(export_to = "bindings.ts")
+)]
+#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
+#[cfg_attr(feature = "typescript-bindings", serde(rename_all = "camelCase"))]
+pub enum LoginSecret {
+    Mnemonic(String),
+    PrivateKeyHex(String),
+}
+
 #[derive(zeroize::Zeroize)]
 #[cfg_attr(feature = "uniffi-bindings", derive(uniffi::Enum))]
 pub enum StoreAccountRequest {
-    Vpn { mnemonic: String },
-    Decentralised { mnemonic: String },
+    Vpn { secret: LoginSecret },
+    Decentralised { secret: LoginSecret },
 }
 
 impl std::fmt::Debug for StoreAccountRequest {

diff --git a/nym-vpn-core/crates/nym-vpn-lib-uniffi/Cargo.toml b/nym-vpn-core/crates/nym-vpn-lib-uniffi/Cargo.toml
@@ -16,6 +16,7 @@ workspace = true
 
 [dependencies]
 async-trait.workspace = true
+hex.workspace = true
 ipnetwork.workspace = true
 itertools.workspace = true
 lazy_static.workspace = true

diff --git a/nym-vpn-core/crates/nym-vpn-lib-uniffi/src/account.rs b/nym-vpn-core/crates/nym-vpn-lib-uniffi/src/account.rs
@@ -11,7 +11,7 @@ use nym_offline_monitor::ConnectivityHandle;
 use nym_vpn_account_controller::{AccountCommandSender, AccountStateReceiver, NyxdClient};
 use nym_vpn_api_client::types::{Platform, VpnAccount};
 use nym_vpn_lib::{new_user_agent, storage::VpnClientOnDiskStorage};
-use nym_vpn_lib_types::{AccountControllerState, RegisterAccountResponse};
+use nym_vpn_lib_types::{AccountControllerState, LoginSecret, RegisterAccountResponse};
 use nym_vpn_network_config::Network;
 use nym_vpn_store::{
     account::Mnemonic,
@@ -198,14 +198,24 @@ pub(super) async fn update_account_state() -> Result<(), VpnError> {
         .map_err(VpnError::from)
 }
 
-async fn parse_mnemonic(mnemonic: &str) -> Result<Mnemonic, VpnError> {
-    Mnemonic::parse(mnemonic).map_err(|err| VpnError::InvalidMnemonic {
+fn parse_secret(secret: &LoginSecret) -> Result<Mnemonic, VpnError> {
+    let ret = match secret {
+        LoginSecret::Mnemonic(mnemonic) => Mnemonic::parse(mnemonic),
+        LoginSecret::PrivateKeyHex(private_key_hex) => {
+            let key_bytes =
+                hex::decode(private_key_hex).map_err(|err| VpnError::InvalidPrivateKey {
+                    details: err.to_string(),
+                })?;
+            Mnemonic::from_entropy(&key_bytes)
+        }
+    };
+    ret.map_err(|err| VpnError::InvalidMnemonic {
         details: err.to_string(),
     })
 }
 
-pub(super) async fn login(mnemonic: &str) -> Result<(), VpnError> {
-    let mnemonic = parse_mnemonic(mnemonic).await?;
+pub(super) async fn login(secret: &LoginSecret) -> Result<(), VpnError> {
+    let mnemonic = parse_secret(secret)?;
     get_command_sender()
         .await?
         .store_account(mnemonic.into())
@@ -313,15 +323,19 @@ pub(crate) mod raw {
         Ok(VpnClientOnDiskStorage::new(path))
     }
 
-    pub(crate) async fn login_raw(mnemonic: &str, path: &str) -> Result<(), VpnError> {
-        let mnemonic = parse_mnemonic(mnemonic).await?;
+    async fn login_inner(mnemonic: Mnemonic, path: &str) -> Result<(), VpnError> {
         get_account_by_mnemonic_raw(mnemonic.clone()).await?;
         let storage = setup_account_storage(path).await?;
         storage.store_account(mnemonic.into()).await?;
         storage.init_keys(None).await?;
         Ok(())
     }
 
+    pub(crate) async fn login_raw(secret: &LoginSecret, path: &str) -> Result<(), VpnError> {
+        let mnemonic = parse_secret(secret)?;
+        login_inner(mnemonic, path).await
+    }
+
     pub(crate) async fn create_account_raw(path: &str) -> Result<(), VpnError> {
         let (_, mnemonic) = VpnAccount::generate_new().map_err(VpnError::internal)?;
         let storage = setup_account_storage(path).await?;

diff --git a/nym-vpn-core/crates/nym-vpn-lib-uniffi/src/error.rs b/nym-vpn-core/crates/nym-vpn-lib-uniffi/src/error.rs
@@ -49,6 +49,9 @@ pub enum VpnError {
     #[error("failed to parse mnemonic with error: {details}")]
     InvalidMnemonic { details: String },
 
+    #[error("failed to parse private key with error: {details}")]
+    InvalidPrivateKey { details: String },
+
     #[error("invalid account storage path: {details}")]
     InvalidAccountStoragePath { details: String },
 
