nymtech · neacsu · Dec 9, 2025 · Dec 3, 2025 · Dec 5, 2025 · Dec 5, 2025
diff --git a/nym-vpn-app/src-tauri/src/error.rs b/nym-vpn-app/src-tauri/src/error.rs
@@ -129,6 +129,7 @@ pub enum ErrorKey {
     MixnetNoBandwidth,
     // Some specific account management errors
     AccountInvalidMnemonic,
+    AccountInvalidSecret,
     NoAccountStored,
     NoDeviceStored,
     ExistingAccount,

diff --git a/nym-vpn-app/src-tauri/src/vpnd/account_error.rs b/nym-vpn-app/src-tauri/src/vpnd/account_error.rs
@@ -33,6 +33,11 @@ impl From<lib::AccountCommandError> for BackendError {
                 ErrorKey::AccountInvalidMnemonic,
                 format!("invalid mnemonic: {e}"),
             ),
+            lib::AccountCommandError::InvalidSecret(e) => BackendError::with_detail(
+                "invalid secret",
+                ErrorKey::AccountInvalidSecret,
+                format!("invalid secret: {e}"),
+            ),
             lib::AccountCommandError::NyxdConnectionFailure(e) => {
                 BackendError::internal_with_detail("failed to connect to nyxd", e)
             }

diff --git a/nym-vpn-app/src-tauri/src/vpnd/client.rs b/nym-vpn-app/src-tauri/src/vpnd/client.rs
@@ -16,7 +16,7 @@ use super::{
 
 use anyhow::Result;
 use lib::UserAgent;
-use nym_vpn_lib_types as lib;
+use nym_vpn_lib_types::{self as lib};
 use nym_vpn_proto::rpc_client::RpcClient;
 use once_cell::sync::Lazy;
 use std::{
@@ -390,7 +390,9 @@ impl VpndClient {
         let mut vpnd = self.vpnd().await?;
 
         let response = vpnd
-            .store_account(lib::StoreAccountRequest::Vpn { mnemonic })
+            .store_account(lib::StoreAccountRequest::Vpn {
+                secret: lib::LoginSecret::Mnemonic(mnemonic),
+            })
             .await
             .map_err(VpndError::RpcClient)
             .inspect_err(|e| {

diff --git a/nym-vpn-core/CHANGELOG.md b/nym-vpn-core/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 - Add custom DNS setting for mobile platforms (https://github.com/nymtech/nym-vpn-client/pull/4106)
+- Login with signature string in addition to mnemonic (https://github.com/nymtech/nym-vpn-client/pull/4117)
 
 ### Fixed
 

diff --git a/nym-vpn-core/Cargo.lock b/nym-vpn-core/Cargo.lock
diff --git a/nym-vpn-core/Cargo.toml b/nym-vpn-core/Cargo.toml
@@ -12,6 +12,8 @@ members = [
     "crates/nym-macos",
     "crates/nym-offline-monitor",
     "crates/nym-platform-metadata",
+    "crates/nym-privy",
+    "crates/nym-utils",
     "crates/nym-routing",
     "crates/nym-setup",
     "crates/nym-statistics",
@@ -189,9 +191,12 @@ nym-gateway-directory = { path = "crates/nym-gateway-directory" }
 nym-ipc = { path = "crates/nym-ipc" }
 nym-macos = { path = "crates/nym-macos" }
 nym-offline-monitor = { path = "crates/nym-offline-monitor" }
+nym-platform-metadata = { path = "crates/nym-platform-metadata" }
+nym-privy = { path = "crates/nym-privy" }
 nym-routing = { path = "crates/nym-routing" }
 nym-statistics = { path = "crates/nym-statistics" }
 nym-statistics-api-client = { path = "crates/nym-statistics-api-client" }
+nym-utils = { path = "crates/nym-utils" }
 nym-vpn-account-controller = { path = "crates/nym-vpn-account-controller" }
 nym-vpn-api-client = { path = "crates/nym-vpn-api-client" }
 nym-vpn-lib = { path = "crates/nym-vpn-lib" }
@@ -202,7 +207,6 @@ nym-vpn-store = { path = "crates/nym-vpn-store" }
 nym-wg-go = { path = "crates/nym-wg-go" }
 nym-wg-metadata-client = { path = "crates/nym-wg-metadata-client" }
 nym-windows = { path = "crates/nym-windows" }
-nym-platform-metadata = { path = "crates/nym-platform-metadata" }
 
