diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1c3cacd13..b13a53278 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -98,7 +98,7 @@ jobs:
       - name: Install Playwright Chromium Browser
         run: pnpm exec playwright install chromium
         working-directory: examples/demo-app
-      - name: Run e2e tests
+      - name: Run ERC4337 e2e tests
         run: pnpm nx e2e:erc4337 demo-app
       - uses: actions/upload-artifact@v4
         if: ${{ !cancelled() }}
@@ -106,7 +106,31 @@ jobs:
           name: demo-app-4337-playwright-report
           path: examples/demo-app/playwright-report/
           retention-days: 3
-  
+
+      # Start Auth Server API as a long-lived background service (port 3005)
+      - name: Start Auth Server API
+        run: |
+          nohup pnpm nx dev auth-server-api > /tmp/auth-server-api.log 2>&1 &
+          echo $! > /tmp/auth-server-api.pid
+          echo "Waiting for Auth Server API on 3005..."
+          timeout 60 bash -c 'until nc -z localhost 3005; do echo "Wait-API: Waiting..."; sleep 1; done'
+          echo "Auth Server API ready."
+
+      - name: Show Auth Server API logs on failure
+        if: failure()
+        run: |
+          echo "--- auth-server-api.log (tail) ---"
+          tail -200 /tmp/auth-server-api.log || true
+
+      - name: Run demo-only e2e tests (session + passkey)
+        run: pnpm nx e2e:demo-only demo-app
+      - uses: actions/upload-artifact@v4
+        if: ${{ !cancelled() }}
+        with:
+          name: demo-app-demo-only-playwright-report
+          path: examples/demo-app/playwright-report/
+          retention-days: 3
+
   # e2e-nft-quest:
   #   runs-on: ubuntu-latest
   #   defaults:
@@ -166,4 +190,4 @@ jobs:
   #       with:
   #         name: nft-quest-playwright-report
   #         path: examples/nft-quest/playwright-report/
-  #         retention-days: 3
\ No newline at end of file
+  #         retention-days: 3
diff --git a/docs/paymaster-implementation-plan.md b/docs/paymaster-implementation-plan.md
new file mode 100644
index 000000000..490022e9f
--- /dev/null
+++ b/docs/paymaster-implementation-plan.md
@@ -0,0 +1,254 @@
+# Paymaster Implementation Plan
+
+## Overview
+
+Add General Paymaster support to the ZKsync SSO auth server and SDK, enabling
+gas sponsorship for both regular transactions and session creation. Paymaster
+sponsorship works transparently without requiring UI changes.
+
+## Requirements
+
+### 1. Paymaster Type
+
+- **General Paymaster** (simple sponsorship model)
+- Uses existing `createGeneralPaymaster()` handler from SDK
+- TestPaymaster contract already exists at
+  `packages/erc4337-contracts/src/test/TestPaymaster.sol`
+
+### 2. UI Requirements
+
+- **No extra display** — Paymaster works transparently in the background
+- No fee comparison UI, no sponsorship badges
+- Existing fee displays remain unchanged
+
+### 3. Session Integration
+
+- **No automatic session + paymaster coupling**
+- Sessions and paymasters are independent features
+- **Can create sessions WITH paymaster enabled** — session creation transaction
+  can be sponsored
+- Session fee limits remain independent of paymaster (track actual gas spent,
+  not sponsored amounts)
+
+### 4. Test Requirements
+
+- **Use unfunded accounts** to prove paymaster sponsorship works
+- Transactions that would fail without paymaster must succeed with it
+- Fund test paymaster in `beforeAll()` hook, reuse single instance across tests
+- Add negative test case: verify unfunded account fails without paymaster
+
+### 5. Configuration Options
+
+- **Support both**: paymaster address (simple) and handler function (advanced)
+- Address-only → automatically use General Paymaster handler
+- Custom handler → supports future ZyFi/custom integrations
+
+## Architecture Changes
+
+### SDK-4337 Connector
+
+```typescript
+// packages/sdk-4337/src/connector/index.ts
+export interface ZksyncSsoConnectorParameters {
+  // ... existing params
+  paymaster?: Address | CustomPaymasterHandler;
+}
+```
+
+### Client Creation Flow
+
+```
+zksyncSsoConnector({ paymaster: "0x..." })
+  └→ getClient({ paymasterHandler })
+     └→ createSmartAccountClient({ paymasterHandler })
+        └→ bundler uses handler in getTransactionWithPaymasterData()
+```
+
+### Test Architecture
+
+```
+beforeAll:
+  1. Deploy TestPaymaster contract
+  2. Fund paymaster with 10 ETH from rich account
+  3. Export paymaster address to test config
+
+Tests:
+  1. Create unfunded account (skip fundAccount() call)
+  2. Verify balance = 0
+  3. Send transaction WITH paymaster → Success
+  4. Send transaction WITHOUT paymaster → Fail (insufficient funds)
+  5. Create session WITH paymaster → Success
+  6. Execute session transaction WITH paymaster → Success
+```
+
+## Implementation Tasks
+
+### 1. SDK-4337 Connector Enhancement
+
+- [ ] Add `paymaster?: Address | CustomPaymasterHandler` to connector parameters
+- [ ] Convert address to handler using `createGeneralPaymaster()` if needed
+- [ ] Pass handler through to client creation
+
+**Files**:
+
+- `packages/sdk-4337/src/connector/index.ts`
+- `packages/sdk-4337/src/connector/types.ts`
+
+### 2. Client Creation Threading
+
+- [ ] Accept `paymasterHandler` parameter in `getClient()`
+- [ ] Thread handler to `createSmartAccountClient()`
+- [ ] Ensure handler is applied in bundler's transaction preparation
+
+**Files**:
+
+- `packages/sdk-4337/src/client-auth-server/index.ts`
+- `packages/sdk-4337/src/client-auth-server/client.ts`
+
+### 3. Demo-App Paymaster Deployment
+
+- [ ] Create deployment script for TestPaymaster
+- [ ] Export deployed address to `contracts-anvil.json`
+- [ ] Add funding helper in test utilities
+
+**Files**:
+
+- `examples/demo-app/scripts/deploy-paymaster.ts` (new)
+- `examples/demo-app/contracts-anvil.json`
+
+### 4. Demo-App Connector Configuration
+
+- [ ] Add paymaster address constant
+- [ ] Create `zksyncConnectorWithPaymaster` instance
+- [ ] Optionally add UI toggle for testing (button to connect with/without
+      paymaster)
+
+**Files**:
+
+- `examples/demo-app/pages/index.vue`
+
+### 5. E2E Test Suite: Paymaster Flows
+
+- [ ] Add `beforeAll` hook to deploy and fund paymaster
+- [ ] Helper: `createUnfundedAccount()` (skip funding step)
+- [ ] Test: "Unfunded account transaction fails without paymaster"
+- [ ] Test: "Unfunded account transaction succeeds with paymaster"
+- [ ] Test: "Unfunded account creates session with paymaster"
+- [ ] Test: "Session transaction uses paymaster successfully"
+
+**Files**:
+
+- `examples/demo-app/tests/create-account.spec.ts` (add new test suite)
+- Or create new file: `examples/demo-app/tests/paymaster.spec.ts`
+
+## Key Technical Details
+
+### Paymaster Handler Flow
+
+```typescript
+// SDK already has infrastructure:
+export type CustomPaymasterHandler = (
+  args: CustomPaymasterParameters,
+) => Promise<CustomPaymasterHandlerResponse>;
+
+// Response includes:
+interface CustomPaymasterHandlerResponse {
+  paymaster: Address;
+  paymasterInput: Hex;
+  // Optional fee overrides:
+  maxFeePerGas?: bigint;
+  maxPriorityFeePerGas?: bigint;
+}
+```
+
+### General Paymaster Handler
+
+```typescript
+// Already implemented in packages/sdk-4337/src/handlers/general.ts
+export function createGeneralPaymaster(
+  paymaster: Address,
+): CustomPaymasterHandler {
+  return async (_): Promise<CustomPaymasterHandlerResponse> => {
+    return {
+      paymaster,
+      paymasterInput: getGeneralPaymasterInput({ innerInput: "0x" }),
+    };
+  };
+}
+```
+
+### TestPaymaster Contract
+
+```solidity
+// Already exists at packages/erc4337-contracts/src/test/TestPaymaster.sol
+contract TestPaymaster is IPaymaster {
+  function validatePaymasterUserOp(...) external pure returns (...) {
+    return ("", 0); // Always approves
+  }
+
+  function postOp(...) external {}
+
+  receive() external payable {} // Can receive funds
+}
+```
+
+## Test Validation Strategy
+
+### Proof of Sponsorship
+
+1. **Initial State**: Create account with balance = 0 ETH
+2. **Without Paymaster**: Attempt 0.1 ETH transfer → Expect failure
+   (insufficient funds)
+3. **With Paymaster**: Same transfer → Expect success
+4. **Post-Transaction**: Verify balance still ≈ 0 ETH (paymaster covered gas)
+
+### Session + Paymaster Flow
+
+1. **Create Session**: Unfunded account + paymaster → Session created
+   successfully
+2. **Execute Transaction**: Use session to send ETH → Success without passkey
+3. **Balance Check**: Account balance remains at 0 (all gas sponsored)
+
+### Error Detection
+
+```typescript
+// Check for insufficient funds error
+catch (error) {
+  const errorMessage = error.cause?.details || error.message;
+  expect(errorMessage).toMatch(/insufficient funds|insufficient balance/i);
+}
+```
+
+## Acceptance Criteria
+
+- [ ] Connector accepts `paymaster: Address` parameter
+- [ ] Connector accepts `paymaster: CustomPaymasterHandler` parameter
+- [ ] Unfunded account (0 ETH) can execute transactions with paymaster
+- [ ] Session creation works with paymaster on unfunded account
+- [ ] Unfunded account transactions fail without paymaster (negative test)
+- [ ] No breaking changes to existing flows (paymaster is optional)
+- [ ] E2E tests pass consistently on local anvil
+- [ ] No UI changes required (transparent operation)
+
+## Future Enhancements (Out of Scope)
+
+- [ ] UI indicator for paymaster sponsorship status
+- [ ] Fee comparison display (with/without sponsorship)
+- [ ] ZyFi paymaster integration for conditional sponsorship
+- [ ] Paymaster selection UI (multiple paymasters)
+- [ ] Session-level paymaster configuration (inherit from session)
+- [ ] Analytics/tracking of sponsored transaction volume
+
+## References
+
+- **TestPaymaster Contract**:
+  `packages/erc4337-contracts/src/test/TestPaymaster.sol`
+- **Paymaster Handlers**: `packages/sdk-4337/src/handlers/`
+- **Current E2E Tests**: `examples/demo-app/tests/create-account.spec.ts`
+- **Demo App**: `examples/demo-app/pages/index.vue`
+- **SDK Connector**: `packages/sdk-4337/src/connector/index.ts`
+
+---
+
+**Created**: December 12, 2025  
+**Status**: Ready for Implementation
diff --git a/examples/demo-app/components/SessionCreator.vue b/examples/demo-app/components/SessionCreator.vue
index cfcb368a6..c18cc070b 100644
--- a/examples/demo-app/components/SessionCreator.vue
+++ b/examples/demo-app/components/SessionCreator.vue
@@ -190,6 +190,7 @@ async function createSessionOnChain() {
       address: props.accountAddress as Address,
       signerPrivateKey: props.eoaPrivateKey as `0x${string}`,
       eoaValidatorAddress: props.eoaValidatorAddress as Address,
+      entryPointAddress: contracts.entryPoint as Address,
     });
 
     // eslint-disable-next-line no-console
diff --git a/examples/demo-app/components/SessionTransactionSender.vue b/examples/demo-app/components/SessionTransactionSender.vue
index 325a92687..d60e5cf54 100644
--- a/examples/demo-app/components/SessionTransactionSender.vue
+++ b/examples/demo-app/components/SessionTransactionSender.vue
@@ -187,6 +187,7 @@ async function sendTransaction() {
       bundlerClient,
       chain,
       transport: http(),
+      entryPointAddress: contracts.entryPoint as Address,
     });
 
     // If an allowed recipient is configured, enforce it matches the selected target
diff --git a/examples/demo-app/pages/index.vue b/examples/demo-app/pages/index.vue
index 52cdac2c3..294a87962 100644
--- a/examples/demo-app/pages/index.vue
+++ b/examples/demo-app/pages/index.vue
@@ -5,17 +5,33 @@
     </h1>
     <button
       class="bg-blue-500 hover:bg-blue-700 text-white font-bold py-2 px-4 rounded mr-4"
-      @click="address ? disconnectWallet() : connectWallet(false)"
+      @click="address ? disconnectWallet() : connectWallet('regular')"
     >
       {{ address ? "Disconnect" : "Connect" }}
     </button>
     <button
       v-if="!address"
-      class="bg-blue-500 hover:bg-blue-700 text-white font-bold py-2 px-4 rounded"
-      @click="address ? disconnectWallet() : connectWallet(true)"
+      class="bg-blue-500 hover:bg-blue-700 text-white font-bold py-2 px-4 rounded mr-4"
+      @click="connectWallet('session')"
     >
       Connect with Session
     </button>
+    <button
+      v-if="!address"
+      title="Connect with paymaster sponsorship"
+      class="bg-green-500 hover:bg-green-700 text-white font-bold py-2 px-4 rounded mr-4"
+      @click="connectWallet('paymaster')"
+    >
+      Connect (Paymaster)
+    </button>
+    <button
+      v-if="!address"
+      title="Connect with session and paymaster sponsorship"
+      class="bg-green-500 hover:bg-green-700 text-white font-bold py-2 px-4 rounded"
+      @click="connectWallet('session-paymaster')"
+    >
+      Connect Session (Paymaster)
+    </button>
     <div
       v-if="address"
       class="mt-4"
@@ -96,48 +112,91 @@
 </template>
 
 <script lang="ts" setup>
-import { disconnect, getBalance, watchAccount, sendTransaction, createConfig, connect, reconnect, waitForTransactionReceipt, type GetBalanceReturnType, signTypedData, readContract } from "@wagmi/core";
+import { disconnect, getBalance, watchAccount, sendTransaction, createConfig, connect, waitForTransactionReceipt, type GetBalanceReturnType, signTypedData, readContract } from "@wagmi/core";
 import { createWalletClient, createPublicClient, http, parseEther, type Address, type Hash } from "viem";
 import { zksyncSsoConnector } from "zksync-sso-4337/connector";
 import { privateKeyToAccount } from "viem/accounts";
 import { localhost } from "viem/chains";
+import { onMounted } from "vue";
 import ERC1271CallerContract from "../forge-output-erc1271.json";
+// Load contracts from public JSON at runtime to avoid ESM JSON import issues
+const contractsUrl = "/contracts.json";
+let contractsAnvil: Record<string, unknown> = {};
+let testPaymasterAddress: Address | undefined;
+
+const runtimeConfig = useRuntimeConfig();
+
+// Prime with runtime config so server-side renders can still set it
+testPaymasterAddress = (runtimeConfig.public?.testPaymasterAddress as Address | undefined)
+?? (runtimeConfig.public?.NUXT_PUBLIC_TEST_PAYMASTER as Address | undefined);
+
+if (typeof window !== "undefined") {
+  fetch(contractsUrl)
+    .then((r) => r.json())
+    .then((json) => {
+      contractsAnvil = json;
+      // Prefer contract JSON values when available
+      testPaymasterAddress = (contractsAnvil as { testPaymaster?: Address; TestPaymaster?: Address }).testPaymaster
+      ?? (contractsAnvil as { TestPaymaster?: Address }).TestPaymaster
+      ?? testPaymasterAddress;
+    })
+    .catch(() => undefined);
+}
 
 const chain = localhost;
 
 const testTransferTarget = "0x55bE1B079b53962746B2e86d12f158a41DF294A6";
 