@@ -120,6 +123,7 @@ impl From<AccountCommandError> for VpnError {
             },
             AccountCommandError::ExistingAccount => Self::ExistingAccount,
             AccountCommandError::InvalidMnemonic(details) => Self::InvalidMnemonic { details },
+            AccountCommandError::InvalidPrivateKey(details) => Self::InvalidPrivateKey { details },
             AccountCommandError::NyxdConnectionFailure(details) => {
                 Self::NyxdConnectionFailure { details }
             }

diff --git a/nym-vpn-core/crates/nym-vpn-lib-uniffi/src/lib.rs b/nym-vpn-core/crates/nym-vpn-lib-uniffi/src/lib.rs
@@ -76,7 +76,7 @@ use sentry::ClientInitGuard;
 use tokio::{runtime::Runtime, sync::Mutex};
 
 use nym_vpn_lib_types::{
-    AccountControllerState, EntryPoint, ExitPoint, Gateway, GatewayType, Network,
+    AccountControllerState, EntryPoint, ExitPoint, Gateway, GatewayType, LoginSecret, Network,
     NetworkCompatibility, ParsedAccountLinks, RegisterAccountResponse, SystemMessage, TunnelEvent,
     UserAgent,
 };
@@ -271,8 +271,8 @@ pub fn getAccountLinksRaw(
 /// Import the account mnemonic
 #[allow(non_snake_case)]
 #[uniffi::export]
-pub fn login(mnemonic: String) -> Result<(), VpnError> {
-    RUNTIME.block_on(account::login(&mnemonic))
+pub fn login(secret: LoginSecret) -> Result<(), VpnError> {
+    RUNTIME.block_on(account::login(&secret))
 }
 
 /// Generate the account mnemonic locally and store it.
@@ -293,8 +293,8 @@ pub fn registerAccount(args: AccountRegistrationArgs) -> Result<RegisterAccountR
 /// This is a version that can be called when the account controller is not running.
 #[allow(non_snake_case)]
 #[uniffi::export]
-pub fn loginRaw(mnemonic: String, path: String) -> Result<(), VpnError> {
-    RUNTIME.block_on(account::raw::login_raw(&mnemonic, &path))
+pub fn loginRaw(secret: LoginSecret, path: String) -> Result<(), VpnError> {
+    RUNTIME.block_on(account::raw::login_raw(&secret, &path))
 }
 
 /// Generate the account mnemonic locally and store it.

diff --git a/nym-vpn-core/crates/nym-vpn-proto/proto/nym_vpn_service.proto b/nym-vpn-core/crates/nym-vpn-proto/proto/nym_vpn_service.proto
@@ -572,6 +572,7 @@ message AccountCommandError {
     bool no_device_stored = 6;
     bool existing_account = 7;
     bool offline = 8;
+    string invalid_private_key = 9;
     string invalid_mnemonic = 10;
     string nyxd_connection_failure = 11;
     string nyxd_query_failure = 12;
@@ -674,13 +675,20 @@ message StoreAccountRequest {
   }
 }
 
+message LoginSecret {
+  oneof login_type {
+    string mnemonic = 1;
+    string private_key_hex = 2;
+  }
+}
+
 // VPN variant with mnemonic
 message VpnAccountStoreRequest {
-  string mnemonic = 1;
+  LoginSecret secret = 1;
 }
 
 message DecentralisedAccountStoreRequest {
-  string mnemonic = 1;
+  LoginSecret secret = 1;
 }
 
 message DecentralisedObtainTicketbooksRequest {

diff --git a/nym-vpn-core/crates/nym-vpn-proto/src/conversions/account.rs b/nym-vpn-core/crates/nym-vpn-proto/src/conversions/account.rs
@@ -31,6 +31,9 @@ impl TryFrom<proto::AccountCommandError> for AccountCommandError {
             proto::account_command_error::ErrorDetail::InvalidMnemonic(message) => {
                 Self::InvalidMnemonic(message)
             }
+            proto::account_command_error::ErrorDetail::InvalidPrivateKey(message) => {
+                Self::InvalidPrivateKey(message)
+            }
             proto::account_command_error::ErrorDetail::NyxdConnectionFailure(err) => {
                 Self::NyxdConnectionFailure(err)
             }
@@ -132,6 +135,11 @@ impl From<AccountCommandError> for proto::AccountCommandError {
                     err,
                 )),
             },
+            AccountCommandError::InvalidPrivateKey(err) => proto::AccountCommandError {
+                error_detail: Some(
+                    proto::account_command_error::ErrorDetail::InvalidPrivateKey(err),
+                ),
+            },
             AccountCommandError::NyxdConnectionFailure(err) => proto::AccountCommandError {
                 error_detail: Some(
                     proto::account_command_error::ErrorDetail::NyxdConnectionFailure(err),

diff --git a/nym-vpn-core/crates/nym-vpn-proto/src/conversions/vpnd.rs b/nym-vpn-core/crates/nym-vpn-proto/src/conversions/vpnd.rs
@@ -475,13 +475,47 @@ impl TryFrom<proto::StoreAccountRequest> for StoreAccountRequest {
 