 # For normal development
 nym-authenticator-client = { git = "https://github.com/nymtech/nym", branch = "develop" }

diff --git a/nym-vpn-core/crates/nym-privy/Cargo.toml b/nym-vpn-core/crates/nym-privy/Cargo.toml
@@ -0,0 +1,19 @@
+[package]
+name = "nym-privy"
+version.workspace = true
+authors.workspace = true
+repository.workspace = true
+homepage.workspace = true
+documentation.workspace = true
+edition.workspace = true
+license.workspace = true
+
+[lints]
+workspace = true
+
+[dependencies]
+bip39.workspace = true
+hex.workspace = true
+sha2.workspace = true
+thiserror.workspace = true
+
diff --git a/nym-vpn-core/crates/nym-privy/src/error.rs b/nym-vpn-core/crates/nym-privy/src/error.rs
@@ -0,0 +1,11 @@
+// Copyright 2025 - Nym Technologies SA <[email protected]>
+// SPDX-License-Identifier: GPL-3.0-only
+
+#[derive(thiserror::Error, Debug, Clone, PartialEq)]
+pub enum PrivyError {
+    #[error(transparent)]
+    Hex(#[from] hex::FromHexError),
+
+    #[error(transparent)]
+    Bip39(#[from] bip39::Error),
+}
diff --git a/nym-vpn-core/crates/nym-privy/src/lib.rs b/nym-vpn-core/crates/nym-privy/src/lib.rs
@@ -0,0 +1,38 @@
+// Copyright 2025 - Nym Technologies SA <[email protected]>
+// SPDX-License-Identifier: GPL-3.0-only
+
+use bip39::Mnemonic;
+use sha2::{Digest, Sha256};
+
+use crate::error::PrivyError;
+
+pub mod error;
+
+pub const PRIVY_DERIVATION_MESSAGE: &str = "DeriveAccount:NymVPN";
+
+pub fn message_to_sign() -> String {
+    hex::encode(PRIVY_DERIVATION_MESSAGE.as_bytes())
+}
+
+pub fn hex_signature_to_mnemonic(hex_signature: &str) -> Result<Mnemonic, PrivyError> {
+    let bytes_signature = hex::decode(hex_signature)?;
+
+    let mut hasher = Sha256::new();
+    hasher.update(&bytes_signature);
+    let hashed_signature = hasher.finalize();
+
+    let mnemonic = Mnemonic::from_entropy(&hashed_signature)?;
+
+    Ok(mnemonic)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn parse_hex_signature() {
+        assert!(hex_signature_to_mnemonic("deadbeef").is_ok());
+        assert!(hex_signature_to_mnemonic("invalidhex").is_err());
+    }
+}
diff --git a/nym-vpn-core/crates/nym-utils/Cargo.toml b/nym-vpn-core/crates/nym-utils/Cargo.toml
@@ -0,0 +1,22 @@
+[package]
+name = "nym-utils"
+version.workspace = true
+authors.workspace = true
+repository.workspace = true
+homepage.workspace = true
+documentation.workspace = true
+edition.workspace = true
+license.workspace = true
+
+[lints]
+workspace = true
+
+[dependencies]
+bip39.workspace = true
+thiserror.workspace = true
+
+nym-privy.workspace = true
+nym-vpn-lib-types.workspace = true
+
+[dev-dependencies]
+bip39 = { workspace = true, features = ["rand"] }
diff --git a/nym-vpn-core/crates/nym-utils/src/error.rs b/nym-vpn-core/crates/nym-utils/src/error.rs
@@ -0,0 +1,8 @@
+#[derive(thiserror::Error, Debug, Clone, PartialEq)]
+pub enum UtilsError {
+    #[error(transparent)]
+    Bip39(#[from] bip39::Error),
+
+    #[error(transparent)]
+    Privy(#[from] nym_privy::error::PrivyError),
+}
diff --git a/nym-vpn-core/crates/nym-utils/src/lib.rs b/nym-vpn-core/crates/nym-utils/src/lib.rs
@@ -0,0 +1,42 @@
+// Copyright 2025 - Nym Technologies SA <[email protected]>
+// SPDX-License-Identifier: GPL-3.0-only
+
+use bip39::Mnemonic;
+use nym_vpn_lib_types::LoginSecret;
+
+use crate::error::UtilsError;
+
+pub mod error;
+
+pub fn parse_secret(secret: &LoginSecret) -> Result<Mnemonic, UtilsError> {
+    let mnemonic = match secret {
+        LoginSecret::Mnemonic(mnemonic) => Mnemonic::parse(mnemonic)?,
+        LoginSecret::PrivyHexSignature(signature) => {
+            nym_privy::hex_signature_to_mnemonic(signature)?
+        }
+    };
+
+    Ok(mnemonic)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn parse_mnemonic() {
+        let mnemonic = Mnemonic::generate(24).unwrap();
+        let parsed_mnemonic = parse_secret(&LoginSecret::Mnemonic(mnemonic.to_string())).unwrap();
+        assert_eq!(mnemonic, parsed_mnemonic);
+
+        assert!(parse_secret(&LoginSecret::Mnemonic(String::from("invalid mnemonic"))).is_err());
+    }
+
+    #[test]
+    fn parse_hex_signature() {
+        let hex_signature = String::from(
+            "a564a87ccbed5cb5be4929201e555f5b5e26cb01d300d621520d724e57c582c33fa374caf21fd0c5e3118d70d14894845a32acfee47da7f347a0b9a57cba07931c",
+        );
+        assert!(parse_secret(&LoginSecret::PrivyHexSignature(hex_signature)).is_ok());
+    }
+}
diff --git a/nym-vpn-core/crates/nym-vpn-lib-types/src/account/mod.rs b/nym-vpn-core/crates/nym-vpn-lib-types/src/account/mod.rs
@@ -64,6 +64,9 @@ pub enum AccountCommandError {
 