+const sessionConfig = {
+  feeLimit: parseEther("0.1"),
+  transfers: [
+    {
+      to: testTransferTarget,
+      valueLimit: parseEther("0.1"),
+    },
+  ],
+};
+
+const buildConnector = (mode: "regular" | "session" | "paymaster" | "session-paymaster") => {
+  const baseConfig: Parameters<typeof zksyncSsoConnector>[0] = {
+    authServerUrl: "http://localhost:3002/confirm",
+  };
+
+  if (mode === "session" || mode === "session-paymaster") {
+    baseConfig.session = sessionConfig;
+  }
+
+  if (mode === "paymaster" || mode === "session-paymaster") {
+    baseConfig.paymaster = testPaymasterAddress;
+  }
+
+  return zksyncSsoConnector(baseConfig);
+};
+
 const publicClient = createPublicClient({
   chain: chain,
   transport: http(),
 });
-const zksyncConnectorWithSession = zksyncSsoConnector({
-  authServerUrl: "http://localhost:3002/confirm",
-  session: {
-    feeLimit: parseEther("0.1"),
-    transfers: [
-      {
-        to: testTransferTarget,
-        valueLimit: parseEther("0.1"),
-      },
-    ],
-  },
-});
-const zksyncConnector = zksyncSsoConnector({
-  authServerUrl: "http://localhost:3002/confirm",
-});
 const wagmiConfig = createConfig({
   chains: [chain],
-  connectors: [zksyncConnector],
+  connectors: [buildConnector("regular")],
   transports: {
     [chain.id]: http(),
   },
 });
-reconnect(wagmiConfig);
 
 const address = ref<Address | null>(null);
 const balance = ref<GetBalanceReturnType | null>(null);
 const errorMessage = ref<string | null>(null);
+const isInitializing = ref(true);
+
+// Ensure fresh, unauthenticated state on page load so the connect buttons render
+onMounted(async () => {
+  await disconnect(wagmiConfig).catch(() => undefined);
+  address.value = null;
+  balance.value = null;
+  isInitializing.value = false;
+});
 
 const fundAccount = async () => {
   if (!address.value) throw new Error("Not connected");
@@ -166,7 +225,10 @@ const fundAccount = async () => {
 
 watchAccount(wagmiConfig, {
   async onChange(data) {
-    address.value = data.address || null;
+    // Don't update address during initialization to avoid race with disconnect
+    if (!isInitializing.value) {
+      address.value = data.address || null;
+    }
   },
 });
 
@@ -179,7 +241,12 @@ watch(address, async () => {
   let currentBalance = await getBalance(wagmiConfig, {
     address: address.value,
   });
-  if (currentBalance && currentBalance.value < parseEther("0.2")) {
+
+  // Skip auto-funding if using paymaster (check query param)
+  const urlParams = new URLSearchParams(window.location.search);
+  const skipFunding = urlParams.get("skipFunding") === "true";
+
+  if (!skipFunding && currentBalance && currentBalance.value < parseEther("0.2")) {
     await fundAccount().catch((error) => {
       // eslint-disable-next-line no-console
       console.error("Funding failed:", error);
@@ -192,11 +259,18 @@ watch(address, async () => {
   balance.value = currentBalance;
 }, { immediate: true });
 
-const connectWallet = async (useSession: boolean) => {
+const connectWallet = async (mode: "regular" | "session" | "paymaster" | "session-paymaster") => {
   try {
     errorMessage.value = "";
+    const connector = buildConnector(mode);
+
+    if ((mode === "paymaster" || mode === "session-paymaster") && !testPaymasterAddress) {
+      errorMessage.value = "Paymaster address is not configured.";
+      return;
+    }
+
     connect(wagmiConfig, {
-      connector: useSession ? zksyncConnectorWithSession : zksyncConnector,
+      connector,
       chainId: chain.id,
     });
   } catch (error) {
diff --git a/examples/demo-app/pages/web-sdk-test.vue b/examples/demo-app/pages/web-sdk-test.vue
index 69af87e28..341d14963 100644
--- a/examples/demo-app/pages/web-sdk-test.vue
+++ b/examples/demo-app/pages/web-sdk-test.vue
@@ -653,6 +653,8 @@ function handleSessionCreated() {
 
 // Deploy a new smart account
 async function deployAccount() {
+  // eslint-disable-next-line no-console
+  console.log("🚀 deployAccount() called");
   loading.value = true;
   error.value = "";
   deploymentResult.value = null;
@@ -800,6 +802,14 @@ async function deployAccount() {
     console.log("Account deployed at:", deployedAddress);
 
     // Display the deployment result
+    // eslint-disable-next-line no-console
+    console.log("🎯 Setting deploymentResult.value...", {
+      userId,
+      accountId,
+      address: deployedAddress,
+      eoaSigner: eoaSignerAddress,
+      passkeyEnabled: passkeyConfig.value.enabled,
+    });
     deploymentResult.value = {
       userId,
       accountId,
@@ -807,6 +817,8 @@ async function deployAccount() {
       eoaSigner: eoaSignerAddress,
       passkeyEnabled: passkeyConfig.value.enabled,
     };
+    // eslint-disable-next-line no-console
+    console.log("✅ deploymentResult.value set:", deploymentResult.value);
 
     // If passkey was provided during deployment, it's automatically registered
     if (passkeyConfig.value.enabled) {
@@ -839,8 +851,10 @@ async function deployAccount() {
     console.log("Account deployment result:", deploymentResult.value);
   } catch (err: unknown) {
     // eslint-disable-next-line no-console
-    console.error("Account deployment failed:", err);
+    console.error("❌ Account deployment failed:", err);
     error.value = `Failed to deploy account: ${err instanceof Error ? err.message : String(err)}`;
+    // eslint-disable-next-line no-console
+    console.log("💥 error.value set to:", error.value);
   } finally {
     loading.value = false;
   }
diff --git a/examples/demo-app/playwright.config.ts b/examples/demo-app/playwright.config.ts
index fe54accf4..fa507f1da 100644
--- a/examples/demo-app/playwright.config.ts
+++ b/examples/demo-app/playwright.config.ts
@@ -20,10 +20,13 @@ export default defineConfig({
   forbidOnly: !!process.env.CI,
   /* Retry on CI only */
   retries: process.env.CI ? 2 : 0,
-  /* Opt out of parallel tests on CI. */
-  workers: process.env.CI ? 1 : undefined,
+  /* Run tests sequentially to avoid nonce collision on funding transactions */
+  workers: 1,
   /* Reporter to use. See https://playwright.dev/docs/test-reporters */
-  reporter: "html",
+  reporter: [
+    ["list"],
+    ["html", { open: process.env.CI ? "never" : "on-failure" }],
+  ],
   /* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */
   use: {
     /* Base URL to use in actions like `await page.goto('/')`. */
@@ -41,18 +44,23 @@ export default defineConfig({
     },
   ],
 
-  /* Run your local server before starting the tests */
+  /* Run local servers before starting the tests */
   webServer: [
     {
-      command: "pnpm nx preview demo-app",
-      url: "http://localhost:3004",
+      command:
+        "NUXT_PUBLIC_AUTH_SERVER_API_URL=http://localhost:3005 PORT=3002 pnpm nx dev:no-deploy auth-server",
+      url: "http://localhost:3002",
       reuseExistingServer: !process.env.CI,
+      stdout: "pipe",
+      stderr: "pipe",
       timeout: 180_000,
     },
     {
-      command: "pnpm nx preview auth-server",
-      url: "http://localhost:3002",
+      command: "PORT=3004 pnpm nx dev demo-app",
+      url: "http://localhost:3004",
       reuseExistingServer: !process.env.CI,
+      stdout: "pipe",
+      stderr: "pipe",
       timeout: 180_000,
     },
   ],
diff --git a/examples/demo-app/project.json b/examples/demo-app/project.json
index a7abbf951..f6f17d44c 100644
--- a/examples/demo-app/project.json
+++ b/examples/demo-app/project.json
@@ -91,7 +91,24 @@
       "executor": "nx:run-commands",
       "options": {
         "cwd": "examples/demo-app",
-        "command": "pnpm exec playwright install chromium"
+        "commands": [
+          {
+            "command": "pnpm nx run sdk-4337:build --skip-nx-cache",
+            "prefix": "Rebuild-SDK:"
+          },
+          {
+            "command": "cd ../../packages/auth-server && pnpm nuxt build"
+          },
+          {
+            "command": "pnpm nuxt build"
+          },
+          {
+            "command": "pnpm exec playwright install chromium"
+          },
+          {
+            "command": "cd ../.. && ( cd packages/auth-server && PORT=3002 NUXT_PUBLIC_AUTH_SERVER_API_URL=http://localhost:3005 pnpm nuxt preview > /tmp/auth-server.log 2>&1 & echo $! > /tmp/auth-server.pid ) && ( cd examples/demo-app && PORT=3004 pnpm nuxt preview > /tmp/demo-app.log 2>&1 & echo $! > /tmp/demo-app.pid ) && sleep 10"
+          }
+        ]
       },
       "dependsOn": ["deploy-contracts-erc4337"]
     },
@@ -99,10 +116,71 @@
       "executor": "nx:run-commands",
       "options": {
         "cwd": "examples/demo-app",
-        "command": "playwright test --config=playwright.config.ts"
+        "commands": [
+          {
+            "command": "cd ../.. && ( cd packages/auth-server && PORT=3002 NUXT_PUBLIC_AUTH_SERVER_API_URL=http://localhost:3005 pnpm nuxt preview > /tmp/auth-server.log 2>&1 & echo $! > /tmp/auth-server.pid ) && ( cd examples/demo-app && PORT=3004 pnpm nuxt preview > /tmp/demo-app.log 2>&1 & echo $! > /tmp/demo-app.pid ) && sleep 10",
+            "prefix": "Start-Servers:"
+          },
+          {
+            "command": "playwright test --config=playwright.config.ts",
+            "prefix": "Tests:"
+          }
+        ]
       },
       "dependsOn": ["e2e:setup"]
     },
+    "e2e:demo-only": {
+      "executor": "nx:run-commands",
+      "options": {
+        "cwd": "examples/demo-app",
+        "command": "PW_TEST_HTML_REPORT_OPEN=never playwright test --config=playwright.config.ts"
+      }
+    },
+    "e2e:setup": {
+      "executor": "nx:run-commands",
+      "options": {
+        "cwd": "examples/demo-app",
+        "commands": [
+          {
+            "command": "pnpm nx run sdk-4337:build --skip-nx-cache",
+            "prefix": "Rebuild-SDK:"
+          },
+          {
+            "command": "cd ../../packages/auth-server && pnpm nuxt build"
+          },
+          {
+            "command": "pnpm nuxt build"
+          },
+          {
+            "command": "pnpm exec playwright install chromium"
+          }
+        ]
+      },
+      "dependsOn": ["deploy-contracts-erc4337"]
+    },
+    "dev": {
+      "executor": "nx:run-commands",
+      "options": {
+        "cwd": "examples/demo-app",
+        "command": "PORT=3004 pnpm run dev"
+      }
+    },
+    "redeploy-and-sync": {
+      "executor": "nx:run-commands",
+      "options": {
+        "cwd": "examples/demo-app",
+        "commands": [
+          {
+            "command": "./scripts/deploy-msa-anvil.sh",
+            "prefix": "Deploy-Anvil:"
+          },
+          {
+            "command": "pnpm nx run demo-app:deploy-contracts-erc4337",
+            "prefix": "Stub-ERC4337:"
+          }
+        ]
+      }
+    },
     "e2e:erc4337": {
       "executor": "nx:run-commands",
       "options": {
@@ -111,6 +189,26 @@
       },
       "dependsOn": ["e2e:setup:erc4337"]
     },
+    "e2e:erc4337:demo-only": {
+      "executor": "nx:run-commands",
+      "options": {
+        "cwd": "examples/demo-app",
+        "commands": [
+          {
+            "command": "cd ../.. && ( cd examples/demo-app && PORT=3004 pnpm nuxt preview > /tmp/demo-app.log 2>&1 & echo $! > /tmp/demo-app.pid ) && sleep 5",
+            "prefix": "Start-Demo:"
+          },
+          {
+            "command": "playwright test --config=playwright-erc4337.config.ts",
+            "prefix": "Tests:"
+          },
+          {
+            "command": "kill $(cat /tmp/demo-app.pid) 2>/dev/null || true",
+            "prefix": "Cleanup:"
+          }
+        ]
+      }
+    },
     "ci:erc4337": {
       "executor": "nx:run-commands",
       "options": {
diff --git a/examples/demo-app/scripts/deploy-msa-anvil.sh b/examples/demo-app/scripts/deploy-msa-anvil.sh
index 9a32887a4..8926d6ab3 100755
--- a/examples/demo-app/scripts/deploy-msa-anvil.sh
+++ b/examples/demo-app/scripts/deploy-msa-anvil.sh
@@ -39,10 +39,11 @@ GUARDIAN_EXECUTOR=$(echo "$DEPLOY_OUTPUT" | grep "GuardianExecutor:" | awk '{pri
 ACCOUNT_IMPL=$(echo "$DEPLOY_OUTPUT" | grep "ModularSmartAccount implementation:" | awk '{print $3}')
 BEACON=$(echo "$DEPLOY_OUTPUT" | grep "UpgradeableBeacon:" | awk '{print $2}')
 FACTORY=$(echo "$DEPLOY_OUTPUT" | grep "MSAFactory:" | awk '{print $2}')
+PAYMASTER=$(echo "$DEPLOY_OUTPUT" | grep "TestPaymaster:" | awk '{print $2}')
 
 # Verify all addresses were extracted
 if [ -z "$EOA_VALIDATOR" ] || [ -z "$SESSION_VALIDATOR" ] || [ -z "$WEBAUTHN_VALIDATOR" ] || \
-   [ -z "$GUARDIAN_EXECUTOR" ] || [ -z "$ACCOUNT_IMPL" ] || [ -z "$BEACON" ] || [ -z "$FACTORY" ]; then
+  [ -z "$GUARDIAN_EXECUTOR" ] || [ -z "$ACCOUNT_IMPL" ] || [ -z "$BEACON" ] || [ -z "$FACTORY" ] || [ -z "$PAYMASTER" ]; then
   echo "❌ Failed to extract all contract addresses from deployment output"
   echo "Please check the deployment logs above"
   exit 1
@@ -57,6 +58,7 @@ echo "  GuardianExecutor: $GUARDIAN_EXECUTOR"
 echo "  ModularSmartAccount impl: $ACCOUNT_IMPL"
 echo "  UpgradeableBeacon: $BEACON"
 echo "  MSAFactory: $FACTORY"
+echo "  TestPaymaster: $PAYMASTER"
 
