Using DON-hosted Secrets in Requests

This tutorial shows you how to send a request to a Decentralized Oracle Network to call the Coinmarketcap API. After OCR completes off-chain computation and aggregation, it returns the BTC/USD asset price to your smart contract. Because the API requires you to provide an API key, this guide will also show you how to encrypt, sign your API key, and share the encrypted secret with a Decentralized Oracle Network (DON).

The encrypted secrets are never stored on-chain. This tutorial uses the threshold encryption feature. The encrypted secrets are stored with the DON. Read the Secrets Management page to learn more.

Before you begin

1. Complete the setup steps in the Getting Started guide: The Getting Started Guide shows you how to set up your environment with the necessary tools for these tutorials. You can re-use the same consumer contract for each of these tutorials.

2. Make sure your subscription has enough LINK to pay for your requests. Also, you must maintain a minimum balance to upload encrypted secrets to the DON (Read the minimum balance for uploading encrypted secrets section to learn more). You can check your subscription details (including the balance in LINK) in the Chainlink Functions frontend. If your subscription runs out of LINK, follow the Fund a Subscription guide. This guide recommends maintaining at least 2 LINK within your subscription.

3. You can locate the scripts used in this tutorial in the examples/5-use-secrets-threshold directory.

4. Get a free API key from CoinMarketCap and note your API key.

5. Run npx env-enc set to add an encrypted COINMARKETCAP_API_KEY to your .env.enc file.

   npx env-enc set

Tutorial

This tutorial is configured to get the BTC/USD price with a request that requires API keys. For a detailed explanation of the code example, read the Examine the code section.

To run the example:

1. Open the file request.js, which is located in the 5-use-secrets-threshold folder.

2. Replace the consumer contract address and the subscription ID with your own values.

   const consumerAddress = "0x8dFf78B7EE3128D00E90611FBeD20A71397064D9" // REPLACE this with your Functions consumer address
   const subscriptionId = 3 // REPLACE this with your subscription ID

3. Make a request:

   node examples/5-use-secrets-threshold/request.js

   The script runs your function in a sandbox environment before making an on-chain transaction:

   $ node examples/5-use-secrets-threshold/request.js
   secp256k1 unavailable, reverting to browser version
   Start simulation...
   Performing simulation with the following versions:
   deno 1.36.3 (release, aarch64-apple-darwin)
   v8 11.6.189.12
   typescript 5.1.6
   
   
   Simulation result {
     capturedTerminalOutput: 'Price: 25878.20 USD\n',
     responseBytesHexstring: '0x0000000000000000000000000000000000000000000000000000000000277cac'
   }
   ✅ Decoded response to uint256:  2587820n
   
   Estimate request costs...
   Duplicate definition of Transfer (Transfer(address,address,uint256,bytes), Transfer(address,address,uint256))
   Fulfillment cost estimated to 0.000000000000215 LINK
   
   Make request...
   Upload encrypted secret to gateways https://01.functions-gateway.testnet.chain.link/user. StorageSlotId 0. Expiration in minutes: 15
   
   ✅ Secrets uploaded properly to gateways https://01.functions-gateway.testnet.chain.link/user! Gateways response:  { version: 1693826965, success: true }
   
   ✅ Functions request sent! Transaction hash 0xfc741bb611fe4a8f2af3e40bb959d65d0f7159a5487f3c34c5500e52f9cf028e -  Request id is 0xbb73c5b9748f8c2434310ceb525f29f3b0e479e90f5863496f0db7c4781d2db5. Waiting for a response...
   See your request in the explorer https://mumbai.polygonscan.com/tx/0xfc741bb611fe4a8f2af3e40bb959d65d0f7159a5487f3c34c5500e52f9cf028e
   
   ✅ Request 0xbb73c5b9748f8c2434310ceb525f29f3b0e479e90f5863496f0db7c4781d2db5 fulfilled with code: 0. Cost is 0.000037474891791426 LINK. Complete response:  {
     requestId: '0xbb73c5b9748f8c2434310ceb525f29f3b0e479e90f5863496f0db7c4781d2db5',
     subscriptionId: 3,
     totalCostInJuels: 37474891791426n,
     responseBytesHexstring: '0x0000000000000000000000000000000000000000000000000000000000277b7a',
     errorString: '',
     returnDataBytesHexstring: '0x',
     fulfillmentCode: 0
   }
   
   ✅ Decoded response to uint256:  2587514n

   The output of the example gives you the following information:

   • Your request is first run on a sandbox environment to ensure it is correctly configured.

   • The fulfillment costs are estimated before making the request.

   • The encrypted secrets were uploaded to the secrets endpoint https://01.functions-gateway.testnet.chain.link/user.