     #[error("invalid mnemonic: {0}")]
     InvalidMnemonic(String),
+
+    #[error("invalid secret: {0}")]
+    InvalidSecret(String),
 }
 
 impl AccountCommandError {

diff --git a/nym-vpn-core/crates/nym-vpn-lib-types/src/lib.rs b/nym-vpn-core/crates/nym-vpn-lib-types/src/lib.rs
@@ -39,6 +39,7 @@ mod gateway;
 mod log_path;
 mod network;
 mod network_stats;
+mod privy;
 mod rpc_requests;
 mod service;
 mod socks5;
@@ -74,9 +75,10 @@ pub use network::{
     SystemConfiguration, SystemMessage, ValidatorDetails,
 };
 pub use network_stats::{NetworkStatisticsConfig, NetworkStatisticsIdentity};
+pub use privy::PrivyDerivationMessage;
 pub use rpc_requests::{
     AccountBalanceResponse, AccountCommandResponse, Coin, DecentralisedObtainTicketbooksRequest,
-    ListGatewaysOptions, StoreAccountRequest,
+    ListGatewaysOptions, LoginSecret, StoreAccountRequest,
 };
 pub use service::{TargetState, VpnServiceConfig, VpnServiceInfo};
 pub use socks5::{HttpRpcSettings, Socks5Settings, Socks5State, Socks5Status};

diff --git a/nym-vpn-core/crates/nym-vpn-lib-types/src/privy.rs b/nym-vpn-core/crates/nym-vpn-lib-types/src/privy.rs
@@ -0,0 +1,16 @@
+// Copyright 2025 - Nym Technologies SA <[email protected]>
+// SPDX-License-Identifier: GPL-3.0-only
+
+#[derive(Clone, Debug)]
+#[cfg_attr(feature = "uniffi-bindings", derive(uniffi::Record))]
+#[cfg_attr(
+    feature = "typescript-bindings",
+    derive(TS),
+    ts(export),
+    ts(export_to = "bindings.ts")
+)]
+#[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
+#[cfg_attr(feature = "typescript-bindings", serde(rename_all = "camelCase"))]
+pub struct PrivyDerivationMessage {
+    pub message: String,
+}
diff --git a/nym-vpn-core/crates/nym-vpn-lib-types/src/rpc_requests.rs b/nym-vpn-core/crates/nym-vpn-lib-types/src/rpc_requests.rs
@@ -16,11 +16,26 @@ pub struct ListGatewaysOptions {
     pub user_agent: Option<UserAgent>,
 }
 
+#[derive(zeroize::Zeroize)]
+#[cfg_attr(feature = "uniffi-bindings", derive(uniffi::Enum))]
+#[cfg_attr(
+    feature = "typescript-bindings",
+    derive(TS),
+    ts(export),
+    ts(export_to = "bindings.ts")
+)]
+#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
+#[cfg_attr(feature = "typescript-bindings", serde(rename_all = "camelCase"))]
+pub enum LoginSecret {
+    Mnemonic(String),
+    PrivyHexSignature(String),
+}
+
 #[derive(zeroize::Zeroize)]
 #[cfg_attr(feature = "uniffi-bindings", derive(uniffi::Enum))]
 pub enum StoreAccountRequest {
-    Vpn { mnemonic: String },
-    Decentralised { mnemonic: String },
+    Vpn { secret: LoginSecret },
+    Decentralised { secret: LoginSecret },
 }
 
 impl std::fmt::Debug for StoreAccountRequest {

diff --git a/nym-vpn-core/crates/nym-vpn-lib-uniffi/Cargo.toml b/nym-vpn-core/crates/nym-vpn-lib-uniffi/Cargo.toml
@@ -42,6 +42,7 @@ nym-sdk.workspace = true
 nym-statistics.workspace = true
 nym-statistics-api-client.workspace = true
 nym-offline-monitor.workspace = true
+nym-privy.workspace = true
 nym-vpn-lib.workspace = true
 nym-vpn-lib-types = { workspace = true, features = [
     "uniffi-bindings",
@@ -55,6 +56,7 @@ nym-http-api-client.workspace = true
 nym-common.workspace = true
 nym-gateway-directory.workspace = true
 nym-platform-metadata.workspace = true
+nym-utils.workspace = true
 
 [target.'cfg(target_os = "macos")'.dependencies]
 nym-vpn-proto = { workspace = true, features = ["rpc_client"] }