 # Create contracts-anvil.json
 echo ""
@@ -75,6 +77,7 @@ cat > contracts-anvil.json << EOF
   "accountImplementation": "$ACCOUNT_IMPL",
   "beacon": "$BEACON",
   "factory": "$FACTORY",
+  "testPaymaster": "$PAYMASTER",
   "entryPoint": "0x4337084D9E255Ff0702461CF8895CE9E3b5Ff108",
   "bundlerUrl": "http://localhost:4337"
 }
@@ -90,6 +93,14 @@ echo "✅ Updated contracts.json to use Anvil addresses"
 cp contracts-anvil.json public/contracts.json
 echo "✅ Copied to public/contracts.json"
 
+# Copy to auth-server stores
+cp contracts-anvil.json "$WORKSPACE_ROOT/packages/auth-server/stores/local-node.json"
+echo "✅ Copied to packages/auth-server/stores/local-node.json"
+
+# Copy to auth-server-api src
+cp contracts-anvil.json "$WORKSPACE_ROOT/packages/auth-server-api/src/contracts.json"
+echo "✅ Copied to packages/auth-server-api/src/contracts.json"
+
 echo ""
 echo "🎉 Deployment complete!"
 echo ""
diff --git a/examples/demo-app/scripts/deploy-paymaster.sh b/examples/demo-app/scripts/deploy-paymaster.sh
new file mode 100755
index 000000000..e0825b964
--- /dev/null
+++ b/examples/demo-app/scripts/deploy-paymaster.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+set -ex
+
+# Get the directory where this script is located
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# Navigate to the workspace root (3 levels up from scripts/)
+WORKSPACE_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)"
+
+# Configuration
+DEPLOYER_ADDRESS="0xa0Ee7A142d267C1f36714E4a8F75612F20a79720"  # Anvil account #9
+RPC_URL="http://localhost:8545"
+CHAIN_ID=1337
+CONTRACTS_DIR="$WORKSPACE_ROOT/packages/erc4337-contracts"
+CONTRACTS_FILE="$SCRIPT_DIR/../contracts-anvil.json"
+
+echo "🚀 Deploying TestPaymaster to Anvil..."
+echo ""
+echo "📍 Deployer: $DEPLOYER_ADDRESS"
+echo "🌐 RPC URL: $RPC_URL"
+echo ""
+
+cd "$CONTRACTS_DIR"
+
+# Deploy TestPaymaster
+echo "📦 Deploying TestPaymaster..."
+PAYMASTER_OUTPUT=$(forge create \
+  --rpc-url "$RPC_URL" \
+  --private-key "0x2a871d0798f97d79848a013d4936a73bf4cc922c825d33c1cf7073dff6d409c6" \
+  src/test/TestPaymaster.sol:TestPaymaster 2>&1)
+
+echo "$PAYMASTER_OUTPUT"
+
+# Extract paymaster address
+PAYMASTER_ADDRESS=$(echo "$PAYMASTER_OUTPUT" | grep "Deployed to:" | awk '{print $3}')
+
+if [ -z "$PAYMASTER_ADDRESS" ]; then
+  echo "❌ Failed to extract TestPaymaster address"
+  exit 1
+fi
+
+echo ""
+echo "✅ TestPaymaster deployed at: $PAYMASTER_ADDRESS"
+
+# Fund the paymaster with 10 ETH from rich account (Anvil account #0)
+echo ""
+echo "💰 Funding paymaster with 10 ETH..."
+cast send "$PAYMASTER_ADDRESS" \
+  --value 10ether \
+  --rpc-url "$RPC_URL" \
+  --private-key "0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80"
+
+# Update contracts-anvil.json with paymaster address
+echo ""
+echo "📝 Updating contracts-anvil.json..."
+jq ". + {\"testPaymaster\": \"$PAYMASTER_ADDRESS\"}" "$CONTRACTS_FILE" > "$CONTRACTS_FILE.tmp" && mv "$CONTRACTS_FILE.tmp" "$CONTRACTS_FILE"
+
+echo ""
+echo "✅ TestPaymaster setup complete!"
+echo "   Address: $PAYMASTER_ADDRESS"
+echo "   Balance: 10 ETH"
diff --git a/examples/demo-app/tests/create-account.spec.ts b/examples/demo-app/tests/create-account.spec.ts
index c943127bf..358b8ee5c 100644
--- a/examples/demo-app/tests/create-account.spec.ts
+++ b/examples/demo-app/tests/create-account.spec.ts
@@ -1,5 +1,13 @@
+/* eslint-disable no-console */
 import { expect, type Page, test } from "@playwright/test";
 
+type WebAuthnCredential = {
+  credentialId: string;
+  isResidentCredential: boolean;
+  privateKey: string;
+  signCount: number;
+};
+
 async function waitForServicesToLoad(page: Page): Promise<void> {
   const maxRetryAttempts = 10;
   let retryCount = 0;
@@ -45,25 +53,27 @@ test.beforeEach(async ({ page }) => {
 });
 
 test("Create account with session and send ETH", async ({ page }) => {
-  // Click the Connect button
-  await page.getByRole("button", { name: "Connect with Session", exact: true }).click();
+  // Step 1: regular connect to create account with passkey
+  await page.getByRole("button", { name: "Connect", exact: true }).click();
 
-  // Ensure popup is displayed
   await page.waitForTimeout(2000);
   const popup = page.context().pages()[1];
   await expect(popup.getByText("Connect to")).toBeVisible();
   popup.on("console", (msg) => {
-    if (msg.type() === "error")
-      console.log(`Auth server error console: "${msg.text()}"`);
+    if (msg.type() === "error") console.log(`Auth server error console: "${msg.text()}"`);
   });
   popup.on("pageerror", (exception) => {
     console.log(`Auth server uncaught exception: "${exception}"`);
   });
 
-  // Setup webauthn a Chrome Devtools Protocol session
-  // NOTE: This needs to be done for every page of every test that uses WebAuthn
+  // Prepare WebAuthn for passkey creation and capture the credential for later reuse
   const client = await popup.context().newCDPSession(popup);
   await client.send("WebAuthn.enable");
+  let newCredential: WebAuthnCredential | null = null;
+  client.on("WebAuthn.credentialAdded", (credentialAdded) => {
+    console.log("New Passkey credential added");
+    newCredential = credentialAdded.credential;
+  });
   await client.send("WebAuthn.addVirtualAuthenticator", {
     options: {
       protocol: "ctap2",
@@ -75,57 +85,28 @@ test("Create account with session and send ETH", async ({ page }) => {
     },
   });
 
-  // Click Sign Up
   await popup.getByTestId("signup").click();
-
-  // Add session
-  await expect(popup.getByText("Authorize ZKsync SSO Demo")).toBeVisible();
-  await expect(popup.getByText("Act on your behalf")).toBeVisible();
-  await expect(popup.getByText("Expires tomorrow")).toBeVisible();
-  await expect(popup.getByText("Permissions")).toBeVisible();
+  await expect(popup.getByText("Connect to ZKsync SSO Demo")).toBeVisible();
   await popup.getByTestId("connect").click();
 
-  // Waits for session to complete and popup to close
   await page.waitForTimeout(2000);
-
-  // Check address/balance is shown
   await expect(page.getByText("Disconnect")).toBeVisible();
-  await expect(page.getByText("Balance:")).toBeVisible();
-  const startBalance = +(await page.getByText("Balance:").innerText())
-    .replace("Balance: ", "")
-    .replace(" ETH", "");
+  const initialBalanceText = await page.getByText("Balance:").innerText();
+  const initialBalance = +initialBalanceText.replace("Balance: ", "").replace(" ETH", "");
+  await expect(initialBalance, "Balance should be non-zero after initial funding").toBeGreaterThan(0);
 
-  // Send some eth
-  await page.getByRole("button", { name: "Send 0.1 ETH", exact: true }).click();
-  await expect(page.getByRole("button", { name: "Send 0.1 ETH", exact: true })).toBeEnabled();
-  const endBalance = +(await page.getByText("Balance:").innerText())
-    .replace("Balance: ", "")
-    .replace(" ETH", "");
-  await expect(startBalance, "Balance after transfer should be ~0.1 ETH less")
-    .toBeGreaterThan(endBalance + 0.1);
-});
+  // Step 2: disconnect then reconnect with session using the same passkey credential
+  await page.getByRole("button", { name: "Disconnect", exact: true }).click();
+  await expect(page.getByRole("button", { name: "Connect with Session", exact: true })).toBeVisible();
 
-test("Create account with session and send ETH with paymaster", async ({ page }) => {
-  // Click the Connect button
   await page.getByRole("button", { name: "Connect with Session", exact: true }).click();
-
-  // Ensure popup is displayed
   await page.waitForTimeout(2000);
-  const popup = page.context().pages()[1];
-  await expect(popup.getByText("Connect to")).toBeVisible();
-  popup.on("console", (msg) => {
-    if (msg.type() === "error")
-      console.log(`Auth server error console: "${msg.text()}"`);
-  });
-  popup.on("pageerror", (exception) => {
-    console.log(`Auth server uncaught exception: "${exception}"`);
-  });
+  const sessionPopup = page.context().pages()[1];
+  await expect(sessionPopup.getByText("Act on your behalf")).toBeVisible();
 
-  // Setup webauthn a Chrome Devtools Protocol session
-  // NOTE: This needs to be done for every page of every test that uses WebAuthn
-  const client = await popup.context().newCDPSession(popup);
-  await client.send("WebAuthn.enable");
-  await client.send("WebAuthn.addVirtualAuthenticator", {
+  const sessionClient = await sessionPopup.context().newCDPSession(sessionPopup);
+  await sessionClient.send("WebAuthn.enable");
+  const sessionAuthenticator = await sessionClient.send("WebAuthn.addVirtualAuthenticator", {
     options: {
       protocol: "ctap2",
       transport: "usb",
@@ -135,35 +116,27 @@ test("Create account with session and send ETH with paymaster", async ({ page })
       automaticPresenceSimulation: true,
     },
   });
+  await expect(newCredential).not.toBeNull();
+  await sessionClient.send("WebAuthn.addCredential", {
+    authenticatorId: sessionAuthenticator.authenticatorId,
+    credential: newCredential!,
+  });
 
-  // Click Sign Up
-  await popup.getByTestId("signup").click();
-
-  // Add session
-  await expect(popup.getByText("Authorize ZKsync SSO Demo")).toBeVisible();
-  await expect(popup.getByText("Act on your behalf")).toBeVisible();
-  await expect(popup.getByText("Expires tomorrow")).toBeVisible();
-  await expect(popup.getByText("Permissions")).toBeVisible();
-  await popup.getByTestId("connect").click();
+  await expect(sessionPopup.getByText("Authorize ZKsync SSO Demo")).toBeVisible();
+  await sessionPopup.getByTestId("connect").click();
 
-  // Waits for session to complete and popup to close
   await page.waitForTimeout(2000);
-
-  // Check address/balance is shown
   await expect(page.getByText("Disconnect")).toBeVisible();
-  await expect(page.getByText("Balance:")).toBeVisible();
-  const startBalance = +(await page.getByText("Balance:").innerText())
-    .replace("Balance: ", "")
-    .replace(" ETH", "");
+  const sessionBalanceText = await page.getByText("Balance:").innerText();
+  const sessionStartBalance = +sessionBalanceText.replace("Balance: ", "").replace(" ETH", "");
 
-  // Send some eth with paymaster
-  await page.getByRole("button", { name: "Send 0.1 ETH with Paymaster", exact: true }).click();
-  await expect(page.getByRole("button", { name: "Send 0.1 ETH with Paymaster", exact: true })).toBeEnabled();
-  const endBalance = +(await page.getByText("Balance:").innerText())
-    .replace("Balance: ", "")
-    .replace(" ETH", "");
-  await expect(startBalance, "Balance after transfer should be 0.1 ETH less (no fees)")
-    .toEqual(endBalance + 0.1);
+  // Step 3: send ETH under session (no extra signing step expected)
+  await page.getByRole("button", { name: "Send 0.1 ETH", exact: true }).click();
+  await expect(page.getByRole("button", { name: "Send 0.1 ETH", exact: true })).toBeEnabled();
+  const sessionEndBalanceText = await page.getByText("Balance:").innerText();
+  const sessionEndBalance = +sessionEndBalanceText.replace("Balance: ", "").replace(" ETH", "");
+
+  await expect(sessionStartBalance, "Balance after transfer should be ~0.1 ETH less").toBeGreaterThan(sessionEndBalance + 0.09);
 });
 
 test("Create passkey account and send ETH", async ({ page }) => {
@@ -196,7 +169,7 @@ test("Create passkey account and send ETH", async ({ page }) => {
       automaticPresenceSimulation: true,
     },
   });
-  let newCredential = null;
+  let newCredential: WebAuthnCredential | null = null;
   client.on("WebAuthn.credentialAdded", (credentialAdded) => {
     console.log("New Passkey credential added");
     console.log(`Authenticator ID: ${credentialAdded.authenticatorId}`);
@@ -268,26 +241,29 @@ test("Create passkey account and send ETH", async ({ page }) => {
     .toBeGreaterThan(endBalance + 0.1);
 });
 
-test("Create passkey account and send ETH with paymaster", async ({ page }) => {
-  // Click the Connect button
+test("Create account with Paymaster and send ETH (no session)", async ({ page }) => {
+  // Create a basic passkey account without session
   await page.getByRole("button", { name: "Connect", exact: true }).click();
 
-  // Ensure popup is displayed
+  // Ensure popup is displayed and prepare logging
   await page.waitForTimeout(2000);
-  let popup = page.context().pages()[1];
-  await expect(popup.getByText("Connect to")).toBeVisible();
+  const popup = page.context().pages()[1];
+  await expect(popup.getByText(/Connect to|Act on your behalf/)).toBeVisible();
   popup.on("console", (msg) => {
-    if (msg.type() === "error")
-      console.log(`Auth server error console: "${msg.text()}"`);
+    if (msg.type() === "error") console.log(`Auth server error console: "${msg.text()}"`);
   });
   popup.on("pageerror", (exception) => {
     console.log(`Auth server uncaught exception: "${exception}"`);
   });
 
-  // Setup webauthn a Chrome Devtools Protocol session
-  // NOTE: This needs to be done for every page of every test that uses WebAuthn
-  let client = await popup.context().newCDPSession(popup);
+  // Setup WebAuthn virtual authenticator for passkey creation
+  const client = await popup.context().newCDPSession(popup);
   await client.send("WebAuthn.enable");
+  let newCredential: WebAuthnCredential | null = null;
+  client.on("WebAuthn.credentialAdded", (credentialAdded) => {
+    console.log("New Passkey credential added");
+    newCredential = credentialAdded.credential;
+  });
   await client.send("WebAuthn.addVirtualAuthenticator", {
     options: {
       protocol: "ctap2",
@@ -298,147 +274,59 @@ test("Create passkey account and send ETH with paymaster", async ({ page }) => {
       automaticPresenceSimulation: true,
     },
   });
-  let newCredential = null;
-  client.on("WebAuthn.credentialAdded", (credentialAdded) => {
-    console.log("New Passkey credential added");
-    console.log(`Authenticator ID: ${credentialAdded.authenticatorId}`);
-    console.log(`Credential: ${credentialAdded.credential}`);
-    newCredential = credentialAdded.credential;
-  });
-
-  // Click Sign Up
-  await popup.getByTestId("signup").click();
 