   • Your request was successfully sent to Chainlink Functions. The transaction in this example is 0xfc741bb611fe4a8f2af3e40bb959d65d0f7159a5487f3c34c5500e52f9cf028e and the request ID is 0xbb73c5b9748f8c2434310ceb525f29f3b0e479e90f5863496f0db7c4781d2db5.

   • The DON successfully fulfilled your request. The total cost was: 0.000037474891791426 LINK.

   • The consumer contract received a response in bytes with a value of 0x0000000000000000000000000000000000000000000000000000000000277b7a. Decoding it off-chain to uint256 gives you a result: 2587514.

Examine the code

FunctionsConsumerExample.sol

// SPDX-License-Identifier: MIT
pragma solidity 0.8.19;

import {FunctionsClient} from "@chainlink/contracts/src/v0.8/functions/dev/v1_0_0/FunctionsClient.sol";
import {ConfirmedOwner} from "@chainlink/contracts/src/v0.8/shared/access/ConfirmedOwner.sol";
import {FunctionsRequest} from "@chainlink/contracts/src/v0.8/functions/dev/v1_0_0/libraries/FunctionsRequest.sol";

/**
 * THIS IS AN EXAMPLE CONTRACT THAT USES HARDCODED VALUES FOR CLARITY.
 * THIS IS AN EXAMPLE CONTRACT THAT USES UN-AUDITED CODE.
 * DO NOT USE THIS CODE IN PRODUCTION.
 */
contract FunctionsConsumerExample is FunctionsClient, ConfirmedOwner {
    using FunctionsRequest for FunctionsRequest.Request;

    bytes32 public s_lastRequestId;
    bytes public s_lastResponse;
    bytes public s_lastError;

    error UnexpectedRequestID(bytes32 requestId);

    event Response(bytes32 indexed requestId, bytes response, bytes err);

    constructor(
        address router
    ) FunctionsClient(router) ConfirmedOwner(msg.sender) {}

    /**
     * @notice Send a simple request
     * @param source JavaScript source code
     * @param encryptedSecretsUrls Encrypted URLs where to fetch user secrets
     * @param donHostedSecretsSlotID Don hosted secrets slotId
     * @param donHostedSecretsVersion Don hosted secrets version
     * @param args List of arguments accessible from within the source code
     * @param bytesArgs Array of bytes arguments, represented as hex strings
     * @param subscriptionId Billing ID
     */
    function sendRequest(
        string memory source,
        bytes memory encryptedSecretsUrls,
        uint8 donHostedSecretsSlotID,
        uint64 donHostedSecretsVersion,
        string[] memory args,
        bytes[] memory bytesArgs,
        uint64 subscriptionId,
        uint32 gasLimit,
        bytes32 jobId
    ) external onlyOwner returns (bytes32 requestId) {
        FunctionsRequest.Request memory req;
        req.initializeRequestForInlineJavaScript(source);
        if (encryptedSecretsUrls.length > 0)
            req.addSecretsReference(encryptedSecretsUrls);
        else if (donHostedSecretsVersion > 0) {
            req.addDONHostedSecrets(
                donHostedSecretsSlotID,
                donHostedSecretsVersion
            );
        }
        if (args.length > 0) req.setArgs(args);
        if (bytesArgs.length > 0) req.setBytesArgs(bytesArgs);
        s_lastRequestId = _sendRequest(
            req.encodeCBOR(),
            subscriptionId,
            gasLimit,
            jobId
        );
        return s_lastRequestId;
    }

    /**
     * @notice Send a pre-encoded CBOR request
     * @param request CBOR-encoded request data
     * @param subscriptionId Billing ID
     * @param gasLimit The maximum amount of gas the request can consume
     * @param jobId ID of the job to be invoked
     * @return requestId The ID of the sent request
     */
    function sendRequestCBOR(
        bytes memory request,
        uint64 subscriptionId,
        uint32 gasLimit,
        bytes32 jobId
    ) external onlyOwner returns (bytes32 requestId) {
        s_lastRequestId = _sendRequest(
            request,
            subscriptionId,
            gasLimit,
            jobId
        );
        return s_lastRequestId;
    }

    /**
     * @notice Store latest result/error
     * @param requestId The request ID, returned by sendRequest()
     * @param response Aggregated response from the user code
     * @param err Aggregated error from the user code or from the execution pipeline
     * Either response or error parameter will be set, but never both
     */
    function fulfillRequest(
        bytes32 requestId,
        bytes memory response,
        bytes memory err
    ) internal override {
        if (s_lastRequestId != requestId) {
            revert UnexpectedRequestID(requestId);
        }
        s_lastResponse = response;
        s_lastError = err;
        emit Response(requestId, s_lastResponse, s_lastError);
    }
}

• To write a Chainlink Functions consumer contract, your contract must import FunctionsClient.sol and FunctionsRequest.sol. You can read the API references: FunctionsClient and FunctionsRequest.