         Ok(match request {
             proto::store_account_request::Request::VpnAccountStore(account) => {
-                StoreAccountRequest::Vpn {
-                    mnemonic: account.mnemonic,
+                match account
+                    .secret
+                    .ok_or(ConversionError::NoValueSet(
+                        "StoreAccountRequest.request.secret",
+                    ))?
+                    .login_type
+                    .ok_or(ConversionError::NoValueSet(
+                        "StoreAccountRequest.request.secret.login_type",
+                    ))? {
+                    proto::login_secret::LoginType::Mnemonic(mnemonic) => {
+                        nym_vpn_lib_types::StoreAccountRequest::Vpn {
+                            secret: nym_vpn_lib_types::LoginSecret::Mnemonic(mnemonic),
+                        }
+                    }
+                    proto::login_secret::LoginType::PrivateKeyHex(private_key_hex) => {
+                        nym_vpn_lib_types::StoreAccountRequest::Vpn {
+                            secret: nym_vpn_lib_types::LoginSecret::PrivateKeyHex(private_key_hex),
+                        }
+                    }
                 }
             }
             proto::store_account_request::Request::DecentralisedAccountStore(account) => {
-                nym_vpn_lib_types::StoreAccountRequest::Decentralised {
-                    mnemonic: account.mnemonic,
+                match account
+                    .secret
+                    .ok_or(ConversionError::NoValueSet(
+                        "StoreAccountRequest.request.secret",
+                    ))?
+                    .login_type
+                    .ok_or(ConversionError::NoValueSet(
+                        "StoreAccountRequest.request.secret.login_type",
+                    ))? {
+                    proto::login_secret::LoginType::Mnemonic(mnemonic) => {
+                        nym_vpn_lib_types::StoreAccountRequest::Decentralised {
+                            secret: nym_vpn_lib_types::LoginSecret::Mnemonic(mnemonic),
+                        }
+                    }
+                    proto::login_secret::LoginType::PrivateKeyHex(private_key_hex) => {
+                        nym_vpn_lib_types::StoreAccountRequest::Decentralised {
+                            secret: nym_vpn_lib_types::LoginSecret::PrivateKeyHex(private_key_hex),
+                        }
+                    }
                 }
             }
         })
@@ -491,16 +525,54 @@ impl TryFrom<proto::StoreAccountRequest> for StoreAccountRequest {
 impl From<StoreAccountRequest> for proto::StoreAccountRequest {
     fn from(value: StoreAccountRequest) -> Self {
         let request = match value {
-            StoreAccountRequest::Vpn { mnemonic } => {
-                proto::store_account_request::Request::VpnAccountStore(
-                    proto::VpnAccountStoreRequest { mnemonic },
-                )
-            }
-            nym_vpn_lib_types::StoreAccountRequest::Decentralised { mnemonic } => {
-                proto::store_account_request::Request::DecentralisedAccountStore(
-                    proto::DecentralisedAccountStoreRequest { mnemonic },
-                )
-            }
+            StoreAccountRequest::Vpn { secret } => match secret {
+                nym_vpn_lib_types::LoginSecret::Mnemonic(mnemonic) => {
+                    proto::store_account_request::Request::VpnAccountStore(
+                        proto::VpnAccountStoreRequest {
+                            secret: Some(proto::LoginSecret {
+                                login_type: Some(proto::login_secret::LoginType::Mnemonic(
+                                    mnemonic,
+                                )),
+                            }),
+                        },
+                    )
+                }
+                nym_vpn_lib_types::LoginSecret::PrivateKeyHex(private_key_hex) => {
+                    proto::store_account_request::Request::VpnAccountStore(
+                        proto::VpnAccountStoreRequest {
+                            secret: Some(proto::LoginSecret {
+                                login_type: Some(proto::login_secret::LoginType::PrivateKeyHex(
+                                    private_key_hex,
+                                )),
+                            }),
+                        },
+                    )
+                }
+            },
+            nym_vpn_lib_types::StoreAccountRequest::Decentralised { secret } => match secret {
+                nym_vpn_lib_types::LoginSecret::Mnemonic(mnemonic) => {
+                    proto::store_account_request::Request::DecentralisedAccountStore(
+                        proto::DecentralisedAccountStoreRequest {
+                            secret: Some(proto::LoginSecret {
+                                login_type: Some(proto::login_secret::LoginType::Mnemonic(
+                                    mnemonic,
+                                )),
+                            }),
+                        },
+                    )
+                }
+                nym_vpn_lib_types::LoginSecret::PrivateKeyHex(private_key_hex) => {
+                    proto::store_account_request::Request::DecentralisedAccountStore(
+                        proto::DecentralisedAccountStoreRequest {
+                            secret: Some(proto::LoginSecret {
+                                login_type: Some(proto::login_secret::LoginType::PrivateKeyHex(
+                                    private_key_hex,
+                                )),
+                            }),
+                        },
+                    )
+                }
+            },
         };
 
         proto::StoreAccountRequest {