-  // Confirm access to your account
-  await expect(popup.getByText("Connect to ZKsync SSO Demo")).toBeVisible();
-  await expect(popup.getByText("localhost:3004")).toBeVisible();
-  await expect(popup.getByText("Let it see your address, balance and activity")).toBeVisible();
+  // Complete signup
+  const signupBtn = popup.getByTestId("signup");
+  if (await signupBtn.isVisible()) {
+    await signupBtn.click();
+    await expect(popup.getByText(/Connect to ZKsync SSO Demo|Authorize ZKsync SSO Demo/)).toBeVisible();
+  }
   await popup.getByTestId("connect").click();
 
-  // Waits for session to complete and popup to close
-  await page.waitForTimeout(2000);
-
-  // Check address/balance is shown
-  await expect(page.getByText("Disconnect")).toBeVisible();
-  await expect(page.getByText("Balance:")).toBeVisible();
-  const startBalance = +(await page.getByText("Balance:").innerText())
-    .replace("Balance: ", "")
-    .replace(" ETH", "");
-
-  // Send some eth with paymaster
-  await page.getByRole("button", { name: "Send 0.1 ETH with Paymaster", exact: true }).click();
+  await expect(newCredential).not.toBeNull();
 
-  // Wait for Auth Server to pop back up
+  // Account created
   await page.waitForTimeout(2000);
-  popup = page.context().pages()[1];
+  await expect(page.getByText("Disconnect")).toBeVisible();
 
-  // We need to recreate the virtual authenticator to match the previous one
-  client = await popup.context().newCDPSession(popup);
-  await client.send("WebAuthn.enable");
-  const result = await client.send("WebAuthn.addVirtualAuthenticator", {
-    options: {
-      protocol: "ctap2",
-      transport: "usb",
-      hasResidentKey: true,
-      hasUserVerification: true,
-      isUserVerified: true,
-      automaticPresenceSimulation: true,
-    },
-  });
-  await expect(newCredential).not.toBeNull();
-  await client.send("WebAuthn.addCredential", {
-    authenticatorId: result.authenticatorId,
-    credential: newCredential!,
-  });
+  // Capture starting balance
+  const startBalanceText = await page.getByText("Balance:").innerText();
+  const startBalance = +startBalanceText.replace("Balance: ", "").replace(" ETH", "");
 
-  // Confirm the transfer
-  await expect(popup.getByText("-0.1")).toBeVisible();
-  await expect(popup.getByText("Sending to")).toBeVisible();
-  await expect(popup.getByText("0x55b...4A6")).toBeVisible();
-  await expect(popup.getByText("Fees")).toBeVisible();
-  await popup.getByTestId("confirm").click();
-
-  // Wait for confirmation to complete and popup to close
-  await page.waitForTimeout(2000);
+  // Send 0.1 ETH (paymaster should sponsor gas)
+  await page.getByRole("button", { name: "Send 0.1 ETH", exact: true }).click();
+  await expect(page.getByRole("button", { name: "Send 0.1 ETH", exact: true })).toBeEnabled();
 
-  // Confirm transfer completed and balance updated
-  await expect(page.getByRole("button", { name: "Send 0.1 ETH with Paymaster", exact: true })).toBeEnabled();
-  const endBalance = +(await page.getByText("Balance:").innerText())
-    .replace("Balance: ", "")
-    .replace(" ETH", "");
-  await expect(startBalance, "Balance after transfer should be 0.1 ETH less (no fees)")
-    .toEqual(endBalance + 0.1);
+  // Validate balance decreased by ~0.1 ETH
+  const endBalanceText = await page.getByText("Balance:").innerText();
+  const endBalance = +endBalanceText.replace("Balance: ", "").replace(" ETH", "");
+  await expect(startBalance, "Balance after transfer should be ~0.1 ETH less").toBeGreaterThan(endBalance + 0.09);
 });
 
-test("Create passkey account and sign typed data", async ({ page }) => {
-  // Click the Connect button
-  await page.getByRole("button", { name: "Connect", exact: true }).click();
+test("Create session account with Paymaster and send ETH", async ({ page }) => {
+  // Trigger session connection with paymaster sponsorship
+  await page.getByRole("button", { name: "Connect Session (Paymaster)", exact: true }).click();
 
-  // Ensure popup is displayed
+  // Ensure popup is displayed and prepare logging
   await page.waitForTimeout(2000);
-  let popup = page.context().pages()[1];
-  await expect(popup.getByText("Connect to")).toBeVisible();
+  const popup = page.context().pages()[1];
+  await expect(popup.getByText(/Connect to|Act on your behalf/)).toBeVisible();
   popup.on("console", (msg) => {
-    if (msg.type() === "error")
-      console.log(`Auth server error console: "${msg.text()}"`);
+    if (msg.type() === "error") console.log(`Auth server error console: "${msg.text()}"`);
   });
   popup.on("pageerror", (exception) => {
     console.log(`Auth server uncaught exception: "${exception}"`);
   });
 
-  // Setup webauthn a Chrome Devtools Protocol session
-  // NOTE: This needs to be done for every page of every test that uses WebAuthn
-  let client = await popup.context().newCDPSession(popup);
+  // Setup WebAuthn virtual authenticator for passkey creation (first-time session)
+  const client = await popup.context().newCDPSession(popup);
   await client.send("WebAuthn.enable");
-  await client.send("WebAuthn.addVirtualAuthenticator", {
-    options: {
-      protocol: "ctap2",
-      transport: "usb",
-      hasResidentKey: true,
-      hasUserVerification: true,
-      isUserVerified: true,
-      automaticPresenceSimulation: true,
-    },
-  });
-  let newCredential = null;
+  let newCredential: WebAuthnCredential | null = null;
   client.on("WebAuthn.credentialAdded", (credentialAdded) => {
     console.log("New Passkey credential added");
-    console.log(`Authenticator ID: ${credentialAdded.authenticatorId}`);
-    console.log(`Credential: ${credentialAdded.credential}`);
     newCredential = credentialAdded.credential;
   });
-
-  // Click Sign Up
-  await popup.getByTestId("signup").click();
-
-  // Confirm access to your account
-  await expect(popup.getByText("Connect to ZKsync SSO Demo")).toBeVisible();
-  await expect(popup.getByText("localhost:3004")).toBeVisible();
-  await expect(popup.getByText("Let it see your address, balance and activity")).toBeVisible();
-  await popup.getByTestId("connect").click();
-
-  // Waits for session to complete and popup to close
-  await page.waitForTimeout(2000);
-
-  // Check address/balance is shown
-  await expect(page.getByText("Disconnect")).toBeVisible();
-  await expect(page.getByText("Balance:")).toBeVisible();
-
-  // Verify typed data section is visible
-  await expect(page.getByText("Typed Data Signature Verification")).toBeVisible();
-  await expect(page.getByRole("button", { name: "Sign Typed Data" })).toBeVisible();
-
-  // Click Sign Typed Data button
-  await page.getByRole("button", { name: "Sign Typed Data" }).click();
-
-  // Wait for Auth Server popup to open
-  await page.waitForTimeout(2000);
-  popup = page.context().pages()[1];
-
-  // We need to recreate the virtual authenticator to match the previous one
-  client = await popup.context().newCDPSession(popup);
-  await client.send("WebAuthn.enable");
-  const result = await client.send("WebAuthn.addVirtualAuthenticator", {
+  await client.send("WebAuthn.addVirtualAuthenticator", {
     options: {
       protocol: "ctap2",
       transport: "usb",
@@ -448,29 +336,33 @@ test("Create passkey account and sign typed data", async ({ page }) => {
       automaticPresenceSimulation: true,
     },
   });
-  await expect(newCredential).not.toBeNull();
-  await client.send("WebAuthn.addCredential", {
-    authenticatorId: result.authenticatorId,
-    credential: newCredential!,
-  });
 
-  // Verify the sign typed data popup content
-  await expect(popup.getByText("Sign Typed Data Request")).toBeVisible();
-  await expect(popup.getByText("Message (TestStruct)", { exact: true })).toBeVisible();
+  // If signup is shown, complete signup before connect; otherwise proceed to authorize/connect
+  const signupBtn = popup.getByTestId("signup");
+  if (await signupBtn.isVisible()) {
+    await signupBtn.click();
+    await expect(popup.getByText(/Connect to ZKsync SSO Demo|Authorize ZKsync SSO Demo/)).toBeVisible();
+  } else {
+    await expect(popup.getByText(/Authorize ZKsync SSO Demo/)).toBeVisible();
+  }
+  await popup.getByTestId("connect").click();
 
-  // Click Sign button in the popup
-  await popup.getByTestId("confirm").click();
+  await expect(newCredential).not.toBeNull();
 
-  // Wait for signature to complete and popup to close
-  await page.waitForTimeout(3000);
+  // Connected via session + paymaster
+  await page.waitForTimeout(2000);
+  await expect(page.getByText("Disconnect")).toBeVisible();
 
-  // Verify signature appears on main page
-  await expect(page.getByText("Signature:")).toBeVisible();
+  // Capture starting balance
+  const startBalanceText = await page.getByText("Balance:").innerText();
+  const startBalance = +startBalanceText.replace("Balance: ", "").replace(" ETH", "");
 
-  // Wait for signature verification to complete
-  await page.waitForTimeout(2000);
+  // Send under session (paymaster should sponsor fees)
+  await page.getByRole("button", { name: "Send 0.1 ETH", exact: true }).click();
+  await expect(page.getByRole("button", { name: "Send 0.1 ETH", exact: true })).toBeEnabled();
 