  These contracts are available in an NPM package, so you can import them from within your project.

  import {FunctionsClient} from "@chainlink/contracts/src/v0.8/functions/dev/v1_0_0/FunctionsClient.sol";
  import {FunctionsRequest} from "@chainlink/contracts/src/v0.8/functions/dev/v1_0_0/libraries/FunctionsRequest.sol";

• Use the FunctionsRequest.sol library to get all the functions needed for building a Chainlink Functions request.

  using FunctionsRequest for FunctionsRequest.Request;

• The latest request id, latest received response, and latest received error (if any) are defined as state variables:

  bytes32 public s_lastRequestId;
  bytes public s_lastResponse;
  bytes public s_lastError;

• We define the Response event that your smart contract will emit during the callback

  event Response(bytes32 indexed requestId, bytes response, bytes err);

• Pass the router address for your network when you deploy the contract:

  constructor(address router) FunctionsClient(router)

• The three remaining functions are:

  • sendRequest for sending a request. It receives the JavaScript source code, encrypted secretsUrls (in case the encrypted secrets are hosted by the user), DON hosted secrets slot id and version (in case the encrypted secrets are hosted by the DON), list of arguments to pass to the source code, subscription id, and callback gas limit as parameters. Then:

    • It uses the FunctionsRequestlibrary to initialize the request and add any passed encrypted secrets reference or arguments. You can read the API Reference for Initializing a request, adding user hosted secrets, adding DON hosted secrets, adding arguments, and adding bytes arguments.

      FunctionsRequest.Request memory req;
      req.initializeRequestForInlineJavaScript(source);
      if (encryptedSecretsUrls.length > 0)
          req.addSecretsReference(encryptedSecretsUrls);
      else if (donHostedSecretsVersion > 0) {
          req.addDONHostedSecrets(
              donHostedSecretsSlotID,
              donHostedSecretsVersion
          );
      }
      if (args.length > 0) req.setArgs(args);
      if (bytesArgs.length > 0) req.setBytesArgs(bytesArgs);

    • It sends the request to the router by calling the FunctionsClient sendRequest function. You can read the API reference for sending a request. Finally, it stores the request id in s_lastRequestId then return it.

      s_lastRequestId = _sendRequest(
          req.encodeCBOR(),
          subscriptionId,
          gasLimit,
          jobId
      );
      return s_lastRequestId;

      Note: _sendRequest accepts requests encoded in bytes. Therefore, you must encode it using encodeCBOR.

  • sendRequestCBOR for sending a request already encoded in bytes. It receives the request object encoded in bytes, subscription id, and callback gas limit as parameters. Then, it sends the request to the router by calling the FunctionsClient sendRequest function. Note: This function is helpful if you want to encode a request off-chain before sending it, saving gas when submitting the request.

• fulfillRequest to be invoked during the callback. This function is defined in FunctionsClient as virtual (read fulfillRequest API reference). So, your smart contract must override the function to implement the callback. The implementation of the callback is straightforward: the contract stores the latest response and error in s_lastResponse and s_lastError before emitting the Response event.

  s_lastResponse = response;
  s_lastError = err;
  emit Response(requestId, s_lastResponse, s_lastError);

JavaScript example

source.js

The Decentralized Oracle Network will run the JavaScript code. The code is self-explanatory and has comments to help you understand all the steps. Note: The custom source code you want to execute in a Functions request can use vanilla Deno but cannot use any require statements or imported modules.

This JavaScript source code uses Functions.makeHttpRequest to make HTTP requests. To request the BTC asset price, the source code calls the https://pro-api.coinmarketcap.com/v1/cryptocurrency/quotes/latest/ URL. If you read the Functions.makeHttpRequest documentation, you see that you must provide the following parameters:

• url: https://pro-api.coinmarketcap.com/v1/cryptocurrency/quotes/latest

• headers: This is an HTTP headers object set to { "X-CMC_PRO_API_KEY": secrets.apiKey }. The apiKey is passed in the secrets, see reques.

• params: The query parameters object:

  {
    convert: currencyCode,
    id: coinMarketCapCoinId
  }

To check the expected API response, run the curl command in your terminal:

curl -X 'GET' \
  'https://pro-api.coinmarketcap.com/v1/cryptocurrency/quotes/latest?id=1&convert=USD' \
  -H 'accept: application/json' \
  -H 'X-CMC_PRO_API_KEY: REPLACE_WITH_YOUR_API_KEY'

The response should be similar to the following example:

{
  ...,
  "data": {
    "1": {
      "id": 1,
      "name": "Bitcoin",
      "symbol": "BTC",
      "slug": "bitcoin",
      ...,
      "quote": {
        "USD": {
          "price": 23036.068560170934,
          "volume_24h": 33185308895.694683,
          "volume_change_24h": 24.8581,
          "percent_change_1h": 0.07027098,
          "percent_change_24h": 1.79073805,
          "percent_change_7d": 10.29859656,
          "percent_change_30d": 38.10735851,
          "percent_change_60d": 39.26624921,
          "percent_change_90d": 11.59835416,
          "market_cap": 443982488416.99316,
          "market_cap_dominance": 42.385,
          "fully_diluted_market_cap": 483757439763.59,
          "tvl": null,
          "last_updated": "2023-01-26T18:27:00.000Z"
        }
      }
    }
  }
}

The price is located at data,1,quote,USD,price.

