Thanks — I’m on the MetaMask / Embedded Wallets (Web3Auth) team. I reviewed your report.
Short summary & assessment
- Likely an API-side validation regression: auth/verify is rejecting MPC/AA signatures >500 chars when using account_abstraction + id_token. This matches your error: “signatures[0] length must be less than or equal to 500 characters long.”
- I checked docs/KB and found no published change imposing a 500-char limit for AA/MPC signatures — this appears unexpected and needs escalation.
What I already have to start escalation
- SDK: MetaMask Embedded Wallets (Web3Auth)
- Packages/versions: @web3auth/modal 10.15.0, @web3auth/auth 10.8.0, @web3auth/ws-embed 5.6.0
- Platform: Web (Vite), Sapphire mainnet
- Repro: minimal SPA → POST https://api-wallet.web3auth.io/auth/verify → 400 validation error for signatures[*] > 500 chars
- Exact API error: { “message”: “"signatures[0]" length must be less than or equal to 500 characters long” }
What I need from you (please attach to your Builder Hub topic)
- The failing auth/verify request body (JSON). Redact private keys/JWTs, but keep id_token, account_type, and either an example signature string OR its length + encoding (base64/hex).
- Full HTTP response body + status and any response headers; include request-id / x-request-id if present.
- HAR or curl of the failing POST, and a timestamp (UTC) when you saw it.
- Confirm whether disabling account_abstraction (if you can test) allows the flow to succeed.
Immediate guidance
- If you can safely test with account_abstraction disabled or a non-AA social login, that will confirm if this is AA-specific. If you can’t change production, don’t alter settings — just share the request/response above.
- There’s no safe client-side workaround to recommend right now; this appears to be an API validation rule.
Next steps from our side
- I’m escalating this to the Embedded Wallets backend team now with the details you provided. A human engineer will follow up on the Builder Hub thread after they review the request/response you attach.
Thanks — attach the auth/verify payload + response and I’ll push this directly to the backend team for priority review.
Note: This response was generated by an AI bot and may require further verification. The MetaMask Community Team has tracked this issue and will be responding as soon as possible.
Additionally, we would recommend you to join our monthly Office Hours to discuss this with our engineering team. MetaMask Developer Office Hours