-  // Verify signature validation shows as successful
-  await expect(page.getByText("Typed Data Verification Result:")).toBeVisible();
-  await expect(page.getByText("Valid ✓")).toBeVisible();
+  // Validate balance decreased by ~0.1 ETH
+  const endBalanceText = await page.getByText("Balance:").innerText();
+  const endBalance = +endBalanceText.replace("Balance: ", "").replace(" ETH", "");
+  await expect(startBalance, "Balance after transfer should be ~0.1 ETH less").toBeGreaterThan(endBalance + 0.09);
 });
diff --git a/examples/demo-app/tests/paymaster.spec.ts b/examples/demo-app/tests/paymaster.spec.ts
new file mode 100644
index 000000000..f79e84e01
--- /dev/null
+++ b/examples/demo-app/tests/paymaster.spec.ts
@@ -0,0 +1,319 @@
+import { expect, type Page, test } from "@playwright/test";
+import contractsAnvil from "../contracts-anvil.json";
+
+async function waitForServicesToLoad(page: Page): Promise<void> {
+  const maxRetryAttempts = 10;
+  let retryCount = 0;
+
+  // Wait for demo-app to finish loading
+  await page.goto("/");
+  let demoHeader = page.getByText("ZKsync SSO Demo");
+  while (!(await demoHeader.isVisible()) && retryCount < maxRetryAttempts) {
+    await page.waitForTimeout(1000);
+    demoHeader = page.getByText("ZKsync SSO Demo");
+    retryCount++;
+
+    console.log(`Waiting for demo app to load (retry ${retryCount})...`);
+  }
+  console.log("Demo App loaded");
+
+  // Wait for auth server to finish loading
+  retryCount = 0;
+  await page.goto("http://localhost:3002");
+  let authServerHeader = page.getByTestId("signup");
+  while (!(await authServerHeader.isVisible()) && retryCount < maxRetryAttempts) {
+    await page.waitForTimeout(1000);
+    authServerHeader = page.getByTestId("signup");
+    retryCount++;
+
+    console.log(`Waiting for auth server to load (retry ${retryCount})...`);
+  }
+  console.log("Auth Server loaded");
+}
+
+async function setupWebAuthn(page: Page) {
+  const client = await page.context().newCDPSession(page);
+  await client.send("WebAuthn.enable");
+  await client.send("WebAuthn.addVirtualAuthenticator", {
+    options: {
+      protocol: "ctap2",
+      transport: "usb",
+      hasResidentKey: true,
+      hasUserVerification: true,
+      isUserVerified: true,
+      automaticPresenceSimulation: true,
+    },
+  });
+  return client;
+}
+
+test.beforeAll(async () => {
+  // Check if paymaster is deployed
+  if (!(contractsAnvil as unknown).testPaymaster) {
+    throw new Error(
+      "TestPaymaster not deployed. Run: pnpm --filter demo-app deploy:paymaster",
+    );
+  }
+  console.log(`Using TestPaymaster at: ${(contractsAnvil as unknown).testPaymaster}`);
+});
+
+test.beforeEach(async ({ page }) => {
+  page.on("console", (msg) => {
+    if (msg.type() === "error")
+      console.log(`Main page error console: "${msg.text()}"`);
+  });
+  page.on("pageerror", (exception) => {
+    console.log(`Main page uncaught exception: "${exception}"`);
+  });
+
+  await waitForServicesToLoad(page);
+  await page.goto("/");
+  await expect(page.getByText("ZKsync SSO Demo")).toBeVisible();
+});
+
+test("Unfunded account fails without paymaster", async ({ page }) => {
+  // Add skipFunding query param to prevent auto-funding
+  await page.goto("/?skipFunding=true");
+
+  // Connect without paymaster - this should create an unfunded account
+  await page.getByRole("button", { name: "Connect", exact: true }).click();
+
+  // Ensure popup is displayed
+  await page.waitForTimeout(2000);
+  const popup = page.context().pages()[1];
+  await expect(popup.getByText("Connect to")).toBeVisible();
+
+  popup.on("console", (msg) => {
+    if (msg.type() === "error")
+      console.log(`Auth server error console: "${msg.text()}"`);
+  });
+  popup.on("pageerror", (exception) => {
+    console.log(`Auth server uncaught exception: "${exception}"`);
+  });
+
+  // Setup WebAuthn
+  await setupWebAuthn(popup);
+
+  // Click Sign Up
+  await popup.getByTestId("signup").click();
+
+  // Confirm access to your account
+  await expect(popup.getByText("Connect to ZKsync SSO Demo")).toBeVisible();
+  await popup.getByTestId("connect").click();
+
+  // Waits for session to complete and popup to close
+  await page.waitForTimeout(2000);
+
+  // Check address/balance is shown
+  await expect(page.getByText("Disconnect")).toBeVisible();
+  await expect(page.getByText("Balance:")).toBeVisible();
+
+  // Check balance is ~0 (unfunded account)
+  const startBalance = +(await page.getByText("Balance:").innerText())
+    .replace("Balance: ", "")
+    .replace(" ETH", "");
+
+  expect(startBalance).toBeLessThan(0.01); // Should be essentially 0
+
+  // Try to send ETH - this should fail with insufficient funds
+  await page.getByRole("button", { name: "Send 0.1 ETH", exact: true }).click();
+
+  // Wait for popup with transaction confirmation
+  await page.waitForTimeout(2000);
+  const confirmPopup = page.context().pages()[1];
+
+  if (confirmPopup) {
+    // Session flow doesn't need confirmation, regular flow does
+    // Setup WebAuthn again for the new popup
+    await setupWebAuthn(confirmPopup);
+
+    // Confirm transaction
+    await expect(confirmPopup.getByText("-0.1")).toBeVisible();
+    await confirmPopup.getByTestId("confirm").click();
+
+    // Wait for transaction processing
+    await page.waitForTimeout(3000);
+  } else {
+    // Session flow - wait for transaction to process
+    await page.waitForTimeout(3000);
+  }
+
+  // Should show error due to insufficient funds
+  await expect(page.locator(".text-red-800")).toBeVisible();
+  const errorText = await page.locator(".text-red-800").innerText();
+  expect(errorText.toLowerCase()).toMatch(/insufficient|balance|funds/i);
+
+  console.log(`Transaction failed as expected: ${errorText}`);
+});
+
+test("Unfunded account with paymaster succeeds", async ({ page }) => {
+  // Add skipFunding query param to prevent auto-funding
+  await page.goto("/?skipFunding=true");
+
+  // Connect with paymaster
+  await page.getByRole("button", { name: "Connect (Paymaster)", exact: true }).click();
+
+  // Ensure popup is displayed
+  await page.waitForTimeout(2000);
+  const popup = page.context().pages()[1];
+  await expect(popup.getByText("Connect to")).toBeVisible();
+
+  popup.on("console", (msg) => {
+    if (msg.type() === "error")
+      console.log(`Auth server error console: "${msg.text()}"`);
+  });
+  popup.on("pageerror", (exception) => {
+    console.log(`Auth server uncaught exception: "${exception}"`);
+  });
+
+  // Setup WebAuthn
+  let client = await setupWebAuthn(popup);
+  let newCredential = null;
+  client.on("WebAuthn.credentialAdded", (credentialAdded) => {
+    console.log("New Passkey credential added for paymaster test");
+    newCredential = credentialAdded.credential;
+  });
+
+  // Click Sign Up
+  await popup.getByTestId("signup").click();
+
+  // Confirm access to your account
+  await expect(popup.getByText("Connect to ZKsync SSO Demo")).toBeVisible();
+  await popup.getByTestId("connect").click();
+
+  // Waits for session to complete and popup to close
+  await page.waitForTimeout(2000);
+
+  // Check address/balance is shown
+  await expect(page.getByText("Disconnect")).toBeVisible();
+  await expect(page.getByText("Balance:")).toBeVisible();
+
+  // Check balance is ~0 (unfunded account)
+  const startBalance = +(await page.getByText("Balance:").innerText())
+    .replace("Balance: ", "")
+    .replace(" ETH", "");
+
+  expect(startBalance).toBeLessThan(0.01); // Should be essentially 0
+  console.log(`Start balance (unfunded): ${startBalance} ETH`);
+
+  // Try to send ETH - this should SUCCEED with paymaster sponsorship
+  await page.getByRole("button", { name: "Send 0.1 ETH", exact: true }).click();
+
+  // Wait for Auth Server to pop back up
+  await page.waitForTimeout(2000);
+  const confirmPopup = page.context().pages()[1];
+
+  // We need to recreate the virtual authenticator to match the previous one
+  client = await confirmPopup.context().newCDPSession(confirmPopup);
+  await client.send("WebAuthn.enable");
+  const result = await client.send("WebAuthn.addVirtualAuthenticator", {
+    options: {
+      protocol: "ctap2",
+      transport: "usb",
+      hasResidentKey: true,
+      hasUserVerification: true,
+      isUserVerified: true,
+      automaticPresenceSimulation: true,
+    },
+  });
+  await expect(newCredential).not.toBeNull();
+  await client.send("WebAuthn.addCredential", {
+    authenticatorId: result.authenticatorId,
+    credential: newCredential!,
+  });
+
+  // Confirm the transfer
+  await expect(confirmPopup.getByText("-0.1")).toBeVisible();
+  await confirmPopup.getByTestId("confirm").click();
+
+  // Wait for confirmation to complete and popup to close
+  await page.waitForTimeout(3000);
+
+  // Confirm transfer completed - button should be enabled again
+  await expect(page.getByRole("button", { name: "Send 0.1 ETH", exact: true })).toBeEnabled();
+
+  // Balance should STILL be ~0 because paymaster covered gas fees!
+  const endBalance = +(await page.getByText("Balance:").innerText())
+    .replace("Balance: ", "")
+    .replace(" ETH", "");
+
+  console.log(`End balance (with paymaster): ${endBalance} ETH`);
+
+  // Balance should not have changed much (paymaster paid the fees)
+  expect(endBalance).toBeLessThan(0.01);
+
+  // Verify no error message
+  const errorVisible = await page.locator(".text-red-800").isVisible().catch(() => false);
+  expect(errorVisible).toBe(false);
+});
+
+test("Session creation with paymaster on unfunded account", async ({ page }) => {
+  // Add skipFunding query param to prevent auto-funding
+  await page.goto("/?skipFunding=true");
+
+  // Connect with session + paymaster
+  await page.getByRole("button", { name: "Connect Session (Paymaster)", exact: true }).click();
+
+  // Ensure popup is displayed
+  await page.waitForTimeout(2000);
+  const popup = page.context().pages()[1];
+  await expect(popup.getByText("Connect to")).toBeVisible();
+
+  popup.on("console", (msg) => {
+    if (msg.type() === "error")
+      console.log(`Auth server error console: "${msg.text()}"`);
+  });
+  popup.on("pageerror", (exception) => {
+    console.log(`Auth server uncaught exception: "${exception}"`);
+  });
+
+  // Setup WebAuthn
+  await setupWebAuthn(popup);
+
+  // Click Sign Up
+  await popup.getByTestId("signup").click();
+
+  // Session authorization screen
+  await expect(popup.getByText("Authorize ZKsync SSO Demo")).toBeVisible();
+  await expect(popup.getByText("Act on your behalf")).toBeVisible();
+  await expect(popup.getByText("Expires tomorrow")).toBeVisible();
+  await popup.getByTestId("connect").click();
+
+  // Waits for session to complete and popup to close
+  await page.waitForTimeout(2000);
+
+  // Check address/balance is shown
+  await expect(page.getByText("Disconnect")).toBeVisible();
+  await expect(page.getByText("Balance:")).toBeVisible();
+
+  // Check balance is ~0 (unfunded account)
+  const startBalance = +(await page.getByText("Balance:").innerText())
+    .replace("Balance: ", "")
+    .replace(" ETH", "");
+
+  expect(startBalance).toBeLessThan(0.01); // Should be essentially 0
+  console.log(`Start balance (unfunded with session): ${startBalance} ETH`);
+
+  // Send ETH using session - should succeed with paymaster, no popup needed
+  await page.getByRole("button", { name: "Send 0.1 ETH", exact: true }).click();
+
+  // Wait for transaction to process (no confirmation popup for session)
+  await page.waitForTimeout(3000);
+
+  // Confirm transfer completed
+  await expect(page.getByRole("button", { name: "Send 0.1 ETH", exact: true })).toBeEnabled();
+
+  // Balance should STILL be ~0 because paymaster covered gas fees!
+  const endBalance = +(await page.getByText("Balance:").innerText())
+    .replace("Balance: ", "")
+    .replace(" ETH", "");
+
+  console.log(`End balance (session + paymaster): ${endBalance} ETH`);
+
+  // Balance should not have changed (paymaster paid the fees)
+  expect(endBalance).toBeLessThan(0.01);
+
+  // Verify no error message
+  const errorVisible = await page.locator(".text-red-800").isVisible().catch(() => false);
+  expect(errorVisible).toBe(false);
+});
diff --git a/examples/demo-app/tests/web-sdk-test.spec.ts b/examples/demo-app/tests/web-sdk-test.spec.ts
index 763a5cdfd..9408ff0c3 100644
--- a/examples/demo-app/tests/web-sdk-test.spec.ts
+++ b/examples/demo-app/tests/web-sdk-test.spec.ts
@@ -1,4 +1,15 @@
 /* eslint-disable no-console */
+/**
+ * Web SDK Test Suite
+ *
+ * NOTE: To run these tests, use the e2e:erc4337:demo-only target:
+ *   pnpm nx e2e:erc4337:demo-only demo-app
+ *
+ * To run a specific test:
+ *   pnpm nx e2e:erc4337:demo-only demo-app -t "test name"
+ *
+ * This target uses nuxt preview (production build) and the ERC-4337 test configuration.
+ */
 import { expect, type Page, test } from "@playwright/test";
 
 async function waitForServicesToLoad(page: Page): Promise<void> {
@@ -108,6 +119,50 @@ test("Deploy, fund, and transfer from smart account", async ({ page }) => {
   console.log("✅ All steps completed successfully!");
 });
 
+test("Deploy smart account with paymaster and send transaction", async ({ page }) => {
+  // Use Anvil account #5 for this test to avoid nonce conflicts
+  await page.goto("/web-sdk-test?fundingAccount=5");
+  await expect(page.getByText("ZKSync SSO Web SDK Test")).toBeVisible();
+
+  // Wait for SDK to load
+  await expect(page.getByText("SDK Loaded:")).toBeVisible();
+  await expect(page.getByText("Yes")).toBeVisible({ timeout: 10000 });
+
+  // Step 1: Deploy Account (paymaster is configured in the SDK deployment by default)
+  console.log("Step 1: Deploying smart account with paymaster...");
+  await page.getByRole("button", { name: "Deploy Account" }).click();
+
+  // Wait for deployment to complete
+  await expect(page.getByText("Account Deployed Successfully!")).toBeVisible({ timeout: 30000 });
+  await expect(page.getByText("Account Address:")).toBeVisible();
+  await expect(page.getByText("EOA Signer:")).toBeVisible();
+
+  console.log("✓ Smart account deployed successfully with paymaster");
+
+  // Step 2: Fund Smart Account
+  console.log("Step 2: Funding smart account...");
+  const amountInput = page.locator("input[placeholder=\"0.1\"]");
+  await expect(amountInput).toBeVisible();
+  await amountInput.fill("0.1");
+  await page.getByRole("button", { name: "Fund Smart Account" }).click();
+  await expect(page.getByText("Transaction Hash:")).toBeVisible({ timeout: 30000 });
+
+  console.log("✓ Smart account funded successfully");
+
+  // Step 3: Send Transaction from Smart Account
+  console.log("Step 3: Sending transaction from smart account...");
+  await expect(page.getByText("Step 2: Send Transaction from Smart Account")).toBeVisible();
+  const recipientInput = page.getByText("Recipient Address:").locator("..").locator("input");
+  await recipientInput.fill("0x70997970C51812dc3A010C7d01b50e0d17dc79C8");
+  const transferAmountInput = page.getByText("Amount (ETH):").locator("..").locator("input");
+  await transferAmountInput.fill("0.001");
+  await page.getByRole("button", { name: "Send with EOA" }).click();
+  await expect(page.locator("strong:has-text(\"Transaction Hash:\")").nth(1)).toBeVisible({ timeout: 30000 });
+  await expect(page.getByText("Transaction failed: Failed to submit UserOperation:")).not.toBeVisible();
+
+  console.log("✓ Transaction sent from smart account successfully");
+  console.log("✅ All steps completed successfully with paymaster!");
+});
 test("Deploy with passkey and send transaction using passkey", async ({ page }) => {
   // Use Anvil account #3 for this test to avoid nonce conflicts with the first test
   await page.goto("/web-sdk-test?fundingAccount=3");
diff --git a/examples/demo-app/utils/contracts.ts b/examples/demo-app/utils/contracts.ts
index c1115cd6b..4e66dee9d 100644
--- a/examples/demo-app/utils/contracts.ts
+++ b/examples/demo-app/utils/contracts.ts
@@ -16,6 +16,8 @@ export interface ContractsConfig {
   beacon: Address;
   factory: Address;
   bundlerUrl?: string;
+  testPaymaster?: Address;
+  entryPoint?: Address;
 }
 
 let cachedContracts: ContractsConfig | null = null;
diff --git a/packages/auth-server-api/.env.example b/packages/auth-server-api/.env.example
index c2289bc72..9119ae324 100644
--- a/packages/auth-server-api/.env.example
+++ b/packages/auth-server-api/.env.example
@@ -1,8 +1,8 @@
 # Server Configuration
-PORT=3004
+PORT=3005
 
 # CORS Configuration (comma-separated origins)
-CORS_ORIGINS=http://localhost:3003,http://localhost:3002,http://localhost:3000
+CORS_ORIGINS=http://localhost:3004,http://localhost:3003,http://localhost:3002,http://localhost:3000
 
 # Deployer Configuration (Private key with funds for deployment gas)
 # For local development, use the Anvil rich account:
diff --git a/packages/auth-server-api/src/config.ts b/packages/auth-server-api/src/config.ts
index a0a63c857..5b8d9420d 100644
--- a/packages/auth-server-api/src/config.ts
+++ b/packages/auth-server-api/src/config.ts
@@ -30,8 +30,8 @@ try {
 
 // Environment schema with optional contract addresses (can fall back to contracts.json)
 const envSchema = z.object({
-  PORT: z.string().default("3004"),
-  CORS_ORIGINS: z.string().default("http://localhost:3003,http://localhost:3002,http://localhost:3000"),
+  PORT: z.string().default("3005"),
+  CORS_ORIGINS: z.string().default("http://localhost:3004,http://localhost:3003,http://localhost:3002,http://localhost:3000"),
   DEPLOYER_PRIVATE_KEY: z.string().default("0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80"),
   RPC_URL: z.string().default("http://127.0.0.1:8545"),
   BUNDLER_URL: z.string().default("http://127.0.0.1:4337"),
diff --git a/packages/auth-server-api/src/handlers/deploy-account.ts b/packages/auth-server-api/src/handlers/deploy-account.ts
index c1d74b4b8..3d2b5648c 100644
--- a/packages/auth-server-api/src/handlers/deploy-account.ts
+++ b/packages/auth-server-api/src/handlers/deploy-account.ts
@@ -2,6 +2,7 @@ import type { Request, Response } from "express";
 import { type Address, createPublicClient, createWalletClient, type Hex, http } from "viem";
 import { privateKeyToAccount } from "viem/accounts";
 import { waitForTransactionReceipt } from "viem/actions";
+import { getGeneralPaymasterInput } from "viem/zksync";
 import { getAccountAddressFromLogs, prepareDeploySmartAccount } from "zksync-sso-4337/client";
 
 import { env, EOA_VALIDATOR_ADDRESS, FACTORY_ADDRESS, getChain, SESSION_VALIDATOR_ADDRESS, WEBAUTHN_VALIDATOR_ADDRESS } from "../config.js";
@@ -14,14 +15,18 @@ type DeployAccountRequest = {
   originDomain: string;
   userId?: string;
   eoaSigners?: Address[];
+  paymaster?: Address;
 };
 
 // Deploy account endpoint
 export const deployAccountHandler = async (req: Request, res: Response): Promise<void> => {
   try {
+    console.log("[DEBUG] deploy-account handler - Raw request body:", JSON.stringify(req.body, null, 2));
+
     // Validate request body
     const validationResult = deployAccountSchema.safeParse(req.body);
     if (!validationResult.success) {
+      console.log("[DEBUG] Validation failed:", validationResult.error.errors);
       res.status(400).json({
         error: `Invalid parameters: ${validationResult.error.errors.map((e) => e.message).join(", ")}`,
       });
@@ -81,10 +86,18 @@ export const deployAccountHandler = async (req: Request, res: Response): Promise
     // Send transaction
     let txHash: Hex;
     try {
-      txHash = await walletClient.sendTransaction({
+      const txParams: any = {
         to: transaction.to,
         data: transaction.data,
-      });
+      };
+
+      // Add paymaster if provided
+      if (body.paymaster) {
+        txParams.paymaster = body.paymaster;
+        txParams.paymasterInput = getGeneralPaymasterInput({ innerInput: "0x" });
+      }
+
+      txHash = await walletClient.sendTransaction(txParams);
     } catch (error) {
       console.error("Transaction send failed:", error);
       const errorMessage = error instanceof Error ? error.message : "Unknown error";
diff --git a/packages/auth-server-api/src/schemas.ts b/packages/auth-server-api/src/schemas.ts
index d315ed5b1..8ad44e2bc 100644
--- a/packages/auth-server-api/src/schemas.ts
+++ b/packages/auth-server-api/src/schemas.ts
@@ -48,7 +48,9 @@ export const deployAccountSchema = z.object({
     y: z.string().startsWith("0x"),
   }),
   originDomain: z.string(),
-  session: sessionSpecJSONSchema.optional(),
+  // Accept session as either a JSON string (from client helper) or an object
+  session: z.union([z.string(), sessionSpecJSONSchema]).optional(),
   userId: z.string().startsWith("0x").optional(),
   eoaSigners: z.array(z.string().startsWith("0x")).optional(),
+  paymaster: z.string().startsWith("0x").optional(),
 });
diff --git a/packages/auth-server/.env.example b/packages/auth-server/.env.example
index 55524fd50..165f9523b 100644
--- a/packages/auth-server/.env.example
+++ b/packages/auth-server/.env.example
@@ -5,7 +5,7 @@ NUXT_PUBLIC_DEFAULT_CHAIN_ID=1337
 NUXT_PUBLIC_APPKIT_PROJECT_ID=your-appkit-project-id
 