The main steps of the scripts are:

• Fetch the currencyCode and coinMarketCapCoinId from args.
• Construct the HTTP object coinMarketCapRequest using Functions.makeHttpRequest.
• Make the HTTP call.
• Read the asset price from the response.
• Return the result as a buffer using the helper function: Functions.encodeUint256. Note: Because solidity doesn't support decimals, we multiply the result by 100 and round the result to the nearest integer. Note: Read this article if you are new to Javascript Buffers and want to understand why they are important.

request.js

This explanation focuses on the request.js script and shows how to use the Chainlink Functions NPM package in your own JavaScript/TypeScript project to send requests to a DON. The code is self-explanatory and has comments to help you understand all the steps.

The script imports:

• path and fs : Used to read the source file.
• ethers: Ethers.js library, enables the script to interact with the blockchain.
• @chainlink/functions-toolkit: Chainlink Functions NPM package. All its utilities are documented in the NPM README.
• @chainlink/env-enc: A tool for loading and storing encrypted environment variables. Read the official documentation to learn more.
• ../abi/functionsClient.json: The abi of the contract your script will interact with. Note: The script was tested with this FunctionsConsumerExample contract.

The script has two hardcoded values that you have to change using your own Functions consumer contract and subscription ID:

const consumerAddress = "0x8dFf78B7EE3128D00E90611FBeD20A71397064D9" // REPLACE this with your Functions consumer address
const subscriptionId = 3 // REPLACE this with your subscription ID

The primary function that the script executes is makeRequestMumbai. This function can be broken into six main parts:

1. Definition of necessary identifiers:

   • routerAddress: Chainlink Functions router address on Polygon Mumbai.
   • donId: Identifier of the DON that will fulfill your requests on Polygon Mumbai.
   • gatewayUrls: The secrets endpoint URL to which you will upload the encrypted secrets.
   • explorerUrl: Block explorer url of Polygon Mumbai.
   • source: The source code must be a string object. That's why we use fs.readFileSync to read source.js and then call toString() to get the content as a string object.
   • args: During the execution of your function, These arguments are passed to the source code. The args value is ["1", "USD"], which fetches the BTC/USD price.
   • secrets: The secrets object that will be encrypted.
   • slotIdNumber: Slot ID at the DON where to upload the encrypted secrets.
   • expirationTimeMinutes: Expiration time in minutes of the encrypted secrets.
   • gasLimit: Maximum gas that Chainlink Functions can use when transmitting the response to your contract.
   • Initialization of ethers signer and provider objects. The signer is used to make transactions on the blockchain, and the provider reads data from the blockchain.

2. Simulating your request in a local sandbox environment:

   • Use simulateScript from the Chainlink Functions NPM package.
   • Read the response of the simulation. If successful, use the Functions NPM package decodeResult function and ReturnType enum to decode the response to the expected returned type (ReturnType.uint256 in this example).

3. Estimating the costs:

   • Initialize a SubscriptionManager from the Functions NPM package, then call the estimateFunctionsRequestCost function.
   • The response is returned in Juels (1 LINK = 10**18 Juels). Use the ethers.utils.formatEther utility function to convert the output to LINK.

4. Encrypt the secrets, then upload the encrypted secrets to the DON. This is done in two steps:

   • Initialize a SecretsManager instance from the Functions NPM package, then call the encryptSecrets function.
   • Call the uploadEncryptedSecretsToDON function of the SecretsManager instance. This function returns an object containing a success boolean as long as version, the secret version on the DON storage. Note: When making the request, you must pass the slot ID and version to tell the DON where to fetch the encrypted secrets.

5. Making a Chainlink Functions request:

   • Initialize your functions consumer contract using the contract address, abi, and ethers signer.
   • Make a static call to the sendRequest function of your consumer contract to return the request ID that Chainlink Functions will generate.
   • Call the sendRequest function of your consumer contract.

6. Waiting for the response:

   • Initialize a ResponseListener from the Functions NPM package and then call the listenForResponse function to wait for a response. By default, this function waits for five minutes.
   • Upon reception of the response, use the Functions NPM package decodeResult function and ReturnType enum to decode the response to the expected returned type (ReturnType.uint256 in this example).