Skip to main content

Migrating Auth to SDK 0.6.0

This is a guide about migrating authorization code in contracts written before SDK 0.6.0 to the new version of auth (Soroban authorization framework).

For general information on authorization in Soroban see the authorization overview and the example.

Migrating env.invoker()

The simplest authorization approach previously was to use env.invoker(). This concept is no longer present in Soroban SDK or host (it is available at the transaction building time though, details).

In order to migrate a contract that uses env.invoker() do the following:

  1. Add an Address argument to the function signature, for example, addr: Address. This is the authorized entity that we will use instead of invoker.
  2. Call addr.require_auth() at the top of the function code to ensure that the address has authorized the function call.
  3. Replace all the instances of env.invoker() with addr.

A small example of migration:


struct MyContract;
impl MyContract {
fn set_val(env: Env, val: i128) {, &val);


struct MyContract;
impl MyContract {
fn set_val(env: Env, addr: Address, val: i128) {
addr.require_auth();, &val);

A more detailed example can be found in the Soroban timelock example migration PR.

Migrating soroban-auth

For more advanced auth use cases the soroban-auth library could be used. In order to migrate from this library to Soroban authorization framework do the following steps:

  1. Change the type of all the Identifier variables to Address.
  2. Change the type of all the Signature types to Address.
  3. Replace signature verification code with a call of require_auth/require_auth_for_args for the respective Address that has been represented by a Signature before.
  4. Remove nonces and nonce-related code as the replay protection is already ensured by the Soroban host.

An example of soroban-auth migration can be found in the Soroban token example migration PR.