 # Auth Server API URL
-NUXT_PUBLIC_AUTH_SERVER_API_URL=http://localhost:3004
+NUXT_PUBLIC_AUTH_SERVER_API_URL=http://localhost:3005
 
 # Prividium Mode Configuration
 PRIVIDIUM_MODE=false
diff --git a/packages/auth-server/components/views/confirmation/RequestSession.vue b/packages/auth-server/components/views/confirmation/RequestSession.vue
index 1c143d66d..a5467f88d 100644
--- a/packages/auth-server/components/views/confirmation/RequestSession.vue
+++ b/packages/auth-server/components/views/confirmation/RequestSession.vue
@@ -128,9 +128,10 @@
 
 <script lang="ts" setup>
 import { useNow } from "@vueuse/core";
-import { parseEther } from "viem";
-import { generatePrivateKey, privateKeyToAddress } from "viem/accounts";
-import { formatSessionPreferences, type SessionPreferences } from "zksync-sso-4337/client";
+import type { Address } from "viem";
+import { encodePacked, keccak256, pad, parseEther } from "viem";
+import { generatePrivateKey, privateKeyToAccount, privateKeyToAddress } from "viem/accounts";
+import { formatSessionPreferences, getSessionHash, type SessionPreferences } from "zksync-sso-4337/client";
 import { LimitType } from "zksync-sso-4337/client";
 import type { ExtractReturnType, Method, RPCResponseMessage } from "zksync-sso-4337/client-auth-server";
 
@@ -144,7 +145,7 @@ const props = defineProps({
 const { appMeta, appOrigin } = useAppMeta();
 const { login } = useAccountStore();
 const { isLoggedIn } = storeToRefs(useAccountStore());
-const { responseInProgress, requestChainId } = storeToRefs(useRequestsStore());
+const { responseInProgress, requestChainId, requestParams } = storeToRefs(useRequestsStore());
 const { createAccount } = useAccountCreate(requestChainId);
 const { respond, deny } = useRequestsStore();
 const { getClient } = useClientStore();
@@ -278,7 +279,8 @@ const confirmConnection = async () => {
   try {
     if (!isLoggedIn.value) {
       // create a new account with initial session data
-      const accountData = await createAccount(sessionConfig.value);
+      const paymaster = (requestParams.value as { paymaster?: Address } | undefined)?.paymaster;
+      const accountData = await createAccount(sessionConfig.value, paymaster);
       if (!accountData) return;
       login({
         address: accountData.address,
@@ -307,8 +309,21 @@ const confirmConnection = async () => {
         },
       };
 
+      // Proof: sign keccak256(abi.encode(sessionSpec, account)) with the session key
+      const sessionHash = getSessionHash(session.sessionConfig);
+      const digest = keccak256(encodePacked([
+        "bytes32",
+        "bytes32",
+      ], [
+        sessionHash,
+        pad(client.account.address),
+      ]));
+      const sessionSigner = privateKeyToAccount(sessionKey);
+      const proof = await sessionSigner.sign({ hash: digest });
+
       await client.createSession({
         sessionSpec: session.sessionConfig,
+        proof,
         contracts: {
           sessionValidator: contractsByChain[requestChainId.value].sessionValidator,
         },
diff --git a/packages/auth-server/composables/useAccountCreate.ts b/packages/auth-server/composables/useAccountCreate.ts
index 1c89da488..976b1d077 100644
--- a/packages/auth-server/composables/useAccountCreate.ts
+++ b/packages/auth-server/composables/useAccountCreate.ts
@@ -1,3 +1,4 @@
+import type { Address } from "viem";
 import { generatePrivateKey, privateKeyToAddress } from "viem/accounts";
 import type { SessionSpec } from "zksync-sso-4337/client";
 import { sessionSpecToJSON } from "zksync-sso-4337/client";
@@ -9,7 +10,7 @@ export const useAccountCreate = (_chainId: MaybeRef<SupportedChainId>, prividium
   const { fetchAddressAssociationMessage, associateAddress, deleteAddressAssociation } = usePrividiumAddressAssociation();
   const runtimeConfig = useRuntimeConfig();
 
-  const { inProgress: registerInProgress, error: createAccountError, execute: createAccount } = useAsync(async (session?: Omit<SessionSpec, "signer">) => {
+  const { inProgress: registerInProgress, error: createAccountError, execute: createAccount } = useAsync(async (session?: Omit<SessionSpec, "signer">, paymaster?: Address) => {
     const result = await registerPasskey();
     if (!result) {
       throw new Error("Failed to register passkey");
@@ -47,20 +48,24 @@ export const useAccountCreate = (_chainId: MaybeRef<SupportedChainId>, prividium
       throw new Error("Auth Server API URL is not configured");
     }
 
+    const requestBody = {
+      chainId: chainId.value,
+      credentialId,
+      credentialPublicKey,
+      originDomain: window.location.origin,
+      session: sessionData ? sessionSpecToJSON(sessionData) : undefined,
+      userId: credentialId, // Use credential ID as unique user ID
+      eoaSigners: [ownerAddress],
+      paymaster,
+    };
+    console.log("[DEBUG] useAccountCreate - Request body:", JSON.stringify(requestBody, null, 2));
+
     const response = await fetch(`${apiUrl}/api/deploy-account`, {
       method: "POST",
       headers: {
         "Content-Type": "application/json",
       },
-      body: JSON.stringify({
-        chainId: chainId.value,
-        credentialId,
-        credentialPublicKey,
-        originDomain: window.location.origin,
-        session: sessionData ? sessionSpecToJSON(sessionData) : undefined,
-        userId: credentialId, // Use credential ID as unique user ID
-        eoaSigners: [ownerAddress],
-      }),
+      body: JSON.stringify(requestBody),
     });
 
     const data = await response.json();
diff --git a/packages/auth-server/nuxt.config.ts b/packages/auth-server/nuxt.config.ts
index cfe980757..e8756c4bb 100644
--- a/packages/auth-server/nuxt.config.ts
+++ b/packages/auth-server/nuxt.config.ts
@@ -85,7 +85,7 @@ export default defineNuxtConfig({
       chainId: parseInt(process.env.NUXT_PUBLIC_DEFAULT_CHAIN_ID || "") || localhost.id,
       ssoAccountInterfaceId: "0xb9094997",
       appKitProjectId: process.env.NUXT_PUBLIC_APPKIT_PROJECT_ID || "9bc5059f6eed355858cc56a3388e9b50",
-      authServerApiUrl: process.env.NUXT_PUBLIC_AUTH_SERVER_API_URL || "http://localhost:3004",
+      authServerApiUrl: process.env.NUXT_PUBLIC_AUTH_SERVER_API_URL || "http://localhost:3005",
       prividiumMode: process.env.PRIVIDIUM_MODE === "true",
       prividium: {
         clientId: process.env.PRIVIDIUM_CLIENT_ID || "",
diff --git a/packages/auth-server/project.json b/packages/auth-server/project.json
index 57bdbc490..783cb32b9 100644
--- a/packages/auth-server/project.json
+++ b/packages/auth-server/project.json
@@ -6,11 +6,25 @@
       "executor": "nx:run-commands",
       "options": {
         "cwd": "packages/auth-server",
-        "commands": ["pnpm run copy:snarkjs && PORT=3002 nuxt dev", "pnpm nx run auth-server-api:dev"],
+        "commands": [
+          "pnpm run copy:snarkjs && NUXT_PUBLIC_AUTH_SERVER_API_URL=http://localhost:3005 PORT=3002 nuxt dev",
+          "PORT=3005 pnpm nx run auth-server-api:dev"
+        ],
         "parallel": true
       },
       "dependsOn": ["^build", "demo-app:deploy-contracts-erc4337"]
     },
+    "dev:no-deploy": {
+      "executor": "nx:run-commands",
+      "options": {
+        "cwd": "packages/auth-server",
+        "commands": [
+          "pnpm run copy:snarkjs && NUXT_PUBLIC_AUTH_SERVER_API_URL=http://localhost:3005 PORT=3002 nuxt dev"
+        ],
+        "parallel": true
+      },
+      "dependsOn": ["^build"]
+    },
     "dev:all": {
       "executor": "nx:run-commands",
       "options": {
@@ -40,7 +54,7 @@
       "executor": "nx:run-commands",
       "options": {
         "cwd": "packages/auth-server",
-        "command": "pnpm nuxt generate --envName local"
+        "command": "NUXT_PUBLIC_AUTH_SERVER_API_URL=http://localhost:3005 pnpm nuxt generate --envName local"
       },
       "dependsOn": ["copy-snarkjs", "^build"]
     },
@@ -50,11 +64,17 @@
         "cwd": "packages/auth-server",
         "commands": [
           {
-            "command": "PORT=3002 pnpm nuxt preview"
+            "command": "NUXT_PUBLIC_AUTH_SERVER_API_URL=http://localhost:3005 PORT=3002 pnpm nuxt preview",
+            "prefix": "Auth-Server:"
+          },
+          {
+            "command": "PORT=3005 pnpm nx run auth-server-api:dev",
+            "prefix": "Auth-API:"
           }
-        ]
+        ],
+        "parallel": true
       },
-      "dependsOn": ["build:local"]
+      "dependsOn": ["build:local", "^build"]
     },
     "deploy": {
       "executor": "nx:run-commands",
diff --git a/packages/auth-server/stores/client.ts b/packages/auth-server/stores/client.ts
index b101fca50..e8abb5628 100644
--- a/packages/auth-server/stores/client.ts
+++ b/packages/auth-server/stores/client.ts
@@ -49,6 +49,7 @@ type ChainContracts = {
   factory: Address;
   bundlerUrl?: string;
   beacon?: Address; // Optional, for deployment
+  testPaymaster?: Address; // Optional, for paymaster sponsorship
 };
 
 export const contractsByChain: Record<SupportedChainId, ChainContracts> = {
@@ -150,6 +151,7 @@ export const useClientStore = defineStore("client", () => {
       bundlerClient,
       chain,
       transport: createTransport(),
+      paymaster: contracts.testPaymaster, // Enable sponsored transactions
     });
 
     return client;
@@ -210,6 +212,7 @@ export const useClientStore = defineStore("client", () => {
       bundlerClient,
       chain,
       transport: createTransport(),
+      paymaster: contracts.testPaymaster, // Enable sponsored transactions
     });
   };
 
diff --git a/packages/auth-server/stores/local-node.json b/packages/auth-server/stores/local-node.json
index 64ef9dffb..ef22d1474 100644
--- a/packages/auth-server/stores/local-node.json
+++ b/packages/auth-server/stores/local-node.json
@@ -1,8 +1,15 @@
 {
-  "beacon": "0x0efdDbB35e9BBc8c762E5B4a0f627210b6c9A721",
-  "eoaValidator": "0xd2571E989390F4F654572BE25Da2f4Ec41CB2cc8",
-  "sessionValidator": "0xEc5AB17Cc35221cdF54EaEb0868eA82d4D75D9Bf",
-  "webauthnValidator": "0xd512108c249cC5ec5370491AD916Be31bb88Dad2",
-  "factory": "0xbe38809914b552f295cD3e8dF2e77b3DA69cBC8b",
+  "rpcUrl": "http://localhost:8545",
+  "chainId": 1337,
+  "deployer": "0xa0Ee7A142d267C1f36714E4a8F75612F20a79720",
+  "eoaValidator": "0xd71301c72D03b483F74BA569ff1132af81079858",
+  "sessionValidator": "0xD4c76bC6306657FE415Ee6B09Ea61cFA50573848",
+  "webauthnValidator": "0x809eBD30a2357012E6cBaB8776682318568556c1",
+  "guardianExecutor": "0x0356cA3d0350858BCac4De0FC1dEa3Bc6e7c3e3a",
+  "accountImplementation": "0x22734Ec6735533298fdFFFa1392967C1ee895f73",
+  "beacon": "0xAd5FE51C9bD9bb62f9b3DD66717eee6a30D82349",
+  "factory": "0x3a63639F3B216461Cbd39Cc7ccfE5d3bD0D34d90",
+  "testPaymaster": "0x381b72E7d068d4A69AB6f8c4f87fc2Cb203798d0",
+  "entryPoint": "0x4337084D9E255Ff0702461CF8895CE9E3b5Ff108",
   "bundlerUrl": "http://localhost:4337"
 }
diff --git a/packages/sdk-4337/src/client-auth-server/Signer.ts b/packages/sdk-4337/src/client-auth-server/Signer.ts
index 8f7bf71fd..52ffa796c 100644
--- a/packages/sdk-4337/src/client-auth-server/Signer.ts
+++ b/packages/sdk-4337/src/client-auth-server/Signer.ts
@@ -1,5 +1,6 @@
 import { type Address, type Chain, createPublicClient, createWalletClient, custom, type Hash, http, type RpcSchema as RpcSchemaGeneric, type SendTransactionParameters, type Transport, type WalletClient } from "viem";
 import { type BundlerClient, createBundlerClient } from "viem/account-abstraction";
+import type { CustomPaymasterHandler } from "zksync-sso/paymaster";
 
 import { createSessionClient, type SessionClient } from "../client/session/client.js";
 import type { Communicator } from "../communicator/index.js";
@@ -43,6 +44,8 @@ type SignerConstructorParams = {
   // onSessionStateChange?: (event: { address: Address; chainId: number; state: SessionStateEvent }) => void;
   skipPreTransactionStateValidation?: boolean; // Useful if you want to send session transactions really fast
   storage?: StorageLike;
+  paymasterHandler?: CustomPaymasterHandler;
+  paymasterAddress?: Address;
 };
 
 type ChainsInfo = ExtractReturnType<"eth_requestAccounts", AuthServerRpcSchema>["chainsInfo"];
@@ -55,6 +58,8 @@ export class Signer implements SignerInterface {
   private readonly transports: Record<number, Transport> = {};
   private readonly bundlerClients: Record<number, BundlerClient> = {};
   private readonly sessionParameters?: () => (SessionPreferences | Promise<SessionPreferences>);
+  private readonly paymasterHandler?: CustomPaymasterHandler;
+  private readonly paymasterAddress?: Address;
   // private readonly onSessionStateChange?: SignerConstructorParams["onSessionStateChange"];
   // private readonly skipPreTransactionStateValidation?: boolean;
 
