Connecting a decentralized application to a user’s wallet sounds simple and is not. The dApp runs in a browser, the wallet lives on a phone, and the two need to exchange signed transactions securely without trusting the network in between. For QRL 2.0 we built QRL Connect, an open-source SDK that solves this with a self-hosted, end-to-end encrypted, post-quantum channel. This post explains how it works and how you can drop it into your own dApp.<\/p>\n\n\n\n
The obvious question is why not just use WalletConnect. Two reasons. First, WalletConnect v2 depends on third-party cloud infrastructure, and we wanted a transport we fully control and can self-host. Second, generic wallets do not understand QRL 2.0’s Q-prefixed addresses or its post-quantum signature scheme. Since we build both the dApp SDK and the wallet, a purpose-built protocol let us put post-quantum cryptography directly into the transport layer, instead of the classical key exchange WalletConnect relies on.<\/p>\n\n\n\n
Everything between the dApp and the wallet is end-to-end encrypted, and the relay server in the middle only ever sees ciphertext. The building blocks are all NIST-standardized post-quantum or well-established primitives:<\/p>\n\n\n\n
The session key is tied to the entire handshake transcript (a label, the channel id, the public key, and the KEM ciphertext). That binding closes a class of attacks where a malicious peer tries to make two sessions agree on a key while disagreeing about who is who.<\/p>\n\n\n\n
Establishing the channel takes three steps, modeled loosely on a TCP handshake:<\/p>\n\n\n\n
From that point on, every request and response is an AES-256-GCM ciphertext passing through a relay that cannot read it.<\/p>\n\n\n\n
QRL Connect speaks an EIP-1193 style provider interface, so it feels familiar to anyone who has used a browser wallet, but the signing methods are post-quantum native. The methods The SDK is published on npm as Then create a connection, show the URI as a QR code (or open it as a deep link on mobile), and use it like any EIP-1193 provider:<\/p>\n\n\n\n That is the whole flow. Read-only calls such as Sessions persist in the browser’s local storage for seven days. When a user returns to your dApp, the SDK can reconnect to the existing channel without a fresh QR scan. Use The relay is a lightweight message router that only forwards ciphertext, and it is part of our open-source backend. If you would rather run your own, point the SDK at it with a single config option:<\/p>\n\n\n\nqrl_signMessage<\/code> and qrl_signTypedData<\/code> use SHAKE256 hashing and QRL 2.0’s ML-DSA-87 (Dilithium) signatures. They return a rich result that includes the signature, the public key, and the signer, and you can verify it locally with the verifyMessage<\/code> and verifyTypedData<\/code> helpers the package exports. The old Ethereum-flavored signing methods were removed in version 3.0.0.<\/p>\n\n\n\nAdding it to your dApp<\/h4>\n\n\n\n
@qrlwallet\/connect<\/code>. Install it:<\/p>\n\n\n\nnpm install @qrlwallet\/connect<\/code><\/pre>\n\n\n\nimport { QRLConnect } from '@qrlwallet\/connect';\n\nconst qrl = new QRLConnect({\n dappMetadata: { name: 'My QRL dApp', url: 'https:\/\/mydapp.com' },\n});\n\n\/\/ Get the pairing URI\nconst uri = await qrl.getConnectionURI();\n\nif (qrl.isMobile()) {\n window.location.href = uri; \/\/ open the wallet app via deep link\n} else {\n \/\/ render `uri` as a QR code using any QR library\n}\n\nqrl.on('connect', ({ chainId }) => {\n console.log('Wallet connected on chain', chainId);\n});\n\n\/\/ Use it like any EIP-1193 provider\nconst accounts = await qrl.request({ method: 'qrl_requestAccounts' });\n\nconst txHash = await qrl.request({\n method: 'qrl_sendTransaction',\n params: [{ from: accounts[0], to: '0x...', value: '0x2386F26FC10000' }], \/\/ 0.01 QRL\n});<\/code><\/pre>\n\n\n\nqrl_getBalance<\/code> or qrl_blockNumber<\/code> are proxied automatically, while anything that needs approval, like sending a transaction or signing a message, prompts the user inside the wallet.<\/p>\n\n\n\nSessions and reconnection<\/h4>\n\n\n\n
hasStoredSession()<\/code> on page load to decide whether to show a reconnect state, keep one QRLConnect<\/code> instance for the page lifetime, and call newConnection()<\/code> only when the user wants to pair a different wallet. Listen to the statusChanged<\/code> event for UI transitions rather than reaching into internals.<\/p>\n\n\n\nSelf-hosting the relay<\/h4>\n\n\n\n
const qrl = new QRLConnect({\n dappMetadata: { name: 'My dApp', url: 'https:\/\/mydapp.com' },\n relayUrl: 'https:\/\/my-relay-server.com',\n});<\/code><\/pre>\n\n\n\nTry it and read the code<\/h4>\n\n\n\n