@@ -62,7 +67,7 @@ export class Signer implements SignerInterface {
   private _chainsInfo: StorageItem<ChainsInfo>;
   private client: { instance: SessionClient; type: "session" } | { instance: WalletClient; type: "auth-server" } | undefined;
 
-  constructor({ metadata, communicator, updateListener, session, chains, transports, bundlerClients, /* onSessionStateChange, skipPreTransactionStateValidation, */ storage }: SignerConstructorParams) {
+  constructor({ metadata, communicator, updateListener, session, chains, transports, bundlerClients, /* onSessionStateChange, skipPreTransactionStateValidation, */ storage, paymasterHandler, paymasterAddress }: SignerConstructorParams) {
     if (!chains.length) throw new Error("At least one chain must be included in the config");
 
     this.getMetadata = metadata;
@@ -72,6 +77,8 @@ export class Signer implements SignerInterface {
     this.chains = chains;
     this.transports = transports || {};
     this.bundlerClients = bundlerClients || {};
+    this.paymasterHandler = paymasterHandler;
+    this.paymasterAddress = paymasterAddress;
     // this.onSessionStateChange = onSessionStateChange;
     // this.skipPreTransactionStateValidation = skipPreTransactionStateValidation;
 
@@ -199,6 +206,7 @@ export class Signer implements SignerInterface {
           bundlerClient,
           chain,
           transport: this.transports[chain.id] || http(),
+          paymasterHandler: this.paymasterHandler,
           /* onSessionStateChange: (event: SessionStateEvent) => {
             if (!this.onSessionStateChange) return;
             this.onSessionStateChange({
@@ -249,6 +257,7 @@ export class Signer implements SignerInterface {
       params: {
         metadata,
         sessionPreferences,
+        paymaster: this.paymasterAddress,
       },
     });
     const handshakeData = responseMessage.content.result!;
diff --git a/packages/sdk-4337/src/client-auth-server/WalletProvider.ts b/packages/sdk-4337/src/client-auth-server/WalletProvider.ts
index d97e9f3c4..85566a183 100644
--- a/packages/sdk-4337/src/client-auth-server/WalletProvider.ts
+++ b/packages/sdk-4337/src/client-auth-server/WalletProvider.ts
@@ -2,6 +2,7 @@ import { EventEmitter } from "eventemitter3";
 import type { Address, Chain, Transport } from "viem";
 import { toHex } from "viem";
 import type { BundlerClient } from "viem/account-abstraction";
+import type { CustomPaymasterHandler } from "zksync-sso/paymaster";
 
 import type { Communicator } from "../communicator/index.js";
 import { PopupCommunicator } from "../communicator/PopupCommunicator.js";
@@ -29,13 +30,15 @@ export type WalletProviderConstructorOptions = {
   // skipPreTransactionStateValidation?: boolean; // Useful if you want to send session transactions really fast
   customCommunicator?: Communicator;
   storage?: StorageLike;
+  paymasterHandler?: CustomPaymasterHandler;
+  paymasterAddress?: Address;
 };
 
 export class WalletProvider extends EventEmitter implements ProviderInterface {
   readonly isZksyncSso = true;
   private signer: Signer;
 
-  constructor({ metadata, chains, transports, bundlerClients, session, authServerUrl, /* onSessionStateChange, skipPreTransactionStateValidation, */ customCommunicator, storage }: WalletProviderConstructorOptions) {
+  constructor({ metadata, chains, transports, bundlerClients, session, authServerUrl, /* onSessionStateChange, skipPreTransactionStateValidation, */ customCommunicator, storage, paymasterHandler, paymasterAddress }: WalletProviderConstructorOptions) {
     super();
     const communicator = customCommunicator ?? new PopupCommunicator(authServerUrl || DEFAULT_AUTH_SERVER_URL);
     this.signer = new Signer({
@@ -53,6 +56,8 @@ export class WalletProvider extends EventEmitter implements ProviderInterface {
       // onSessionStateChange,
       // skipPreTransactionStateValidation,
       storage,
+      paymasterHandler,
+      paymasterAddress,
     });
   }
 
diff --git a/packages/sdk-4337/src/client-auth-server/rpc.ts b/packages/sdk-4337/src/client-auth-server/rpc.ts
index 7a1b5c9bc..89ac186bb 100644
--- a/packages/sdk-4337/src/client-auth-server/rpc.ts
+++ b/packages/sdk-4337/src/client-auth-server/rpc.ts
@@ -13,6 +13,7 @@ export type AuthServerRpcSchema = [
     Parameters: {
       metadata: AppMetadata;
       sessionPreferences?: SessionPreferences;
+      paymaster?: Address;
     };
     ReturnType: {
       account: {
diff --git a/packages/sdk-4337/src/client/common/paymaster-middleware.ts b/packages/sdk-4337/src/client/common/paymaster-middleware.ts
new file mode 100644
index 000000000..64581a47d
--- /dev/null
+++ b/packages/sdk-4337/src/client/common/paymaster-middleware.ts
@@ -0,0 +1,37 @@
+import type { Address } from "viem";
+import type { BundlerClient } from "viem/account-abstraction";
+
+/**
+ * Wraps a bundler client to automatically inject paymaster address into all sendUserOperation calls.
+ * This enables sponsored transactions without requiring callers to pass paymaster on every call.
+ *
+ * @param bundlerClient - The original bundler client
+ * @param paymasterAddress - The paymaster contract address
+ * @returns A wrapped bundler client that injects paymaster into sendUserOperation
+ */
+export function createPaymasterBundlerClient(
+  bundlerClient: BundlerClient,
+  paymasterAddress: Address,
+): BundlerClient {
+  // Create a proxy that intercepts sendUserOperation to add paymaster
+  return new Proxy(bundlerClient, {
+    get(target, prop, receiver) {
+      if (prop === "sendUserOperation") {
+        return async (args: Parameters<BundlerClient["sendUserOperation"]>[0]) => {
+          // Inject paymaster if not already provided
+          const argsWithPaymaster = {
+            ...args,
+            paymaster: args.paymaster ?? paymasterAddress,
+          };
+          console.log(`[Paymaster Middleware] Injecting paymaster: ${paymasterAddress}`);
+          console.log("[Paymaster Middleware] Args with paymaster:", {
+            hasPaymaster: !!argsWithPaymaster.paymaster,
+            paymaster: argsWithPaymaster.paymaster,
+          });
+          return target.sendUserOperation(argsWithPaymaster);
+        };
+      }
+      return Reflect.get(target, prop, receiver);
+    },
+  }) as BundlerClient;
+}
diff --git a/packages/sdk-4337/src/client/ecdsa/account.ts b/packages/sdk-4337/src/client/ecdsa/account.ts
index 21f5fdd3d..44219fa9a 100644
--- a/packages/sdk-4337/src/client/ecdsa/account.ts
+++ b/packages/sdk-4337/src/client/ecdsa/account.ts
@@ -10,6 +10,7 @@ import {
 import {
   entryPoint08Abi,
   entryPoint08Address,
+  getUserOperationHash,
   toSmartAccount,
   type ToSmartAccountReturnType,
 } from "viem/account-abstraction";
@@ -17,8 +18,6 @@ import {
   decode_nonce_result,
   encode_execute_call_data,
   encode_get_nonce_call_data,
-  encode_get_user_operation_hash_call_data,
-  EncodeGetUserOperationHashParams,
   generate_eoa_stub_signature,
   sign_eoa_message,
   sign_eoa_user_operation_hash,
@@ -36,6 +35,8 @@ export type ToEcdsaSmartAccountParams<
   address: Address;
   /** EOA validator contract address (required for stub signature generation). */
   eoaValidatorAddress: Address;
+  /** Optional override for EntryPoint address (defaults to viem's entryPoint08Address). */
+  entryPointAddress?: Address;
 };
 
 /**
@@ -49,12 +50,14 @@ export async function toEcdsaSmartAccount<
   signerPrivateKey,
   address,
   eoaValidatorAddress,
+  entryPointAddress,
 }: ToEcdsaSmartAccountParams<TTransport, TChain>): Promise<ToSmartAccountReturnType> {
+  const epAddress = entryPointAddress ?? entryPoint08Address;
   return toSmartAccount({
     client,
     entryPoint: {
       abi: entryPoint08Abi,
-      address: entryPoint08Address,
+      address: epAddress,
       version: "0.8",
     },
     async getNonce() {
@@ -65,7 +68,7 @@ export async function toEcdsaSmartAccount<
 
       // Viem makes the network call
       const result = await client.call({
-        to: entryPoint08Address,
+        to: epAddress,
         data: calldata,
       // eslint-disable-next-line @typescript-eslint/no-explicit-any
       } as any);
@@ -128,30 +131,28 @@ export async function toEcdsaSmartAccount<
     },
     async signUserOperation(params) {
       const sender = await this.getAddress();
-
-      // Encode call data for EntryPoint.getUserOpHash() using Rust SDK
-      const callData = encode_get_user_operation_hash_call_data(
-        new EncodeGetUserOperationHashParams(
+      // Compute user operation hash locally with full fields (including paymaster)
+      const userOpHash = getUserOperationHash({
+        chainId: Number(client.chain!.id),
+        entryPointAddress: this.entryPoint.address,
+        entryPointVersion: "0.8",
+        userOperation: {
           sender,
-          params.nonce.toString(),
-          params.callData,
-          params.callGasLimit.toString(),
-          params.verificationGasLimit.toString(),
-          params.preVerificationGas.toString(),
-          params.maxFeePerGas.toString(),
-          params.maxPriorityFeePerGas.toString(),
-        ),
-      ) as Hex;
-
-      // Result is the bytes32 hash from EntryPoint.getUserOpHash()
-      const { data: userOpHash } = await client.call({
-        to: this.entryPoint.address,
-        data: callData,
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      } as any);
+          nonce: params.nonce,
+          initCode: (params.initCode ?? "0x") as Hex,
+          callData: (params.callData ?? "0x") as Hex,
+          callGasLimit: params.callGasLimit,
+          verificationGasLimit: params.verificationGasLimit,
+          preVerificationGas: params.preVerificationGas,
+          maxFeePerGas: params.maxFeePerGas,
+          maxPriorityFeePerGas: params.maxPriorityFeePerGas,
+          paymasterAndData: (params.paymasterAndData ?? "0x") as Hex,
+          signature: "0x",
+        },
+      } as any) as Hex;
 
       const signature = sign_eoa_user_operation_hash(
-        userOpHash!,
+        userOpHash,
         signerPrivateKey,
         eoaValidatorAddress,
       ) as Hex;
diff --git a/packages/sdk-4337/src/client/ecdsa/client.ts b/packages/sdk-4337/src/client/ecdsa/client.ts
index 365a9b8a4..75ca808bb 100644
--- a/packages/sdk-4337/src/client/ecdsa/client.ts
+++ b/packages/sdk-4337/src/client/ecdsa/client.ts
@@ -16,6 +16,7 @@ import {
 } from "viem";
 import type { BundlerClient } from "viem/account-abstraction";
 
+import { createPaymasterBundlerClient } from "../common/paymaster-middleware.js";
 import type { ToEcdsaSmartAccountParams } from "./account.js";
 import {
   type EcdsaClientActions,
@@ -37,6 +38,8 @@ export type CreateEcdsaClientParams<
     signerPrivateKey: Hash;
     /** EOA validator contract address (required for signature formatting). */
     eoaValidatorAddress: Address;
+    /** Optional override for EntryPoint address used by the account implementation. */
+    entryPointAddress?: Address;
   };
 
   /** Bundler client instance (created externally by user) */
@@ -48,6 +51,9 @@ export type CreateEcdsaClientParams<
   /** Transport for public RPC calls */
   transport: TTransport;
 
+  /** Optional paymaster address for sponsored transactions */
+  paymaster?: Address;
+
   /** Optional client metadata */
   key?: string;
   name?: string;
@@ -139,7 +145,12 @@ export function createEcdsaClient<
 >(
   params: CreateEcdsaClientParams<TTransport, TChain>,
 ): EcdsaClient<TTransport, TChain, TRpcSchema> {
-  const { account: accountConfig, bundlerClient, chain, transport } = params;
+  const { account: accountConfig, bundlerClient, chain, transport, paymaster } = params;
+
+  // Wrap bundler client to inject paymaster if provided
+  const wrappedBundlerClient = paymaster
+    ? createPaymasterBundlerClient(bundlerClient, paymaster)
+    : bundlerClient;
 
   // Create public client for RPC calls
   const publicClient = createPublicClient({
@@ -153,6 +164,7 @@ export function createEcdsaClient<
     address: accountConfig.address,
     signerPrivateKey: accountConfig.signerPrivateKey,
     eoaValidatorAddress: accountConfig.eoaValidatorAddress,
+    entryPointAddress: accountConfig.entryPointAddress,
   };
 
   // Create the client with all actions
@@ -170,13 +182,13 @@ export function createEcdsaClient<
     .extend((client) =>
       ecdsaClientActions({
         client,
-        bundler: bundlerClient,
+        bundler: wrappedBundlerClient,
         ecdsaAccount: ecdsaAccountParams,
         accountAddress: accountConfig.address,
       }),
     )
     .extend(() => ({
-      bundler: bundlerClient,
+      bundler: wrappedBundlerClient,
     }));
 
   return client as EcdsaClient<TTransport, TChain, TRpcSchema>;
diff --git a/packages/sdk-4337/src/client/passkey/account.ts b/packages/sdk-4337/src/client/passkey/account.ts
index bd421209b..b9795fee0 100644
--- a/packages/sdk-4337/src/client/passkey/account.ts
+++ b/packages/sdk-4337/src/client/passkey/account.ts
@@ -8,6 +8,7 @@ import {
 import {
   entryPoint08Abi,
   entryPoint08Address,
+  getUserOperationHash,
   toSmartAccount,
   type ToSmartAccountReturnType,
 } from "viem/account-abstraction";
@@ -15,8 +16,6 @@ import {
   decode_nonce_result,
   encode_execute_call_data,
   encode_get_nonce_call_data,
-  encode_get_user_operation_hash_call_data,
-  EncodeGetUserOperationHashParams,
   generate_passkey_stub_signature,
 } from "zksync-sso-web-sdk/bundler";
 
@@ -38,6 +37,8 @@ export type ToPasskeySmartAccountParams<
   rpId: string;
   /** Origin URL (for WebAuthn verification). */
   origin: string;
+  /** Optional override for EntryPoint address (defaults to viem's entryPoint08Address). */
+  entryPointAddress?: Address;
 };
 
 /**
@@ -55,12 +56,14 @@ export async function toPasskeySmartAccount<
   credentialId,
   rpId,
   origin,
+  entryPointAddress,
 }: ToPasskeySmartAccountParams<TTransport, TChain>): Promise<ToSmartAccountReturnType> {
+  const epAddress = entryPointAddress ?? entryPoint08Address;
   return toSmartAccount({
     client,
     entryPoint: {
       abi: entryPoint08Abi,
-      address: entryPoint08Address,
+      address: epAddress,
       version: "0.8",
     },
     async getNonce() {
@@ -71,7 +74,7 @@ export async function toPasskeySmartAccount<
 
       // Viem makes the network call
       const result = await client.call({
-        to: entryPoint08Address,
+        to: epAddress,
         data: calldata,
       // eslint-disable-next-line @typescript-eslint/no-explicit-any
       } as any);
@@ -135,27 +138,25 @@ export async function toPasskeySmartAccount<
     },
     async signUserOperation(params) {
       const sender = await this.getAddress();
-
-      // Encode call data for EntryPoint.getUserOpHash() using Rust SDK
-      const callData = encode_get_user_operation_hash_call_data(
-        new EncodeGetUserOperationHashParams(
+      // Compute user operation hash locally with full fields (including paymaster)
+      const userOpHash = getUserOperationHash({
+        chainId: Number(client.chain!.id),
+        entryPointAddress: this.entryPoint.address,
+        entryPointVersion: "0.8",
+        userOperation: {
           sender,
-          params.nonce.toString(),
-          params.callData,
-          params.callGasLimit.toString(),
-          params.verificationGasLimit.toString(),
-          params.preVerificationGas.toString(),
-          params.maxFeePerGas.toString(),
-          params.maxPriorityFeePerGas.toString(),
-        ),
-      ) as Hex;
-
-      // Result is the bytes32 hash from EntryPoint.getUserOpHash()
-      const { data: userOpHash } = await client.call({
-        to: this.entryPoint.address,
-        data: callData,
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      } as any);
+          nonce: params.nonce,
+          initCode: (params.initCode ?? "0x") as Hex,
+          callData: (params.callData ?? "0x") as Hex,
+          callGasLimit: params.callGasLimit,
+          verificationGasLimit: params.verificationGasLimit,
+          preVerificationGas: params.preVerificationGas,
+          maxFeePerGas: params.maxFeePerGas,
+          maxPriorityFeePerGas: params.maxPriorityFeePerGas,
+          paymasterAndData: (params.paymasterAndData ?? "0x") as Hex,
+          signature: "0x",
+        },
+      } as any) as Hex;
 
       // Sign with WebAuthn (browser API) and get complete signature
       // signWithPasskey handles:
diff --git a/packages/sdk-4337/src/client/passkey/client.ts b/packages/sdk-4337/src/client/passkey/client.ts
index 7844779ef..8f6d24773 100644
--- a/packages/sdk-4337/src/client/passkey/client.ts
+++ b/packages/sdk-4337/src/client/passkey/client.ts
@@ -17,6 +17,7 @@ import {
 } from "viem";
 import type { BundlerClient } from "viem/account-abstraction";
 
+import { createPaymasterBundlerClient } from "../common/paymaster-middleware.js";
 import type { ToPasskeySmartAccountParams } from "./account.js";
 import {
   type PasskeyClientActions,
@@ -42,6 +43,8 @@ export type CreatePasskeyClientParams<
     rpId: string;
     /** Origin URL (for WebAuthn verification). */
     origin: string;
+    /** Optional override for EntryPoint address used by the account implementation. */
+    entryPointAddress?: Address;
   };
 
   /** Bundler client instance (created externally by user) */
@@ -53,6 +56,9 @@ export type CreatePasskeyClientParams<
   /** Transport for public RPC calls */
   transport: TTransport;
 
+  /** Optional paymaster address for sponsored transactions */
+  paymaster?: Address;
+
   /** Optional client metadata */
   key?: string;
   name?: string;
@@ -150,7 +156,12 @@ export function createPasskeyClient<
 >(
   params: CreatePasskeyClientParams<TTransport, TChain>,
 ): PasskeyClient<TTransport, TChain, TRpcSchema> {
-  const { account: accountConfig, bundlerClient, chain, transport } = params;
+  const { account: accountConfig, bundlerClient, chain, transport, paymaster } = params;
+
+  // Wrap bundler client to inject paymaster if provided
+  const wrappedBundlerClient = paymaster
+    ? createPaymasterBundlerClient(bundlerClient, paymaster)
+    : bundlerClient;
 
   // Create public client for RPC calls
   const publicClient = createPublicClient({
@@ -166,6 +177,7 @@ export function createPasskeyClient<
     credentialId: accountConfig.credentialId,
     rpId: accountConfig.rpId,
     origin: accountConfig.origin,
+    entryPointAddress: accountConfig.entryPointAddress,
   };
 
   // Create the client with all actions
@@ -183,14 +195,14 @@ export function createPasskeyClient<
     .extend((client) =>
       passkeyClientActions({
         client,
-        bundler: bundlerClient,
+        bundler: wrappedBundlerClient,
         passkeyAccount: passkeyAccountParams,
         accountAddress: accountConfig.address,
         validatorAddress: accountConfig.validatorAddress,
       }),
     )
     .extend(() => ({
-      bundler: bundlerClient,
+      bundler: wrappedBundlerClient,
     }));
 
   return client as PasskeyClient<TTransport, TChain, TRpcSchema>;
diff --git a/packages/sdk-4337/src/client/session/account.ts b/packages/sdk-4337/src/client/session/account.ts
index 0e71f725c..3a3ed15a8 100644
--- a/packages/sdk-4337/src/client/session/account.ts
+++ b/packages/sdk-4337/src/client/session/account.ts
@@ -9,15 +9,15 @@ import {
 import {
   entryPoint08Abi,
   entryPoint08Address,
+  getUserOperationHash,
   toSmartAccount,
   type ToSmartAccountReturnType,
 } from "viem/account-abstraction";
+import type { CustomPaymasterHandler } from "zksync-sso/paymaster";
 import {
   decode_nonce_result,
   encode_get_nonce_call_data,
-  encode_get_user_operation_hash_call_data,
   encode_session_execute_call_data,
-  EncodeGetUserOperationHashParams,
   generate_session_stub_signature_wasm,
   keyed_nonce_decimal,
   session_signature_no_validation_wasm,
@@ -47,6 +47,10 @@ export type ToSessionSmartAccountParams<
   currentTimestamp?: bigint;
   /** Session required contracts. */
   contracts: SessionRequiredContracts;
+  /** Optional paymaster handler for sponsored transactions. */
+  paymasterHandler?: CustomPaymasterHandler;
+  /** Optional override for EntryPoint address (defaults to viem's entryPoint08Address). */
+  entryPointAddress?: Address;
 };
 
 /**
@@ -63,15 +67,17 @@ export async function toSessionSmartAccount<
   contracts,
   sessionSpec,
   currentTimestamp,
+  entryPointAddress,
 }: ToSessionSmartAccountParams<TTransport, TChain>): Promise<ToSmartAccountReturnType> {
   // Precompute session spec JSON once
   const sessionSpecJSON = sessionSpecToJSON(sessionSpec);
+  const epAddress = entryPointAddress ?? entryPoint08Address;
 
   return toSmartAccount({
     client,
     entryPoint: {
       abi: entryPoint08Abi,
-      address: entryPoint08Address,
+      address: epAddress,
       version: "0.8",
     },
     async getNonce() {
@@ -85,7 +91,7 @@ export async function toSessionSmartAccount<
 
       // Call EntryPoint
       const result = await client.call({
-        to: entryPoint08Address,
+        to: epAddress,
         data: calldata,
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
       } as any);
@@ -117,8 +123,8 @@ export async function toSessionSmartAccount<
 
       return encoded;
     },
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    async decodeCalls(data) {
+
+    async decodeCalls() {
       throw new Error("decodeCalls is not supported yet for session accounts.");
     },
 
@@ -149,8 +155,8 @@ export async function toSessionSmartAccount<
         `signMessage is not supported for session accounts. Message: ${String(message)}`,
       );
     },
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    async signTypedData({ domain, types, primaryType, message }) {
+
+    async signTypedData() {
       throw new Error("signTypedData is not supported for session accounts");
     },
     async signUserOperation(params) {
@@ -163,6 +169,7 @@ export async function toSessionSmartAccount<
       const preVerificationGas = params.preVerificationGas ?? 0n;
       const maxFeePerGas = params.maxFeePerGas ?? 0n;
       const maxPriorityFeePerGas = params.maxPriorityFeePerGas ?? 0n;
+      const paymasterAndData = (params.paymasterAndData ?? "0x") as Hex;
 
       // Debug: Log effective gas & nonce passed into signing to diagnose zero-gas AA23 issues
       console.debug(
@@ -177,26 +184,25 @@ export async function toSessionSmartAccount<
         },
       );
 
-      // Encode call data for EntryPoint.getUserOpHash()
-      const callData = encode_get_user_operation_hash_call_data(
-        new EncodeGetUserOperationHashParams(
+      // Compute user operation hash locally using viem helper (includes paymasterAndData)
+      const userOpHash = getUserOperationHash({
+        chainId: Number(client.chain!.id),
+        entryPointAddress: this.entryPoint.address,
+        entryPointVersion: "0.8",
+        userOperation: {
           sender,
-          nonce.toString(),
-          (params.callData ?? "0x") as Hex,
-          callGasLimit.toString(),
-          verificationGasLimit.toString(),
-          preVerificationGas.toString(),
-          maxFeePerGas.toString(),
-          maxPriorityFeePerGas.toString(),
-        ),
-      ) as Hex;
-
-      // Get user operation hash from EntryPoint
-      const { data: userOpHash } = await client.call({
-        to: this.entryPoint.address,
-        data: callData,
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      } as any);
+          nonce,
+          initCode: (params.initCode ?? "0x") as Hex,
+          callData: (params.callData ?? "0x") as Hex,
+          callGasLimit,
+          verificationGasLimit,
+          preVerificationGas,
+          maxFeePerGas,
+          maxPriorityFeePerGas,
+          paymasterAndData,
+          signature: "0x",
+        },
+      } as any) as Hex;
 
       // Parse target and selector from callData for validation
       // The callData is already encoded by encodeCalls, so we need to extract execute() params
@@ -210,7 +216,7 @@ export async function toSessionSmartAccount<
         sessionKeyPrivateKey,
         contracts.sessionValidator,
         sessionSpecJSON,
-        userOpHash!,
+        userOpHash,
         timestampStr,
       ) as Hex;
 
diff --git a/packages/sdk-4337/src/client/session/client.ts b/packages/sdk-4337/src/client/session/client.ts
index 714cf5e24..cb92672f6 100644
--- a/packages/sdk-4337/src/client/session/client.ts
+++ b/packages/sdk-4337/src/client/session/client.ts
@@ -15,6 +15,7 @@ import {
   type WalletRpcSchema,
 } from "viem";
 import type { BundlerClient } from "viem/account-abstraction";
+import type { CustomPaymasterHandler } from "zksync-sso/paymaster";
 
 import type { SessionRequiredContracts, ToSessionSmartAccountParams } from "./account.js";
 import { type SessionClientActions, sessionClientActions } from "./client-actions.js";
@@ -39,8 +40,12 @@ export type CreateSessionClientParams<
   chain: TChain;
   /** Transport for public RPC */
   transport: TTransport;
+  /** Optional paymaster handler for sponsored transactions */
+  paymasterHandler?: CustomPaymasterHandler;
   /** Optional timestamp override for signature generation */
   currentTimestamp?: bigint;
+  /** Optional override for EntryPoint address used by the account implementation. */
+  entryPointAddress?: Address;
   /** Optional client metadata */
   key?: string;
   name?: string;
@@ -98,6 +103,8 @@ export function createSessionClient<
     sessionKeyPrivateKey,
     sessionSpec,
     currentTimestamp,
+    paymasterHandler: params.paymasterHandler,
+    entryPointAddress: params.entryPointAddress,
   };
 
   const client = createClient({
diff --git a/packages/sdk-4337/src/connector/index.ts b/packages/sdk-4337/src/connector/index.ts
index 7480b4801..773d87139 100644
--- a/packages/sdk-4337/src/connector/index.ts
+++ b/packages/sdk-4337/src/connector/index.ts
@@ -8,6 +8,7 @@ import {
 } from "@wagmi/core";
 import type { Compute } from "@wagmi/core/internal";
 import {
+  type Address,
   type Client,
   getAddress,
   SwitchChainError,
@@ -15,6 +16,8 @@ import {
   UserRejectedRequestError,
 } from "viem";
 import type { BundlerClient } from "viem/account-abstraction";
+import type { CustomPaymasterHandler } from "zksync-sso/paymaster";
+import { createGeneralPaymaster } from "zksync-sso/paymaster";
 
 import type { SessionClient, SessionPreferences } from "../client/index.js";
 import type { ProviderInterface } from "../client-auth-server/index.js";
@@ -37,6 +40,7 @@ export type ZksyncSsoConnectorOptions = {
   communicator?: Communicator;
   provider?: ProviderInterface;
   connectorMetadata?: ConnectorMetadata;
+  paymaster?: Address | CustomPaymasterHandler;
 };
 
 export const zksyncSsoConnector = (parameters: ZksyncSsoConnectorOptions) => {
@@ -141,6 +145,18 @@ export const zksyncSsoConnector = (parameters: ZksyncSsoConnectorOptions) => {
     },
     async getProvider() {
       if (!walletProvider) {
+        // Convert paymaster address to handler if needed
+        let paymasterHandler: CustomPaymasterHandler | undefined;
+        let paymasterAddress: Address | undefined;
+        if (parameters.paymaster) {
+          if (typeof parameters.paymaster === "string") {
+            paymasterAddress = parameters.paymaster as Address;
+            paymasterHandler = createGeneralPaymaster(paymasterAddress);
+          } else {
+            paymasterHandler = parameters.paymaster;
+          }
+        }
+
         walletProvider = parameters.provider ?? new WalletProvider({
           metadata: {
             name: parameters.metadata?.name,
@@ -153,6 +169,8 @@ export const zksyncSsoConnector = (parameters: ZksyncSsoConnectorOptions) => {
           bundlerClients: parameters.bundlerClients,
           chains: config.chains,
           customCommunicator: parameters.communicator,
+          paymasterHandler,
+          paymasterAddress,
         });
       }
       return walletProvider;
diff --git a/packages/sdk-4337/tsconfig.build.json b/packages/sdk-4337/tsconfig.build.json
index 76472cce8..fe3f63601 100644
--- a/packages/sdk-4337/tsconfig.build.json
+++ b/packages/sdk-4337/tsconfig.build.json
@@ -8,7 +8,9 @@
     "baseUrl": ".",
     "paths": {
       "zksync-sso-web-sdk/bundler": ["../sdk-platforms/web/dist/bundler.d.ts"],
-      "zksync-sso-web-sdk/node": ["../sdk-platforms/web/dist/node.d.ts"]
+      "zksync-sso-web-sdk/node": ["../sdk-platforms/web/dist/node.d.ts"],
+      "zksync-sso/paymaster": ["../../node_modules/zksync-sso/dist/_types/paymaster/index.d.ts"],
+      "zksync-sso/paymaster/*": ["../../node_modules/zksync-sso/dist/_types/paymaster/*"]
     },
     "sourceMap": true,
     "rootDir": "./src"
diff --git a/packages/sdk-4337/tsconfig.json b/packages/sdk-4337/tsconfig.json
index efdb0963d..cffed499c 100644
--- a/packages/sdk-4337/tsconfig.json
+++ b/packages/sdk-4337/tsconfig.json
@@ -6,6 +6,6 @@
   "compilerOptions": {
     "baseUrl": ".",
     "composite": true,
-    "module": "nodenext"
+    "module": "NodeNext"
   }
 }
diff --git a/packages/sdk/tsconfig.json b/packages/sdk/tsconfig.json
index efdb0963d..cffed499c 100644
--- a/packages/sdk/tsconfig.json
+++ b/packages/sdk/tsconfig.json
@@ -6,6 +6,6 @@
   "compilerOptions": {
     "baseUrl": ".",
     "composite": true,
-    "module": "nodenext"
+    "module": "NodeNext"
   }
 }