authorqrort <qrort@yandex-team.com>2022-11-30 23:47:12 +0300
committerqrort <qrort@yandex-team.com>2022-11-30 23:47:12 +0300
commit22f8ae0e3f5d68b92aecccdf96c1d841a0334311 (patch)
treebffa27765faf54126ad44bcafa89fadecb7a73d7 /library/c/tvmauth
parent332b99e2173f0425444abb759eebcb2fafaa9209 (diff)
validate canons without yatest_common
Diffstat (limited to 'library/c/tvmauth')
-rw-r--r--library/c/tvmauth/README.md54
-rw-r--r--library/c/tvmauth/a.yaml141
-rw-r--r--library/c/tvmauth/build_release.md6
-rw-r--r--library/c/tvmauth/debians/debian/changelog39
-rw-r--r--library/c/tvmauth/debians/tvmauth.json46
-rw-r--r--library/c/tvmauth/debians/tvmauth_dev.json29
-rw-r--r--library/c/tvmauth/deprecated.cpp131
-rw-r--r--library/c/tvmauth/deprecated.h123
-rw-r--r--library/c/tvmauth/deprecated_wrapper.h98
-rw-r--r--library/c/tvmauth/high_lvl_client.cpp449
-rw-r--r--library/c/tvmauth/high_lvl_client.h382
-rw-r--r--library/c/tvmauth/high_lvl_wrapper.h335
-rw-r--r--library/c/tvmauth/so/tvmauth.exports55
-rw-r--r--library/c/tvmauth/src/c_validation.c7
-rw-r--r--library/c/tvmauth/src/exception.h42
-rw-r--r--library/c/tvmauth/src/logger.h25
-rw-r--r--library/c/tvmauth/src/ut/c_interface_ut.cpp408
-rw-r--r--library/c/tvmauth/src/ut/high_lvl_client_ut.cpp264
-rw-r--r--library/c/tvmauth/src/ut/high_lvl_wrapper_ut.cpp188
-rw-r--r--library/c/tvmauth/src/ut/utils_ut.cpp20
-rw-r--r--library/c/tvmauth/src/ut/wrapper_ut.cpp259
-rw-r--r--library/c/tvmauth/src/ut_export/main.c188
-rw-r--r--library/c/tvmauth/src/ut_export/main.cpp140
-rw-r--r--library/c/tvmauth/src/ut_export/test.py56
-rw-r--r--library/c/tvmauth/src/utils.h103
-rw-r--r--library/c/tvmauth/tvmauth.cpp281
-rw-r--r--library/c/tvmauth/tvmauth.h215
-rw-r--r--library/c/tvmauth/tvmauth_wrapper.h224
28 files changed, 4308 insertions, 0 deletions
diff --git a/library/c/tvmauth/README.md b/library/c/tvmauth/README.md
new file mode 100644
index 0000000000..e9bd4b5a47
--- /dev/null
+++ b/library/c/tvmauth/README.md
@@ -0,0 +1,54 @@
+Overview
+===
+This library provides ability to operate with TVM. Library is fast enough to get or check tickets for every request without burning CPU.
+
+[Home page of project](https://wiki.yandex-team.ru/passport/tvm2/)
+
+You can ask questions: [PASSPORTDUTY](https://st.yandex-team.ru/createTicket?queue=PASSPORTDUTY&_form=77618)
+
+TvmClient
+===
+Don't forget to collect logs from client.
+___
+`TvmClient` allowes:
+1. `GetServiceTicketFor()` - to fetch ServiceTicket for outgoing request
+2. `CheckServiceTicket()` - to check ServiceTicket from incoming request
+3. `CheckUserTicket()` - to check UserTicket from incoming request
+
+All methods are thread-safe.
+
+You should check status of `CheckedServiceTicket` or `CheckedUserTicket` for equality 'Ok'. You can get ticket fields (src/uids/scopes) only for correct ticket. Otherwise exception will be thrown.
+___
+You should check status of client with `GetStatus()`:
+* `OK` - nothing to do here
+* `Warning` - **you should trigger your monitoring alert**
+
+ Normal operation of TvmClient is still possible but there are problems with refreshing cache, so it is expiring.
+ Is tvm-api.yandex.net accessible?
+ Have you changed your TVM-secret or your backend (dst) deleted its TVM-client?
+
+* `Error` - **you should trigger your monitoring alert and close this instance for user-traffic**
+
+ TvmClient's cache is already invalid (expired) or soon will be: you can't check valid ServiceTicket or be authenticated by your backends (dsts)
+
+___
+Constructor creates system thread for refreshing cache - so do not fork your proccess after creating `TTvmClient` instance. Constructor leads to network I/O. Other methods always use memory.
+
+Other methods can throw exception only if you try to use unconfigured abilities (for example, you try to get fetched ServiceTicket for some dst but you didn't configured it in settings).
+___
+You can choose way for fetching data for your service operation:
+* http://localhost:{port}/tvm
+* https://tvm-api.yandex.net
+
+TvmTool
+------------
+`TTvmClient` uses local http-interface to get state. This interface can be provided with tvmtool (local daemon) or Qloud/YD (local http api in container).
+See more: https://wiki.yandex-team.ru/passport/tvm2/tvm-daemon/.
+
+`TTvmClient` fetches configuration from tvmtool, so you need only to tell client how to connect to it and tell which alias of tvm id should be used for this `TvmClient` instance.
+
+TvmApi
+------------
+`TvmClient` uses https://tvm-api.yandex.net to get state.
+First of all: please use `SetDiskCacheDir()` - it provides reliability for your service and for tvm-api.
+Please check restrictions of this method.
diff --git a/library/c/tvmauth/a.yaml b/library/c/tvmauth/a.yaml
new file mode 100644
index 0000000000..60e7208d3d
--- /dev/null
+++ b/library/c/tvmauth/a.yaml
@@ -0,0 +1,141 @@
+service: passport_infra
+title: tvmauth (c)
+
+
+arcanum:
+ review:
+ auto_assign: true
+
+ groups:
+ - name: backend-developers
+ roles: developer
+
+ rules:
+ - reviewers:
+ name: backend-developers
+ ship: 2
+ assign: 2
+
+ auto_merge:
+ requirements:
+ - system: pciexpress
+ type: PCI-DSS integrity
+
+
+ci:
+ release-title-source: flow
+ autocheck:
+ fast-targets:
+ - library/c/tvmauth
+ strong: true
+
+ runtime:
+ sandbox-owner: PASSPORT
+ secret: sec-01ekz37bg804cbcsqeftv8v8ec
+
+ releases:
+ tvmauth-c-release:
+ title: tvmauth-c
+ flow: tvmauth-c-release-flow
+ stages:
+ - id: build
+ title: Build
+ - id: stable
+ title: Stable
+ branches:
+ pattern: releases/passport/libtvmauth-${version}
+ auto-create: true
+ filters:
+ - discovery: dir
+ abs-paths:
+ - library/c/tvmauth/**
+ - library/cpp/tvmauth/**
+
+ flows:
+ tvmauth-c-release-flow:
+ jobs:
+ get_version:
+ title: Получение версии из debian/changelog
+ task: common/misc/run_command
+ stage: build
+ input:
+ config:
+ arc_mount_config:
+ enabled: true
+ cmd_line: |
+ head -n 1 $ARCADIA_PATH/library/c/tvmauth/debians/debian/changelog \
+ | grep -Eo '\(.*\)' \
+ | sed 's/[\(|\)]//g' \
+ > $RESULT_RESOURCES_PATH/version
+ result_output:
+ - path: version
+
+ build_deb:
+ needs: get_version
+ title: Сборка через ya package
+ task: common/arcadia/ya_package_2
+ stage: build
+ input:
+ packages: library/c/tvmauth/debians/tvmauth.json;library/c/tvmauth/debians/tvmauth_dev.json
+ package_type: debian
+ run_tests: true
+ publish_to_mapping:
+ library/c/tvmauth/debians/tvmauth.json: yandex-precise;yandex-trusty;yandex-xenial;yandex-bionic;yandex-focal
+ library/c/tvmauth/debians/tvmauth_dev.json: yandex-precise;yandex-trusty;yandex-xenial;yandex-bionic;yandex-focal
+
+ to_stable:
+ stage: stable
+ title: Катим в stable
+ task: dummy
+ needs:
+ - build_deb
+ manual:
+ enabled: true
+
+ conductor_stable_so:
+ needs:
+ - to_stable
+ title: Выкладка через Conductor в stable
+ task: projects/passport/create_conductor_ticket
+ stage: stable
+ input:
+ ticket:
+ branch: stable
+ package: libtvmauth
+ version: ${tasks.get_version.result_output[0].string[0]}
+ comment: |
+ CI: ${context.ci_job_url}
+
+ conductor_stable_dev:
+ needs:
+ - to_stable
+ title: Выкладка через Conductor в stable
+ task: projects/passport/create_conductor_ticket
+ stage: stable
+ input:
+ ticket:
+ branch: stable
+ package: libtvmauth-dev
+ version: ${tasks.get_version.result_output[0].string[0]}
+ comment: |
+ CI: ${context.ci_job_url}
+
+ wait_for_conductor_stable_so:
+ needs: conductor_stable_so
+ title: Ожидание выкладки через Conductor в stable
+ task: projects/passport/wait_for_conductor_ticket
+ stage: stable
+ input:
+ config:
+ ticket_key: ${tasks.conductor_stable_so.result.key}
+ time_to_wait: 172800
+
+ wait_for_conductor_stable_dev:
+ needs: conductor_stable_dev
+ title: Ожидание выкладки через Conductor в stable
+ task: projects/passport/wait_for_conductor_ticket
+ stage: stable
+ input:
+ config:
+ ticket_key: ${tasks.conductor_stable_dev.result.key}
+ time_to_wait: 172800
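Review bot: The `get_version` job's `cmd_line` writes `$RESULT_RESOURCES_PATH/version` through a pipeline whose exit status is that of the final `sed`, so a missing changelog or a first line without a parenthesised version would most likely still leave an empty `version` file and a successful job. That value is later substituted into `version:` for both Conductor tickets. Consider failing fast: start the script with `set -euo pipefail` (assuming the task runs it under bash, which is not visible here), add `test -s "$RESULT_RESOURCES_PATH/version"` after the pipeline, and quote the two path variables.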
diff --git a/library/c/tvmauth/build_release.md b/library/c/tvmauth/build_release.md
new file mode 100644
index 0000000000..46b6c75e5a
--- /dev/null
+++ b/library/c/tvmauth/build_release.md
@@ -0,0 +1,6 @@
+Steps:
+1. `dch -i` in debians/ + commit
+2. Run task: https://sandbox.yandex-team.ru/scheduler/43549/view
+3. `ssh dupload.dist.yandex.net`
+4. `for r in bionic xenial precise trusty focal; do sudo dmove yandex-$r stable libtvmauth-dev <version> unstable ; done`
+5. Push package in Conductor OR `for r in bionic xenial precise trusty focal; do sudo dmove yandex-$r stable libtvmauth <version> unstable ; done`
diff --git a/library/c/tvmauth/debians/debian/changelog b/library/c/tvmauth/debians/debian/changelog
new file mode 100644
index 0000000000..a5af5387d9
--- /dev/null
+++ b/library/c/tvmauth/debians/debian/changelog
@@ -0,0 +1,39 @@
+libtvmauth (3.3.0) unstable; urgency=medium
+
+ * Get rid of std::random_device, use generator without global state (PASSP-34185)
+ * Increase random sleep when client status is ok (PASSP-34021)
+ * Save disk cache with mode 600 (PASSP-35444)
+
+ -- Klevanets Igor <cerevra@yandex-team.ru> Wed, 19 Jan 2022 16:17:08 +0300
+
+libtvmauth (3.2.2) unstable; urgency=medium
+
+ * Reload tvmtool config in backgroud (PASSP-30172)
+ * Fix authtoken for tvmtool: chop spaces (PASSP-32243)
+ * Forbid rewriting of fetch options (PASSP-31681)
+
+ -- Klevanets Igor <cerevra@yandex-team.ru> Wed, 14 Apr 2021 12:03:45 +0300
+
+libtvmauth (3.2.1) unstable; urgency=medium
+
+ * Remake excluding secret from core dump
+
+ -- Klevanets Igor <cerevra@yandex-team.ru> Mon, 29 Mar 2021 09:06:17 +0300
+
+libtvmauth (3.2.0) unstable; urgency=medium
+
+ * Exclude secret from core dump (PASSP-31755)
+
+ -- Klevanets Igor <cerevra@yandex-team.ru> Tue, 16 Mar 2021 09:12:31 +0300
+
+libtvmauth (3.1.0) unstable; urgency=medium
+
+ * Bugfix for disk cache with updated settings (PASSP-31134)
+
+ -- Klevanets Igor <cerevra@yandex-team.ru> Wed, 13 Jan 2021 19:22:24 +0300
+
+libtvmauth (3.0.0) unstable; urgency=medium
+
+ * Initial release. (PASSP-30510)
+
+ -- Klevanets Igor <cerevra@yandex-team.ru> Wed, 02 Dec 2020 15:04:38 +0300
diff --git a/library/c/tvmauth/debians/tvmauth.json b/library/c/tvmauth/debians/tvmauth.json
new file mode 100644
index 0000000000..a5925e95da
--- /dev/null
+++ b/library/c/tvmauth/debians/tvmauth.json
@@ -0,0 +1,46 @@
+{
+ "meta" : {
+ "name" : "libtvmauth",
+ "maintainer" : "passport-dev@yandex-team.ru",
+ "description" : "tvmauth (ex ticket_parser2) library provides TVM scenerios",
+ "version" : "{changelog_version}",
+ "homepage": "https://a.yandex-team.ru/arc/trunk/arcadia/library/c/tvmauth/README.md"
+ },
+ "build" : {
+ "targets" : [
+ "library/cpp/tvmauth/",
+ "library/c/tvmauth/src/ut",
+ "library/c/tvmauth/src/ut_export",
+ "library/c/tvmauth/so"
+ ],
+ "flags" : [
+ {
+ "name" : "ALLOCATOR",
+ "value" : "SYSTEM"
+ }
+ ]
+ },
+ "data" : [
+ {
+ "source" : {
+ "type" : "BUILD_OUTPUT",
+ "path" : "library/c/tvmauth/so",
+ "files": [
+ "libtvmauth.so.3"
+ ]
+ },
+ "destination" : {
+ "path" : "/usr/lib/"
+ }
+ },
+ {
+ "source" : {
+ "type" : "SYMLINK"
+ },
+ "destination" : {
+ "path" : "/usr/lib/libtvmauth.so",
+ "target": "/usr/lib/libtvmauth.so.3"
+ }
+ }
+ ]
+}
diff --git a/library/c/tvmauth/debians/tvmauth_dev.json b/library/c/tvmauth/debians/tvmauth_dev.json
new file mode 100644
index 0000000000..5c5165defb
--- /dev/null
+++ b/library/c/tvmauth/debians/tvmauth_dev.json
@@ -0,0 +1,29 @@
+{
+ "meta" : {
+ "name" : "libtvmauth-dev",
+ "maintainer" : "passport-dev@yandex-team.ru",
+ "depends" : [ "libtvmauth (= {changelog_version})" ],
+ "description" : "tvmauth (ex ticket_parser2) library provides TVM scenerios",
+ "version" : "{changelog_version}",
+ "homepage": "https://a.yandex-team.ru/arc/trunk/arcadia/library/c/tvmauth/README.md"
+ },
+ "data" : [
+ {
+ "source" : {
+ "type" : "ARCADIA",
+ "path" : "library/c/tvmauth",
+ "files" : [
+ "deprecated.h",
+ "deprecated_wrapper.h",
+ "high_lvl_client.h",
+ "high_lvl_wrapper.h",
+ "tvmauth.h",
+ "tvmauth_wrapper.h"
+ ]
+ },
+ "destination" : {
+ "path" : "/usr/include/tvmauth/"
+ }
+ }
+ ]
+}
diff --git a/library/c/tvmauth/deprecated.cpp b/library/c/tvmauth/deprecated.cpp
new file mode 100644
index 0000000000..aac6156b7d
--- /dev/null
+++ b/library/c/tvmauth/deprecated.cpp
@@ -0,0 +1,131 @@
+// DO_NOT_STYLE
+#include "deprecated.h"
+
+#include "src/exception.h"
+#include "src/utils.h"
+
+#include <library/cpp/tvmauth/src/service_impl.h>
+#include <library/cpp/tvmauth/src/user_impl.h>
+#include <library/cpp/tvmauth/src/utils.h>
+
+using namespace NTvmAuth;
+using namespace NTvmAuthC;
+
+TA_EErrorCode TA_CreateServiceContext(
+ uint32_t tvmId,
+ const char* secretBase64,
+ size_t secretBase64Size,
+ const char* tvmKeysResponse,
+ size_t tvmKeysResponseSize,
+ TA_TServiceContext** context) {
+ if ((tvmKeysResponse == nullptr && secretBase64 == nullptr) || context == nullptr)
+ return TA_EC_INVALID_PARAM;
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ if (secretBase64Size && tvmKeysResponse) {
+ (*context) = reinterpret_cast<TA_TServiceContext*>(new TServiceContext::TImpl(
+ TStringBuf(secretBase64, secretBase64Size),
+ tvmId,
+ TStringBuf(tvmKeysResponse, tvmKeysResponseSize)));
+ } else if (secretBase64Size) {
+ (*context) = reinterpret_cast<TA_TServiceContext*>(new TServiceContext::TImpl(
+ TStringBuf(secretBase64, secretBase64Size)));
+ } else {
+ (*context) = reinterpret_cast<TA_TServiceContext*>(new TServiceContext::TImpl(
+ tvmId,
+ TStringBuf(tvmKeysResponse, tvmKeysResponseSize)));
+ }
+
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_DeleteServiceContext(
+ TA_TServiceContext* context) {
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ delete reinterpret_cast<TServiceContext::TImpl*>(context);
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_CheckServiceTicket(
+ const TA_TServiceContext* context,
+ const char* ticketBody,
+ size_t ticketBodySize,
+ TA_TCheckedServiceTicket** ticket) {
+ if (context == nullptr || ticketBody == nullptr || ticket == nullptr)
+ return TA_EC_INVALID_PARAM;
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ (*ticket) = reinterpret_cast<TA_TCheckedServiceTicket*>(
+ reinterpret_cast<const TServiceContext::TImpl*>(context)->Check(TStringBuf(ticketBody, ticketBodySize)).Release());
+ return NTvmAuthC::NUtils::CppErrorCodeToC(NTvmAuthC::NUtils::Translate(*ticket)->GetStatus());
+ });
+}
+
+TA_EErrorCode TA_SignCgiParamsForTvm(
+ const TA_TServiceContext* context,
+ const char* ts,
+ size_t tsSize,
+ const char* dst,
+ size_t dstSize,
+ const char* scopes,
+ size_t scopesSize,
+ char* sign,
+ size_t* signSize,
+ size_t maxSignatureSize) {
+ if (context == nullptr || scopes == nullptr || sign == nullptr || signSize == nullptr)
+ return TA_EC_INVALID_PARAM;
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ const TString signedParams = reinterpret_cast<const TServiceContext::TImpl*>(context)->SignCgiParamsForTvm(
+ TStringBuf(ts, tsSize),
+ TStringBuf(dst, dstSize),
+ TStringBuf(scopes, scopesSize));
+ (*signSize) = signedParams.size();
+ if (maxSignatureSize < *signSize) {
+ return TA_EC_SMALL_BUFFER;
+ }
+ strcpy(sign, signedParams.c_str());
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_CreateUserContext(
+ TA_EBlackboxEnv env,
+ const char* tvmKeysResponse,
+ size_t tvmKeysResponseSize,
+ TA_TUserContext** context) {
+ if (tvmKeysResponse == nullptr || context == nullptr)
+ return TA_EC_INVALID_PARAM;
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ (*context) = reinterpret_cast<TA_TUserContext*>(
+ new TUserContext::TImpl(NTvmAuth::EBlackboxEnv(int(env)),
+ TStringBuf(tvmKeysResponse, tvmKeysResponseSize)));
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_DeleteUserContext(
+ TA_TUserContext* context) {
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ delete reinterpret_cast<TUserContext::TImpl*>(context);
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_CheckUserTicket(
+ const TA_TUserContext* context,
+ const char* ticketBody,
+ size_t ticketBodySize,
+ TA_TCheckedUserTicket** ticket) {
+ if (context == nullptr || ticket == nullptr)
+ return TA_EC_INVALID_PARAM;
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ (*ticket) = reinterpret_cast<TA_TCheckedUserTicket*>(
+ reinterpret_cast<const TUserContext::TImpl*>(context)->Check(TStringBuf(ticketBody, ticketBodySize)).Release());
+ return NTvmAuthC::NUtils::CppErrorCodeToC(NTvmAuthC::NUtils::Translate(*ticket)->GetStatus());
+ });
+}
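Review bot: In TA_SignCgiParamsForTvm the size check `maxSignatureSize < *signSize` lets a signature of exactly maxSignatureSize bytes through, and the following `strcpy` then writes signSize + 1 bytes including the terminating NUL, one byte past the caller's buffer. Either reject the exact-fit case with `if (maxSignatureSize <= *signSize) return TA_EC_SMALL_BUFFER;` or, if callers are not expected to rely on the terminator, copy with `memcpy(sign, signedParams.data(), *signSize);`. The same function wraps `ts` and `dst` in TStringBuf without the null check that `scopes` gets, and TA_CheckUserTicket omits the `ticketBody == nullptr` check that TA_CheckServiceTicket has; both belong in the TA_EC_INVALID_PARAM guards.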
diff --git a/library/c/tvmauth/deprecated.h b/library/c/tvmauth/deprecated.h
new file mode 100644
index 0000000000..f2e9e843cf
--- /dev/null
+++ b/library/c/tvmauth/deprecated.h
@@ -0,0 +1,123 @@
+#pragma once
+// DO_NOT_STYLE
+
+#ifndef _TVM_AUTH_DEPRECATED_H_
+#define _TVM_AUTH_DEPRECATED_H_
+
+#include "tvmauth.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*!
+ * Please do not use thees types: use TvmClient instead
+ */
+
+struct TA_TServiceContext;
+struct TA_TUserContext;
+
+/*!
+ * Create service context. Serivce contexts are used to store TVM keys and parse service tickets.
+ * @param[in] tvmId Can be 0 if tvmKeysResponse == NULL
+ * @param[in] secretBase64 Secret, can be NULL if param 'tvmKeysResponse' is not NULL. Sign attempt hence raises exception
+ * @param[in] secretBase64Size Size of string containing secret
+ * @param[in] tvmKeysResponse TVM Keys gotten from TVM API, can be NULL if param 'secretBase64' is not NULL. Only for ticket checking
+ * @param[in] tvmKeysResponseSize Size of string containing keys
+ * @param[out] context
+ * @return Error code
+ */
+enum TA_EErrorCode TA_CreateServiceContext(
+ uint32_t tvmId,
+ const char* secretBase64,
+ size_t secretBase64Size,
+ const char* tvmKeysResponse,
+ size_t tvmKeysResponseSize,
+ struct TA_TServiceContext** context);
+
+/*!
+ * Free memory of service context.
+ * @param[in] context
+ * @return Error code
+ */
+enum TA_EErrorCode TA_DeleteServiceContext(struct TA_TServiceContext* context);
+
+/*!
+ * Parse and validate service ticket body then create TCheckedServiceTicket object.
+ * @param[in] context
+ * @param[in] ticketBody Service ticket body as string
+ * @param[in] ticketBodySize Size of string containing service ticket body
+ * @param[out] ticket Service ticket object
+ * @return Error code
+ */
+enum TA_EErrorCode TA_CheckServiceTicket(
+ const struct TA_TServiceContext* context,
+ const char* ticketBody,
+ size_t ticketBodySize,
+ struct TA_TCheckedServiceTicket** ticket);
+
+/*!
+ * Create signature for selected parameters. Allocate at least 512 byte for signature buffer.
+ * @param[in] context
+ * @param[in] ts Param 'ts' of request to TVM
+ * @param[in] tsSize Size of param 'ts' of request to TVM
+ * @param[in] dst Param 'dst' of request to TVM
+ * @param[in] dstSize Size of param 'dst' of request to TVM
+ * @param[in] scopes Param 'scopes' of request to TVM
+ * @param[in] scopesSize Size of param 'scopes' of request to TVM
+ * @param[out] signature
+ * @param[out] signatureSize
+ * @param[in] maxSignatureSize
+ * @return Error code
+ */
+enum TA_EErrorCode TA_SignCgiParamsForTvm(
+ const struct TA_TServiceContext* context,
+ const char* ts,
+ size_t tsSize,
+ const char* dst,
+ size_t dstSize,
+ const char* scopes,
+ size_t scopesSize,
+ char* signature,
+ size_t* signatureSize,
+ size_t maxSignatureSize);
+
+/*!
+ * Create user context. User contexts are used to store TVM keys and parse user tickets.
+ * @param[in] env
+ * @param[in] tvmKeysResponse
+ * @param[in] tvmKeysResponseSize
+ * @param[out] context
+ * @return Error code
+ */
+enum TA_EErrorCode TA_CreateUserContext(
+ enum TA_EBlackboxEnv env,
+ const char* tvmKeysResponse,
+ size_t tvmKeysResponseSize,
+ struct TA_TUserContext** context);
+
+/*!
+ * Free memory of user context.
+ * @param[in] context
+ * @return Error code
+ */
+enum TA_EErrorCode TA_DeleteUserContext(struct TA_TUserContext* context);
+
+/*!
+ * Parse and validate user ticket body then create TCheckedUserTicket object.
+ * @param[in] context
+ * @param[in] ticketBody Service ticket body as string
+ * @param[in] ticketBodySize Size of string containing service ticket body
+ * @param[out] ticket Service ticket object
+ * @return Error code
+ */
+enum TA_EErrorCode TA_CheckUserTicket(
+ const struct TA_TUserContext* context,
+ const char* ticketBody,
+ size_t ticketBodySize,
+ struct TA_TCheckedUserTicket** ticket);
+
+#ifdef __cplusplus
+}
+#endif
+#endif
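Review bot: The doc comments on TA_CheckServiceTicket and TA_CheckUserTicket do not say who owns `*ticket`; the implementation in deprecated.cpp of this commit stores a released pointer there before translating the status, so the object appears to be allocated even when a non-OK code is returned. I would extend the `@param[out] ticket` line to say that the object is allocated whenever the checker runs, including for non-OK statuses, and that the caller must release it, naming the release function (it is not declared in this header). The TA_CheckUserTicket comment also still says "Service ticket body" and "Service ticket object" for a user ticket. For TA_SignCgiParamsForTvm, state whether `maxSignatureSize` has to include room for a terminating NUL.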
diff --git a/library/c/tvmauth/deprecated_wrapper.h b/library/c/tvmauth/deprecated_wrapper.h
new file mode 100644
index 0000000000..e554a01bad
--- /dev/null
+++ b/library/c/tvmauth/deprecated_wrapper.h
@@ -0,0 +1,98 @@
+#pragma once
+// DO_NOT_STYLE
+
+#ifndef _TVM_AUTH_DEPRECATED_WRAPPER_H_
+#define _TVM_AUTH_DEPRECATED_WRAPPER_H_
+
+#include "deprecated.h"
+#include "tvmauth_wrapper.h"
+
+#include <memory>
+#include <string>
+#include <vector>
+
+namespace NTvmAuthWrapper {
+ /*!
+ * Please do not use thees types: use TvmClient instead
+ */
+
+ class TServiceContext {
+ public:
+ TServiceContext(TTvmId tvmId, const std::string& secretBase64, const std::string& tvmKeysResponse)
+ : Ptr(nullptr, TA_DeleteServiceContext) {
+ TA_TServiceContext* rawPtr;
+ ThrowIfFatal(TA_CreateServiceContext(tvmId, secretBase64.c_str(), secretBase64.size(), tvmKeysResponse.c_str(), tvmKeysResponse.size(), &rawPtr));
+ Ptr.reset(rawPtr);
+ }
+
+ static TServiceContext CheckingFactory(TTvmId tvmId, const std::string& tvmKeysResponse) {
+ return TServiceContext(tvmId, tvmKeysResponse);
+ }
+
+ static TServiceContext SigningFactory(const std::string& secretBase64, TTvmId = 0) {
+ TServiceContext ins;
+ TA_TServiceContext* rawPtr;
+ ThrowIfFatal(TA_CreateServiceContext(0, secretBase64.c_str(), secretBase64.size(), nullptr, 0, &rawPtr));
+ ins.Ptr.reset(rawPtr);
+ return ins;
+ }
+
+ TServiceContext(TServiceContext&& o) = default;
+ TServiceContext& operator=(TServiceContext&& o) = default;
+
+ TCheckedServiceTicket Check(const std::string& ticketBody) const {
+ TA_TCheckedServiceTicket* ticketPtr = nullptr;
+ TA_EErrorCode resultCode = TA_CheckServiceTicket(Ptr.get(), ticketBody.c_str(), ticketBody.size(), &ticketPtr);
+ return TCheckedServiceTicket(ticketPtr, resultCode);
+ }
+
+ std::string SignCgiParamsForTvm(const std::string& ts, const std::string& dst, const std::string& scopes) const {
+ char buffer[1024];
+ size_t realSize;
+ ThrowIfFatal(TA_SignCgiParamsForTvm(Ptr.get(), ts.c_str(), ts.size(), dst.c_str(), dst.size(), scopes.c_str(), scopes.size(), buffer, &realSize, 1024));
+ return std::string(buffer, realSize);
+ }
+
+ public:
+ // Use CheckingFactory()
+ TServiceContext(TTvmId tvmId, const std::string& tvmKeysResponse)
+ : Ptr(nullptr, TA_DeleteServiceContext) {
+ TA_TServiceContext* rawPtr;
+ ThrowIfFatal(TA_CreateServiceContext(tvmId, nullptr, 0, tvmKeysResponse.c_str(), tvmKeysResponse.size(), &rawPtr));
+ Ptr.reset(rawPtr);
+ }
+
+ private:
+ TServiceContext()
+ : Ptr(nullptr, TA_DeleteServiceContext)
+ {
+ }
+
+ private:
+ std::unique_ptr<TA_TServiceContext, decltype(&TA_DeleteServiceContext)> Ptr;
+ };
+
+ class TUserContext {
+ public:
+ TUserContext(TA_EBlackboxEnv env, const std::string& tvmKeysResponse)
+ : Ptr(nullptr, TA_DeleteUserContext) {
+ TA_TUserContext* rawPtr;
+ ThrowIfFatal(TA_CreateUserContext(env, tvmKeysResponse.c_str(), tvmKeysResponse.size(), &rawPtr));
+ Ptr.reset(rawPtr);
+ }
+
+ TUserContext(TUserContext&& o) = default;
+ TUserContext& operator=(TUserContext&& o) = default;
+
+ TCheckedUserTicket Check(const std::string& ticketBody) const {
+ TA_TCheckedUserTicket* ticketPtr = nullptr;
+ TA_EErrorCode resultCode = TA_CheckUserTicket(Ptr.get(), ticketBody.c_str(), ticketBody.size(), &ticketPtr);
+ return TCheckedUserTicket(ticketPtr, resultCode);
+ }
+
+ private:
+ std::unique_ptr<TA_TUserContext, decltype(&TA_DeleteUserContext)> Ptr;
+ };
+}
+
+#endif
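Review bot: `TA_TServiceContext* rawPtr;` (three places in TServiceContext), `TA_TUserContext* rawPtr;` in TUserContext and `size_t realSize;` in SignCgiParamsForTvm are left uninitialized and are consumed right after ThrowIfFatal returns. ThrowIfFatal is defined outside this hunk; if it lets any non-OK code through without throwing, `Ptr.reset(rawPtr)` would hand an indeterminate pointer to the deleter and `std::string(buffer, realSize)` would read an indeterminate length from the stack buffer. Initialize them at declaration: `TA_TServiceContext* rawPtr = nullptr;`, `TA_TUserContext* rawPtr = nullptr;`, `size_t realSize = 0;`. SigningFactory also accepts a `TTvmId` argument and ignores it, always passing 0; a comment stating that this is intentional would help.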
diff --git a/library/c/tvmauth/high_lvl_client.cpp b/library/c/tvmauth/high_lvl_client.cpp
new file mode 100644
index 0000000000..ae85cefc92
--- /dev/null
+++ b/library/c/tvmauth/high_lvl_client.cpp
@@ -0,0 +1,449 @@
+// DO_NOT_STYLE
+#include "high_lvl_client.h"
+
+#include "tvmauth.h"
+#include "src/exception.h"
+#include "src/logger.h"
+#include "src/utils.h"
+
+#include <library/cpp/tvmauth/client/facade.h>
+#include <library/cpp/tvmauth/client/misc/utils.h>
+#include <library/cpp/tvmauth/client/misc/api/settings.h>
+
+using namespace NTvmAuth;
+using namespace NTvmAuthC;
+
+void TA_NoopLogger(int, const char*) {
+}
+
+TA_EErrorCode TA_TvmToolClientSettings_Create(
+ const char* alias,
+ size_t aliasSize,
+ TA_TTvmToolClientSettings** settings) {
+ if (alias == nullptr ||
+ aliasSize == 0 ||
+ settings == nullptr) {
+ return TA_EC_INVALID_PARAM;
+ }
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ *settings = NTvmAuthC::NUtils::Translate(new NTvmTool::TClientSettings(TClientSettings::TAlias(alias, aliasSize)));
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_TvmToolClientSettings_Delete(
+ TA_TTvmToolClientSettings* settings) {
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ delete NTvmAuthC::NUtils::Translate(settings);
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_TvmToolClientSettings_SetPort(
+ TA_TTvmToolClientSettings* settings,
+ uint16_t port) {
+ if (settings == nullptr ||
+ port == 0) {
+ return TA_EC_INVALID_PARAM;
+ }
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ NTvmAuthC::NUtils::Translate(settings)->SetPort(port);
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_TvmToolClientSettings_SetHostname(
+ TA_TTvmToolClientSettings* settings,
+ const char* hostname,
+ size_t hostnameSize) {
+ if (settings == nullptr ||
+ hostname == nullptr ||
+ hostnameSize == 0) {
+ return TA_EC_INVALID_PARAM;
+ }
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ NTvmAuthC::NUtils::Translate(settings)->SetHostname(TString(hostname, hostnameSize));
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_TvmToolClientSettings_SetAuthToken(
+ TA_TTvmToolClientSettings* settings,
+ const char* authtoken,
+ size_t authtokenSize) {
+ if (settings == nullptr ||
+ authtoken == nullptr ||
+ authtokenSize == 0) {
+ return TA_EC_INVALID_PARAM;
+ }
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ NTvmAuthC::NUtils::Translate(settings)->SetAuthToken(TString(authtoken, authtokenSize));
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_TvmToolClientSettings_OverrideBlackboxEnv(
+ TA_TTvmToolClientSettings* settings,
+ TA_EBlackboxEnv env) {
+ if (settings == nullptr) {
+ return TA_EC_INVALID_PARAM;
+ }
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ NTvmAuthC::NUtils::Translate(settings)->OverrideBlackboxEnv(NTvmAuth::EBlackboxEnv(int(env)));
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_TvmApiClientSettings_Create(
+ TA_TTvmApiClientSettings** settings) {
+ if (settings == nullptr) {
+ return TA_EC_INVALID_PARAM;
+ }
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ *settings = NTvmAuthC::NUtils::Translate(new NTvmApi::TClientSettings);
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_TvmApiClientSettings_Delete(
+ TA_TTvmApiClientSettings* settings) {
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ delete NTvmAuthC::NUtils::Translate(settings);
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_TvmApiClientSettings_SetSelfTvmId(
+ TA_TTvmApiClientSettings* settings,
+ uint32_t selfTvmId) {
+ if (settings == nullptr ||
+ selfTvmId == 0) {
+ return TA_EC_INVALID_PARAM;
+ }
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ NTvmAuthC::NUtils::Translate(settings)->SelfTvmId = selfTvmId;
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_TvmApiClientSettings_EnableServiceTicketChecking(
+ TA_TTvmApiClientSettings* settings) {
+ if (settings == nullptr) {
+ return TA_EC_INVALID_PARAM;
+ }
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ NTvmAuthC::NUtils::Translate(settings)->CheckServiceTickets = true;
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_TvmApiClientSettings_EnableUserTicketChecking(
+ TA_TTvmApiClientSettings* settings,
+ TA_EBlackboxEnv env) {
+ if (settings == nullptr) {
+ return TA_EC_INVALID_PARAM;
+ }
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ NTvmAuthC::NUtils::Translate(settings)->CheckUserTicketsWithBbEnv = NTvmAuth::EBlackboxEnv(int(env));
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_TvmApiClientSettings_EnableServiceTicketsFetchOptionsWithAliases(
+ TA_TTvmApiClientSettings* settings,
+ const char* selfSecret,
+ size_t selfSecretSize,
+ const char* dsts,
+ size_t dstsSize) {
+ if (settings == nullptr ||
+ selfSecret == nullptr ||
+ selfSecretSize == 0 ||
+ dsts == nullptr ||
+ dstsSize == 0) {
+ return TA_EC_INVALID_PARAM;
+ }
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ NTvmApi::TClientSettings& s = *NTvmAuthC::NUtils::Translate(settings);
+ s.Secret = TStringBuf(selfSecret, selfSecretSize);
+ s.FetchServiceTicketsForDstsWithAliases = NTvmAuth::NUtils::ParseDstMap(TStringBuf(dsts, dstsSize));
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_TvmApiClientSettings_EnableServiceTicketsFetchOptionsWithTvmIds(
+ TA_TTvmApiClientSettings* settings,
+ const char* selfSecret,
+ size_t selfSecretSize,
+ const char* dsts,
+ size_t dstsSize) {
+ if (settings == nullptr ||
+ selfSecret == nullptr ||
+ selfSecretSize == 0 ||
+ dsts == nullptr ||
+ dstsSize == 0) {
+ return TA_EC_INVALID_PARAM;
+ }
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ NTvmApi::TClientSettings& s = *NTvmAuthC::NUtils::Translate(settings);
+ s.Secret = TStringBuf(selfSecret, selfSecretSize);
+ s.FetchServiceTicketsForDsts = NTvmAuth::NUtils::ParseDstVector(TStringBuf(dsts, dstsSize));
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_TvmApiClientSettings_SetDiskCacheDir(
+ TA_TTvmApiClientSettings* settings,
+ const char* path,
+ size_t pathSize) {
+ if (settings == nullptr ||
+ path == nullptr ||
+ pathSize == 0) {
+ return TA_EC_INVALID_PARAM;
+ }
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ NTvmAuthC::NUtils::Translate(settings)->DiskCacheDir = TString(path, pathSize);
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_TvmClient_CreateForTvmtool(
+ const TA_TTvmToolClientSettings* settings,
+ TA_TLoggerFunc logger,
+ TA_TTvmClient** client) {
+ if (settings == nullptr ||
+ logger == nullptr ||
+ client == nullptr) {
+ return TA_EC_INVALID_PARAM;
+ }
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ // TODO: drop copy: PASSP-37079
+ // We need to disable roles logic: client doesn't allow to use it correctly
+ NTvmTool::TClientSettings settingsCopy = *NTvmAuthC::NUtils::Translate(settings);
+ settingsCopy.ShouldCheckSrc = false;
+ settingsCopy.ShouldCheckDefaultUid = false;
+
+ *client = NTvmAuthC::NUtils::Translate(new TTvmClient(
+ settingsCopy,
+ MakeIntrusive<TLoggerC>(logger)));
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_TvmClient_Create(
+ const TA_TTvmApiClientSettings* settings,
+ TA_TLoggerFunc logger,
+ TA_TTvmClient** client) {
+ if (settings == nullptr ||
+ logger == nullptr ||
+ client == nullptr) {
+ return TA_EC_INVALID_PARAM;
+ }
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ *client = NTvmAuthC::NUtils::Translate(new TTvmClient(
+ *NTvmAuthC::NUtils::Translate(settings),
+ MakeIntrusive<TLoggerC>(logger)));
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_TvmClient_Delete(
+ TA_TTvmClient* client) {
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ delete NTvmAuthC::NUtils::Translate(client);
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_TvmClient_CheckServiceTicket(
+ const TA_TTvmClient* client,
+ const char* ticket,
+ size_t ticketSize,
+ TA_TCheckedServiceTicket** serviceTicket) {
+ if (client == nullptr ||
+ ticket == nullptr ||
+ ticketSize == 0 ||
+ serviceTicket == nullptr) {
+ return TA_EC_INVALID_PARAM;
+ }
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ TCheckedServiceTicket t = NTvmAuthC::NUtils::Translate(client)->CheckServiceTicket(TStringBuf(ticket, ticketSize));
+ ETicketStatus s = t.GetStatus();
+
+ *serviceTicket = NTvmAuthC::NUtils::Translate(NTvmAuth::NInternal::TCanningKnife::GetS(t));
+ return NTvmAuthC::NUtils::CppErrorCodeToC(s);
+ });
+}
+
+TA_EErrorCode TA_TvmClient_CheckUserTicket(
+ const TA_TTvmClient* client,
+ const char* ticket,
+ size_t ticketSize,
+ TA_TCheckedUserTicket** userTicket) {
+ if (client == nullptr ||
+ ticket == nullptr ||
+ ticketSize == 0 ||
+ userTicket == nullptr) {
+ return TA_EC_INVALID_PARAM;
+ }
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ TCheckedUserTicket t = NTvmAuthC::NUtils::Translate(client)->CheckUserTicket(TStringBuf(ticket, ticketSize));
+ ETicketStatus s = t.GetStatus();
+
+ *userTicket = NTvmAuthC::NUtils::Translate(NTvmAuth::NInternal::TCanningKnife::GetU(t));
+ return NTvmAuthC::NUtils::CppErrorCodeToC(s);
+ });
+}
+
+TA_EErrorCode TA_TvmClient_CheckUserTicketWithOverridedEnv(
+ const TA_TTvmClient* client,
+ const char* ticket,
+ size_t ticketSize,
+ enum TA_EBlackboxEnv env,
+ TA_TCheckedUserTicket** userTicket) {
+ if (client == nullptr ||
+ ticket == nullptr ||
+ ticketSize == 0 ||
+ userTicket == nullptr) {
+ return TA_EC_INVALID_PARAM;
+ }
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ TCheckedUserTicket t = NTvmAuthC::NUtils::Translate(client)->CheckUserTicket(TStringBuf(ticket, ticketSize), NTvmAuth::EBlackboxEnv(int(env)));
+ ETicketStatus s = t.GetStatus();
+
+ *userTicket = NTvmAuthC::NUtils::Translate(NTvmAuth::NInternal::TCanningKnife::GetU(t));
+ return NTvmAuthC::NUtils::CppErrorCodeToC(s);
+ });
+}
+
+TA_EErrorCode TA_TvmClient_GetServiceTicketForAlias(
+ const TA_TTvmClient* client,
+ const char* dst,
+ size_t dstSize,
+ size_t maxTicketSize,
+ char* ticket,
+ size_t* ticketSize) {
+ if (client == nullptr ||
+ dst == nullptr ||
+ dstSize == 0 ||
+ maxTicketSize == 0 ||
+ ticket == nullptr ||
+ ticketSize == nullptr) {
+ return TA_EC_INVALID_PARAM;
+ }
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ TString t = NTvmAuthC::NUtils::Translate(client)->GetServiceTicketFor(TClientSettings::TAlias(dst, dstSize));
+
+ (*ticketSize) = t.size();
+ if (maxTicketSize < *ticketSize) {
+ return TA_EC_SMALL_BUFFER;
+ }
+ strcpy(ticket, t.c_str());
+
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_TvmClient_GetServiceTicketForTvmId(
+ const TA_TTvmClient* client,
+ uint32_t dst,
+ size_t maxTicketSize,
+ char* ticket,
+ size_t* ticketSize) {
+ if (client == nullptr ||
+ dst == 0 ||
+ maxTicketSize == 0 ||
+ ticket == nullptr ||
+ ticketSize == nullptr) {
+ return TA_EC_INVALID_PARAM;
+ }
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ TString t = NTvmAuthC::NUtils::Translate(client)->GetServiceTicketFor(dst);
+
+ (*ticketSize) = t.size();
+ if (maxTicketSize < *ticketSize) {
+ return TA_EC_SMALL_BUFFER;
+ }
+ strcpy(ticket, t.c_str());
+
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_TvmClient_GetStatus(
+ const TA_TTvmClient* client,
+ TA_TTvmClientStatus** status) {
+ if (client == nullptr ||
+ status == nullptr) {
+ return TA_EC_INVALID_PARAM;
+ }
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ std::unique_ptr ret = std::make_unique<TClientStatus>(NTvmAuthC::NUtils::Translate(client)->GetStatus());
+ *status = NTvmAuthC::NUtils::Translate(ret.release());
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_TvmClient_DeleteStatus(
+ TA_TTvmClientStatus* status) {
+ if (status == nullptr) {
+ return TA_EC_INVALID_PARAM;
+ }
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ delete NTvmAuthC::NUtils::Translate(status);
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_TvmClient_Status_GetCode(
+ const TA_TTvmClientStatus* status,
+ TA_ETvmClientStatusCode* code) {
+ if (status == nullptr ||
+ code == nullptr) {
+ return TA_EC_INVALID_PARAM;
+ }
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ *code = (TA_ETvmClientStatusCode)NTvmAuthC::NUtils::Translate(status)->GetCode();
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_TvmClient_Status_GetLastError(
+ const TA_TTvmClientStatus* status,
+ const char** lastError,
+ size_t* lastErrorSize) {
+ if (status == nullptr ||
+ lastError == nullptr ||
+ lastErrorSize == nullptr) {
+ return TA_EC_INVALID_PARAM;
+ }
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ const TString& s = NTvmAuthC::NUtils::Translate(status)->GetLastError();
+
+ *lastError = s.c_str();
+ *lastErrorSize = s.size();
+ return TA_EC_OK;
+ });
+}
diff --git a/library/c/tvmauth/high_lvl_client.h b/library/c/tvmauth/high_lvl_client.h
new file mode 100644
index 0000000000..8d555f2a12
--- /dev/null
+++ b/library/c/tvmauth/high_lvl_client.h
@@ -0,0 +1,382 @@
+#pragma once
+// DO_NOT_STYLE
+
+#ifndef _TVM_AUTH_HIGH_LVL_CLIENT_H_
+#define _TVM_AUTH_HIGH_LVL_CLIENT_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "tvmauth.h"
+
+/*!
+ * Long lived thread-safe object for interacting with TVM.
+ * In 99% cases TvmClient shoud be created at service startup and live for the whole process lifetime.
+ */
+struct TA_TTvmClient;
+
+/*!
+ * Uses local http-interface to get state: http://localhost/tvm/.
+ * This interface can be provided with tvmtool (local daemon) or Qloud/YP (local http api in container).
+ * See more: https://wiki.yandex-team.ru/passport/tvm2/tvm-daemon/.
+ */
+struct TA_TTvmToolClientSettings;
+
+/*!
+ * Uses general way to get state: https://tvm-api.yandex.net.
+ * It is not recomended for Qloud/YP.
+ */
+struct TA_TTvmApiClientSettings;
+
+/*!
+ * Contains info about innternal state of client
+ */
+struct TA_TTvmClientStatus;
+
+enum TA_ETvmClientStatusCode {
+ TA_TCSC_OK = 0,
+ TA_TCSC_WARNING = 1,
+ TA_TCSC_ERROR = 2,
+};
+
+/*!
+ * Logging callback
+ * @param[in] lvl is syslog level: 0(Emergency) ... 7(Debug)
+ * @param[in] msg
+ */
+typedef void (*TA_TLoggerFunc)(int lvl, const char* msg);
+
+/*!
+ * Noop logger: it does nothing.
+ * Please use it only in tests.
+ */
+void TA_NoopLogger(int lvl, const char* msg);
+
+/*!
+ * Create settings struct for tvmtool client
+ * Sets default values:
+ * - hostname: "localhost"
+ * - port: 1
+ * - authToken: environment variable TVMTOOL_LOCAL_AUTHTOKEN (provided with Yandex.Deploy)
+ * or QLOUD_TVM_TOKEN (provided with Qloud)
+ * @param[in] self alias
+ * @param[in] self aliasSize
+ * @param[out] client settings
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmToolClientSettings_Create(
+ const char* alias,
+ size_t aliasSize,
+ struct TA_TTvmToolClientSettings** settings);
+
+/*!
+ * @param[in] settings
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmToolClientSettings_Delete(
+ struct TA_TTvmToolClientSettings* settings);
+
+/*!
+ * Default value: port == 1 - ok for Qloud
+ * @param[in] client settings
+ * @param[in] port
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmToolClientSettings_SetPort(
+ struct TA_TTvmToolClientSettings* settings,
+ uint16_t port);
+
+/*!
+ * Default value: hostname == "localhost"
+ * @param[in] client settings
+ * @param[in] hostname
+ * @param[in] hostnameSize
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmToolClientSettings_SetHostname(
+ struct TA_TTvmToolClientSettings* settings,
+ const char* hostname,
+ size_t hostnameSize);
+
+/*!
+ * Default value: token == environment variable TVMTOOL_LOCAL_AUTHTOKEN - ok for Yandex.Deploy
+ * or QLOUD_TVM_TOKEN - ok for Qloud
+ * @param[in] client settings
+ * @param[in] authtoken
+ * @param[in] authtokenSize
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmToolClientSettings_SetAuthToken(
+ struct TA_TTvmToolClientSettings* settings,
+ const char* authtoken,
+ size_t authtokenSize);
+
+/*!
+ * Blackbox environmet is provided by tvmtool for client.
+ * You can override it for your purpose with limitations:
+ * (env from tvmtool) -> (override)
+ * - Prod/ProdYateam -> Prod/ProdYateam
+ * - Test/TestYateam -> Test/TestYateam
+ * - Stress -> Stress
+ * You can contact tvm-dev@yandex-team.ru if limitations are too strict
+ *
+ * @param[in] client settings
+ * @param[in] env
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmToolClientSettings_OverrideBlackboxEnv(
+ struct TA_TTvmToolClientSettings* settings,
+ enum TA_EBlackboxEnv env);
+
+/*!
+ * Create settings struct for tvm client
+ * At least one of them is required:
+ * TA_TvmApiClientSettings_EnableServiceTicketChecking()
+ * TA_TvmApiClientSettings_EnableUserTicketChecking()
+ * @param[out] client settings
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmApiClientSettings_Create(
+ struct TA_TTvmApiClientSettings** settings);
+
+/*!
+ * @param[in] settings
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmApiClientSettings_Delete(
+ struct TA_TTvmApiClientSettings* settings);
+
+/*!
+ * @param[in] client settings
+ * @param[in] selfTvmId - cannot be 0
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmApiClientSettings_SetSelfTvmId(
+ struct TA_TTvmApiClientSettings* settings,
+ uint32_t selfTvmId);
+
+/*!
+ * Requieres TA_TvmApiClientSettings_SetSelfTvmId()
+ * @param[in] settings
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmApiClientSettings_EnableServiceTicketChecking(
+ struct TA_TTvmApiClientSettings* settings);
+
+/*!
+ * @param[in] settings
+ * @param[in] env
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmApiClientSettings_EnableUserTicketChecking(
+ struct TA_TTvmApiClientSettings* settings,
+ enum TA_EBlackboxEnv env);
+
+/*!
+ * Overrides result of TA_TvmApiClientSettings_EnableServiceTicketsFetchOptionsWithTvmIds()
+ * Prerequires:
+ * TA_TvmApiClientSettings_SetSelfTvmId()
+ * @param[in] settings
+ * @param[in] selfSecret
+ * @param[in] selfSecretSize
+ * @param[in] dsts - serialized map of dst-pairs: alias -> tvm_id (delimeters: ":;"). Example: "mpfs:127;blackbox:242"
+ * @param[in] dstsSize
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmApiClientSettings_EnableServiceTicketsFetchOptionsWithAliases(
+ struct TA_TTvmApiClientSettings* settings,
+ const char* selfSecret,
+ size_t selfSecretSize,
+ const char* dsts,
+ size_t dstsSize);
+
+/*!
+ * Overrides result of TA_TvmApiClientSettings_EnableServiceTicketsFetchOptionsWithAliases()
+ * Prerequires:
+ * TA_TvmApiClientSettings_SetSelfTvmId()
+ * @param[in] settings
+ * @param[in] selfSecret
+ * @param[in] selfSecretSize
+ * @param[in] dsts - serialized list of dst-tvm_id (delimeter is ";"). Example: "13;242"
+ * @param[in] dstsSize
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmApiClientSettings_EnableServiceTicketsFetchOptionsWithTvmIds(
+ struct TA_TTvmApiClientSettings* settings,
+ const char* selfSecret,
+ size_t selfSecretSize,
+ const char* dsts,
+ size_t dstsSize);
+
+/*!
+ * Set path to directory for disk cache
+ * Requires read/write permissions. Checks permissions
+ * WARNING: The same directory can be used only:
+ * - for TVM clients with the same settings
+ * OR
+ * - for new client replacing previous - with another config.
+ * System user must be the same for processes with these clients inside.
+ * Implementation doesn't provide other scenarios.
+ * @param[in] settings
+ * @param[in] path
+ * @param[in] pathSize
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmApiClientSettings_SetDiskCacheDir(
+ struct TA_TTvmApiClientSettings* settings,
+ const char* path,
+ size_t pathSize);
+
+/*!
+ * Create client for tvmtool. Starts thread for updating of cache in background
+ * @param[in] settings - please, delete by yourself
+ * @param[in] logger - may be NULL
+ * @param[out] client
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmClient_CreateForTvmtool(
+ const struct TA_TTvmToolClientSettings* settings,
+ TA_TLoggerFunc logger,
+ struct TA_TTvmClient** client);
+
+/*!
+ * Create client for tvm-api. Starts thread for updating of cache in background
+ * Reads cache from disk if specified
+ * @param[in] settings - please, delete by yourself
+ * @param[in] logger - may be NULL
+ * @param[out] client
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmClient_Create(
+ const struct TA_TTvmApiClientSettings* settings,
+ TA_TLoggerFunc logger,
+ struct TA_TTvmClient** client);
+
+/*!
+ * @param[in] client
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmClient_Delete(
+ struct TA_TTvmClient* client);
+
+/*!
+ * @param[in] client
+ * @param[in] ticket
+ * @param[in] ticketSize
+ * @param[out] serviceTicket
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmClient_CheckServiceTicket(
+ const struct TA_TTvmClient* client,
+ const char* ticket,
+ size_t ticketSize,
+ struct TA_TCheckedServiceTicket** serviceTicket);
+
+/*!
+ * @param[in] client
+ * @param[in] ticket
+ * @param[in] ticketSize
+ * @param[out] userTicket
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmClient_CheckUserTicket(
+ const struct TA_TTvmClient* client,
+ const char* ticket,
+ size_t ticketSize,
+ struct TA_TCheckedUserTicket** userTicket);
+
+/*!
+ * @param[in] client
+ * @param[in] ticket
+ * @param[in] ticketSize
+ * @param[in] env
+ * @param[out] userTicket
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmClient_CheckUserTicketWithOverridedEnv(
+ const struct TA_TTvmClient* client,
+ const char* ticket,
+ size_t ticketSize,
+ enum TA_EBlackboxEnv env,
+ struct TA_TCheckedUserTicket** userTicket);
+
+/*!
+ * Allocate at least 512 byte for ticket buffer.
+ * Prerequires:
+ * TA_TvmApiClientSettings_EnableServiceTicketsFetchOptionsWithAliases()
+ * @param[in] client
+ * @param[in] dst - must be specified in TA_TTvmClientSettings
+ * @param[in] dstSize
+ * @param[out] ticket
+ * @param[out] ticketSize
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmClient_GetServiceTicketForAlias(
+ const struct TA_TTvmClient* client,
+ const char* dst,
+ size_t dstSize,
+ size_t maxTicketSize,
+ char* ticket,
+ size_t* ticketSize);
+
+/*!
+ * Allocate at least 512 byte for ticket buffer.
+ * Prerequires:
+ * TA_TvmApiClientSettings_EnableServiceTicketsFetchOptionsWithTvmIds() OR
+ * TA_TvmApiClientSettings_EnableServiceTicketsFetchOptionsWithAliases()
+ * @param[in] client
+ * @param[in] dst - must be specified in TA_TTvmClientSettings
+ * @param[out] ticket
+ * @param[out] ticketSize
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmClient_GetServiceTicketForTvmId(
+ const struct TA_TTvmClient* client,
+ uint32_t dst,
+ size_t maxTicketSize,
+ char* ticket,
+ size_t* ticketSize);
+
+/*!
+ * @param[in] client
+ * @param[out] client status
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmClient_GetStatus(
+ const struct TA_TTvmClient* client,
+ struct TA_TTvmClientStatus** status);
+
+/*!
+ * Free memory owned by status
+ * @param[in] status
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmClient_DeleteStatus(
+ struct TA_TTvmClientStatus* status);
+
+/*!
+ * @param[in] status
+ * @param[out] code
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmClient_Status_GetCode(
+ const struct TA_TTvmClientStatus* status,
+ enum TA_ETvmClientStatusCode* code);
+
+/*!
+ * Do not free lastError
+ * @param[in] status
+ * @param[out] lastError
+ * @param[out] lastErrorSize
+ * @return Error code
+ */
+enum TA_EErrorCode TA_TvmClient_Status_GetLastError(
+ const struct TA_TTvmClientStatus* status,
+ const char** lastError,
+ size_t* lastErrorSize);
+
+#ifdef __cplusplus
+}
+#endif
+#endif
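Review bot: The `@param[in] logger - may be NULL` lines on `TA_TvmClient_CreateForTvmtool` and `TA_TvmClient_Create` contradict the implementation this commit adds in high_lvl_client.cpp, which returns `TA_EC_INVALID_PARAM` when `logger == nullptr`. I would change both to `@param[in] logger - must not be NULL`. Separately, `maxTicketSize` has no `@param` entry on `TA_TvmClient_GetServiceTicketForAlias` and `TA_TvmClient_GetServiceTicketForTvmId`. Because the implementation accepts `maxTicketSize == ticketSize` and then copies with `strcpy`, the doc should state that the buffer must hold `maxTicketSize + 1` bytes, or the size check should count the terminator.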
diff --git a/library/c/tvmauth/high_lvl_wrapper.h b/library/c/tvmauth/high_lvl_wrapper.h
new file mode 100644
index 0000000000..0ccda61a97
--- /dev/null
+++ b/library/c/tvmauth/high_lvl_wrapper.h
@@ -0,0 +1,335 @@
+#pragma once
+// DO_NOT_STYLE
+
+#ifndef _TVM_AUTH_HIGH_LVL_WRAPPER_H_
+#define _TVM_AUTH_HIGH_LVL_WRAPPER_H_
+
+#include "high_lvl_client.h"
+#include "tvmauth_wrapper.h"
+
+#include <map>
+
+namespace NTvmAuthWrapper {
+ /*!
+ * Uses local http-interface to get state: http://localhost/tvm/.
+ * This interface can be provided with tvmtool (local daemon) or Qloud/YP (local http api in container).
+ * See more: https://wiki.yandex-team.ru/passport/tvm2/tvm-daemon/.
+ */
+ class TTvmToolClientSettings {
+ public:
+ /*!
+ * Create settings struct for tvmtool client
+ * Sets default values:
+ * - hostname: "localhost"
+ * - port detected with env["DEPLOY_TVM_TOOL_URL"] (provided with Yandex.Deploy),
+ * otherwise port == 1 (it is ok for Qloud)
+ * - authToken: env["TVMTOOL_LOCAL_AUTHTOKEN"] (provided with Yandex.Deploy),
+ * otherwise env["QLOUD_TVM_TOKEN"] (provided with Qloud)
+ *
+ * AuthToken is protection from SSRF.
+ *
+ * @param selfAias - alias for your TVM client, which you specified in tvmtool or YD interface
+ */
+ TTvmToolClientSettings(const std::string& selfAlias)
+ : Ptr(nullptr, TA_TvmToolClientSettings_Delete)
+ {
+ TA_TTvmToolClientSettings* rawPtr;
+ ThrowIfFatal(TA_TvmToolClientSettings_Create(selfAlias.data(), selfAlias.size(), &rawPtr));
+ Ptr.reset(rawPtr);
+ }
+
+ /*!
+ * Look at comment for ctor
+ */
+ void SetPort(uint16_t port) {
+ ThrowIfFatal(TA_TvmToolClientSettings_SetPort(Ptr.get(), port));
+ }
+
+ /*!
+ * Default value: hostname == "localhost"
+ */
+ void SetHostname(const std::string& hostname) {
+ ThrowIfFatal(TA_TvmToolClientSettings_SetHostname(Ptr.get(), hostname.data(), hostname.size()));
+ }
+
+ /*!
+ * Look at comment for ctor
+ */
+ void SetAuthtoken(const std::string& authtoken) {
+ ThrowIfFatal(TA_TvmToolClientSettings_SetAuthToken(Ptr.get(), authtoken.data(), authtoken.size()));
+ }
+
+ /*!
+ * Blackbox environmet is provided by tvmtool for client.
+ * You can override it for your purpose with limitations:
+ * (env from tvmtool) -> (override)
+ * - Prod/ProdYateam -> Prod/ProdYateam
+ * - Test/TestYateam -> Test/TestYateam
+ * - Stress -> Stress
+ *
+ * You can contact tvm-dev@yandex-team.ru if limitations are too strict
+ * @param[in] env
+ */
+ void OverrideBlackboxEnv(TA_EBlackboxEnv env) {
+ ThrowIfFatal(TA_TvmToolClientSettings_OverrideBlackboxEnv(Ptr.get(), env));
+ }
+
+ private:
+ friend class TTvmClient;
+ std::unique_ptr<TA_TTvmToolClientSettings, decltype(&TA_TvmToolClientSettings_Delete)> Ptr;
+ };
+
+ /*!
+ * Uses general way to get state: https://tvm-api.yandex.net.
+ * It is not recomended for Qloud/YP.
+ */
+ class TTvmApiClientSettings {
+ public:
+ /**
+ * Settings for TVM client
+ * At least one of them is required: EnableServiceTicketChecking(), EnableUserTicketChecking()
+ */
+ TTvmApiClientSettings()
+ : Ptr(nullptr, TA_TvmApiClientSettings_Delete)
+ {
+ TA_TTvmApiClientSettings* rawPtr;
+ ThrowIfFatal(TA_TvmApiClientSettings_Create(&rawPtr));
+ Ptr.reset(rawPtr);
+ }
+
+ void SetSelfTvmId(TTvmId selfTvmId) {
+ if (selfTvmId == 0) {
+ throw std::runtime_error("selfTvmId cannot be 0");
+ }
+ ThrowIfFatal(TA_TvmApiClientSettings_SetSelfTvmId(Ptr.get(), selfTvmId));
+ }
+
+ /*!
+ * Prerequieres SetSelfTvmId()
+ */
+ void EnableServiceTicketChecking() {
+ ThrowIfFatal(TA_TvmApiClientSettings_EnableServiceTicketChecking(Ptr.get()));
+ }
+
+ void EnableUserTicketChecking(TA_EBlackboxEnv env) {
+ ThrowIfFatal(TA_TvmApiClientSettings_EnableUserTicketChecking(Ptr.get(), env));
+ }
+
+ class TDst {
+ public:
+ TDst(TTvmId id)
+ : Id_(id)
+ {
+ if (id == 0) {
+ throw std::runtime_error("TvmId cannot be 0");
+ }
+ }
+
+ const TTvmId Id_;
+ };
+ using TAlias = std::string;
+ using TDstMap = std::map<TAlias, TDst>;
+ using TDstVector = std::vector<TDst>;
+
+ /**
+ * Alias is internal name of destination in your code. It allowes not to bring destination's
+ * tvm_id to each calling point. Useful for several environments: prod/test/etc.
+ * Overrides result of any other call of EnableServiceTicketsFetchOptions()
+ * @example:
+ * // init
+ * static const TString MY_BACKEND = "my backend";
+ * TDstMap map = {{MY_BACKEND, TDst(config.get("my_back_tvm_id"))}};
+ * ...
+ * // per request
+ * TString t = tvmClient.GetServiceTicket(MY_BACKEND);
+ */
+ void EnableServiceTicketsFetchOptions(const std::string& selfSecret,
+ const TDstMap& dsts) {
+ std::string d;
+ for (const auto& p : dsts) {
+ d.append(p.first).push_back(':');
+ d.append(std::to_string(p.second.Id_)).push_back(';');
+ }
+
+ ThrowIfFatal(TA_TvmApiClientSettings_EnableServiceTicketsFetchOptionsWithAliases(
+ Ptr.get(),
+ selfSecret.data(),
+ selfSecret.size(),
+ d.data(),
+ d.size()));
+ }
+
+ void EnableServiceTicketsFetchOptions(const std::string& selfSecret,
+ const TDstVector& dsts) {
+ std::string d;
+ for (const TDst& dst : dsts) {
+ d.append(std::to_string(dst.Id_)).push_back(';');
+ }
+
+ ThrowIfFatal(TA_TvmApiClientSettings_EnableServiceTicketsFetchOptionsWithTvmIds(
+ Ptr.get(),
+ selfSecret.data(),
+ selfSecret.size(),
+ d.data(),
+ d.size()));
+ }
+
+ /*!
+ * Set path to directory for disk cache
+ * Requires read/write permissions. Checks permissions
+ * WARNING: The same directory can be used only:
+ * - for TVM clients with the same settings
+ * OR
+ * - for new client replacing previous - with another config.
+ * System user must be the same for processes with these clients inside.
+ * Implementation doesn't provide other scenarios.
+ * @param[in] dir
+ */
+ void SetDiskCacheDir(const std::string& dir) {
+ ThrowIfFatal(TA_TvmApiClientSettings_SetDiskCacheDir(Ptr.get(), dir.data(), dir.size()));
+ }
+
+ private:
+ friend class TTvmClient;
+ std::unique_ptr<TA_TTvmApiClientSettings, decltype(&TA_TvmApiClientSettings_Delete)> Ptr;
+ };
+
+ struct TClientStatus {
+ TA_ETvmClientStatusCode Code = TA_TCSC_OK;
+ std::string LastError;
+ };
+
+ /**
+ * In 99% cases TvmClient shoud be created at service startup and live for the whole process lifetime.
+ * @brief Long lived thread-safe object for interacting with TVM.
+ */
+ class TTvmClient {
+ public:
+ /*!
+ * Create client for tvmtool. Starts thread for updating of cache in background
+ * @param[in] settings
+ * @param[in] logger is usefull for monitoring and debuging
+ */
+ TTvmClient(const TTvmToolClientSettings& settings, TA_TLoggerFunc logger)
+ : Ptr(nullptr, TA_TvmClient_Delete) {
+ TA_TTvmClient* rawPtr;
+ ThrowIfFatal(TA_TvmClient_CreateForTvmtool(settings.Ptr.get(), logger, &rawPtr));
+ Ptr.reset(rawPtr);
+ }
+
+ /*!
+ * Starts thread for updating of in-memory cache in background
+ * Reads cache from disk if specified
+ * @param[in] settings
+ * @param[in] logger is usefull for monitoring and debuging
+ */
+ TTvmClient(const TTvmApiClientSettings& settings, TA_TLoggerFunc logger)
+ : Ptr(nullptr, TA_TvmClient_Delete) {
+ TA_TTvmClient* rawPtr;
+ ThrowIfFatal(TA_TvmClient_Create(settings.Ptr.get(), logger, &rawPtr));
+ Ptr.reset(rawPtr);
+ }
+
+ TTvmClient(TTvmClient&&) = default;
+ TTvmClient& operator=(TTvmClient&&) = default;
+
+ TClientStatus GetStatus() const {
+ TA_TTvmClientStatus* s = nullptr;
+ ThrowIfFatal(TA_TvmClient_GetStatus(Ptr.get(), &s));
+
+ std::unique_ptr<TA_TTvmClientStatus, decltype(&TA_TvmClient_DeleteStatus)> ptr(
+ s, TA_TvmClient_DeleteStatus);
+
+ TClientStatus res;
+ ThrowIfFatal(TA_TvmClient_Status_GetCode(ptr.get(), &res.Code));
+
+ const char* msg = nullptr;
+ size_t size = 0;
+ ThrowIfFatal(TA_TvmClient_Status_GetLastError(ptr.get(), &msg, &size));
+ res.LastError = std::string(msg, size);
+
+ return res;
+ }
+
+ /*!
+ * Chekcing must be enabled in TClientSettings
+ * Can throw exception if cache is out of date or wrong config
+ * @param[in] ticket
+ */
+ TCheckedServiceTicket CheckServiceTicket(const std::string& ticket) const {
+ TA_TCheckedServiceTicket* ticketPtr = nullptr;
+ TA_EErrorCode resultCode = TA_TvmClient_CheckServiceTicket(Ptr.get(), ticket.data(), ticket.size(), &ticketPtr);
+ TCheckedServiceTicket t(ticketPtr, resultCode);
+ ThrowIfFatal(resultCode);
+ return t;
+ }
+
+ /*!
+ * Blackbox enviroment must be cofingured in TClientSettings
+ * Can throw exception if cache is out of date or wrong config
+ * @param[in] ticket
+ */
+ TCheckedUserTicket CheckUserTicket(const std::string& ticket) const {
+ TA_TCheckedUserTicket* ticketPtr = nullptr;
+ TA_EErrorCode resultCode = TA_TvmClient_CheckUserTicket(Ptr.get(), ticket.data(), ticket.size(), &ticketPtr);
+ TCheckedUserTicket t(ticketPtr, resultCode);
+ ThrowIfFatal(resultCode);
+ return t;
+ }
+
+ /*!
+ * Blackbox enviroment must be cofingured in TClientSettings
+ * Can throw exception if cache is out of date or wrong config
+ * @param[in] ticket
+ * @param[in] env - allowes to overwrite env from settings
+ */
+ TCheckedUserTicket CheckUserTicket(const std::string& ticket, TA_EBlackboxEnv env) const {
+ TA_TCheckedUserTicket* ticketPtr = nullptr;
+ TA_EErrorCode resultCode = TA_TvmClient_CheckUserTicketWithOverridedEnv(Ptr.get(), ticket.data(), ticket.size(), env, &ticketPtr);
+ TCheckedUserTicket t(ticketPtr, resultCode);
+ ThrowIfFatal(resultCode);
+ return t;
+ }
+
+ /*!
+ * Requires fetchinig options (from TClientSettings or Qloud/YP/tvmtool settings)
+ * Can throw exception if cache is invalid or wrong config
+ * @param[in] dst
+ */
+ std::string GetServiceTicketFor(const TTvmApiClientSettings::TAlias& dst) {
+ char buffer[512];
+ size_t realSize = 0;
+ TA_EErrorCode code = TA_TvmClient_GetServiceTicketForAlias(Ptr.get(), dst.data(), dst.size(), sizeof(buffer), buffer, &realSize);
+ if (code == TA_EC_SMALL_BUFFER) {
+ std::string res(realSize, 0);
+ ThrowIfFatal(TA_TvmClient_GetServiceTicketForAlias(Ptr.get(), dst.data(), dst.size(), realSize, (char*)res.data(), &realSize));
+ return res;
+ }
+ ThrowIfFatal(code);
+ return std::string(buffer, realSize);
+ }
+
+ /*!
+ * Requires fetchinig options (from TClientSettings or Qloud/YP/tvmtool settings)
+ * Can throw exception if cache is invalid or wrong config
+ * @param[in] dst
+ */
+ std::string GetServiceTicketFor(TTvmId dst) {
+ char buffer[512];
+ size_t realSize = 0;
+ TA_EErrorCode code = TA_TvmClient_GetServiceTicketForTvmId(Ptr.get(), dst, sizeof(buffer), buffer, &realSize);
+ if (code == TA_EC_SMALL_BUFFER) {
+ std::string res(realSize, 0);
+ ThrowIfFatal(TA_TvmClient_GetServiceTicketForTvmId(Ptr.get(), dst, realSize, (char*)res.data(), &realSize));
+ return res;
+ }
+ ThrowIfFatal(code);
+ return std::string(buffer, realSize);
+ }
+
+ private:
+ std::unique_ptr<TA_TTvmClient, decltype(&TA_TvmClient_Delete)> Ptr;
+ };
+}
+
+#endif
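Review bot: Both `GetServiceTicketFor` overloads pass `sizeof(buffer)` as `maxTicketSize` for `char buffer[512]`, which lets a ticket of exactly 512 bytes write its terminator one byte past the stack array. The C functions in high_lvl_client.cpp of this commit return `TA_EC_SMALL_BUFFER` only when `maxTicketSize < t.size()` and then call `strcpy`, which writes `t.size() + 1` bytes. Passing `sizeof(buffer) - 1` in both first calls closes that case. The retry path keeps working, because the terminator then lands at `res.data()[realSize]`, the string's own terminator slot. A sturdier fix is for the C side to copy `t.size()` bytes with `memcpy` and rely on `*ticketSize`, which this wrapper already uses to build the result.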
diff --git a/library/c/tvmauth/so/tvmauth.exports b/library/c/tvmauth/so/tvmauth.exports
new file mode 100644
index 0000000000..df9296cc0c
--- /dev/null
+++ b/library/c/tvmauth/so/tvmauth.exports
@@ -0,0 +1,55 @@
+C TA_BlackboxTvmIdMimino
+C TA_BlackboxTvmIdProd
+C TA_BlackboxTvmIdProdYateam
+C TA_BlackboxTvmIdStress
+C TA_BlackboxTvmIdTest
+C TA_BlackboxTvmIdTestYateam
+C TA_CheckServiceTicket
+C TA_CheckUserTicket
+C TA_CreateServiceContext
+C TA_CreateUserContext
+C TA_DeleteServiceContext
+C TA_DeleteServiceTicket
+C TA_DeleteUserContext
+C TA_DeleteUserTicket
+C TA_ErrorCodeToString
+C TA_GetServiceTicketDebugInfo
+C TA_GetServiceTicketIssuerUid
+C TA_GetServiceTicketSrc
+C TA_GetUserTicketDebugInfo
+C TA_GetUserTicketDefaultUid
+C TA_GetUserTicketScope
+C TA_GetUserTicketScopesCount
+C TA_GetUserTicketUid
+C TA_GetUserTicketUidsCount
+C TA_HasUserTicketScope
+C TA_LibVersion
+C TA_NoopLogger
+C TA_RemoveTicketSignature
+C TA_SignCgiParamsForTvm
+C TA_TvmApiClientSettings_Create
+C TA_TvmApiClientSettings_Delete
+C TA_TvmApiClientSettings_EnableServiceTicketChecking
+C TA_TvmApiClientSettings_EnableServiceTicketsFetchOptionsWithAliases
+C TA_TvmApiClientSettings_EnableServiceTicketsFetchOptionsWithTvmIds
+C TA_TvmApiClientSettings_EnableUserTicketChecking
+C TA_TvmApiClientSettings_SetDiskCacheDir
+C TA_TvmApiClientSettings_SetSelfTvmId
+C TA_TvmClient_CheckServiceTicket
+C TA_TvmClient_CheckUserTicket
+C TA_TvmClient_CheckUserTicketWithOverridedEnv
+C TA_TvmClient_Create
+C TA_TvmClient_CreateForTvmtool
+C TA_TvmClient_Delete
+C TA_TvmClient_DeleteStatus
+C TA_TvmClient_GetServiceTicketForAlias
+C TA_TvmClient_GetServiceTicketForTvmId
+C TA_TvmClient_GetStatus
+C TA_TvmClient_Status_GetCode
+C TA_TvmClient_Status_GetLastError
+C TA_TvmToolClientSettings_Create
+C TA_TvmToolClientSettings_Delete
+C TA_TvmToolClientSettings_OverrideBlackboxEnv
+C TA_TvmToolClientSettings_SetAuthToken
+C TA_TvmToolClientSettings_SetHostname
+C TA_TvmToolClientSettings_SetPort
diff --git a/library/c/tvmauth/src/c_validation.c b/library/c/tvmauth/src/c_validation.c
new file mode 100644
index 0000000000..44836643d0
--- /dev/null
+++ b/library/c/tvmauth/src/c_validation.c
@@ -0,0 +1,7 @@
+#include <library/c/tvmauth/deprecated.h>
+#include <library/c/tvmauth/high_lvl_client.h>
+#include <library/c/tvmauth/tvmauth.h>
+
+/*
+ * We need this file only to validate header for C compiler
+ */
diff --git a/library/c/tvmauth/src/exception.h b/library/c/tvmauth/src/exception.h
new file mode 100644
index 0000000000..ecda6b3e38
--- /dev/null
+++ b/library/c/tvmauth/src/exception.h
@@ -0,0 +1,42 @@
+#pragma once
+
+#include <library/c/tvmauth/tvmauth.h>
+
+#include <library/cpp/tvmauth/exception.h>
+#include <library/cpp/tvmauth/client/exception.h>
+
+#include <util/generic/yexception.h>
+
+#include <exception>
+#include <string>
+
+namespace NTvmAuthC {
+ template <class T>
+ TA_EErrorCode CatchExceptions(T lambda) {
+ using namespace NTvmAuth;
+
+ try {
+ return lambda();
+ } catch (const TEmptyTvmKeysException&) {
+ return TA_EC_EMPTY_TVM_KEYS;
+ } catch (const TMalformedTvmKeysException&) {
+ return TA_EC_MALFORMED_TVM_KEYS;
+ } catch (const TMalformedTvmSecretException&) {
+ return TA_EC_MALFORMED_TVM_SECRET;
+ } catch (const TNotAllowedException&) {
+ return TA_EC_NOT_ALLOWED;
+ } catch (const TBrokenTvmClientSettings&) {
+ return TA_EC_BROKEN_TVM_CLIENT_SETTINGS;
+ } catch (const TPermissionDenied&) {
+ return TA_EC_PERMISSION_DENIED_TO_CACHE_DIR;
+ } catch (const TMissingServiceTicket&) {
+ return TA_EC_UNEXPECTED_ERROR;
+ } catch (const TNonRetriableException&) {
+ return TA_EC_FAILED_TO_START_TVM_CLIENT;
+ } catch (const TRetriableException&) {
+ return TA_EC_FAILED_TO_START_TVM_CLIENT;
+ } catch (...) {
+ return TA_EC_UNEXPECTED_ERROR;
+ }
+ }
+}
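Review bot: `TRetriableException` and `TNonRetriableException` both collapse to `TA_EC_FAILED_TO_START_TVM_CLIENT`, and `catch (...)` maps everything else to `TA_EC_UNEXPECTED_ERROR`, so the exception text is lost and a C caller cannot tell a transient failure from a permanent one. This helper also wraps per-request calls in high_lvl_client.cpp, such as the ticket check and fetch functions, where a "failed to start" code would be misleading if those exceptions can surface there; I cannot confirm that from this hunk. The clause order presumably depends on an exception hierarchy declared in the included headers, so a comment like `// Order matters: most-derived exception types must be caught first` above the `try` would protect it from reordering.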
diff --git a/library/c/tvmauth/src/logger.h b/library/c/tvmauth/src/logger.h
new file mode 100644
index 0000000000..d33333abaf
--- /dev/null
+++ b/library/c/tvmauth/src/logger.h
@@ -0,0 +1,25 @@
+#pragma once
+
+#include <library/c/tvmauth/high_lvl_client.h>
+
+#include <library/cpp/tvmauth/client/logger.h>
+
+#include <util/generic/string.h>
+
+namespace NTvmAuthC {
+ class TLoggerC: public NTvmAuth::ILogger {
+ public:
+ TLoggerC(TA_TLoggerFunc f)
+ : F_(f)
+ {
+ }
+
+ private:
+ void Log(int lvl, const TString& msg) override {
+ F_(lvl, msg.c_str());
+ }
+
+ private:
+ TA_TLoggerFunc F_;
+ };
+}
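Review bot: `TLoggerC(TA_TLoggerFunc f)` is an implicit converting constructor, and `Log` calls `F_` with no null check, so the class relies on every caller validating the pointer first. The two Create functions in this commit do that, but nothing in this header says so. I would write `explicit TLoggerC(TA_TLoggerFunc f)` and add a class comment such as `// f must be non-null; it is invoked for every log line`. The client header says a background update thread is started, so if `Log` can be called from that thread the callback must be thread-safe, which is worth documenting on `TA_TLoggerFunc` once confirmed.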
diff --git a/library/c/tvmauth/src/ut/c_interface_ut.cpp b/library/c/tvmauth/src/ut/c_interface_ut.cpp
new file mode 100644
index 0000000000..0e77072ac8
--- /dev/null
+++ b/library/c/tvmauth/src/ut/c_interface_ut.cpp
@@ -0,0 +1,408 @@
+// DO_NOT_STYLE
+#include <library/c/tvmauth/deprecated.h>
+#include <library/c/tvmauth/tvmauth.h>
+
+#include <library/cpp/testing/unittest/registar.h>
+#include <library/cpp/tvmauth/unittest.h>
+
+#include <chrono>
+#include <string>
+
+using namespace NTvmAuth;
+
+Y_UNIT_TEST_SUITE(CInterfaceServiceTestSuite) {
+ static const TString EMPTY_TVM_KEYS = "1:CpgCCpMCCAEQABqIAjCCAQQCggEAcLEXeH67FQESFUn4_7wnX7wN0PUrBoUsm3QQ4W5vC-qz6sXaEjSwnTV8w1o-z6X9KPLlhzMQvuS38NCNfK4uvJ4Zvfp3YsXJ25-rYtbnrYJHNvHohD-kPCCw_yZpMp21JdWigzQGuV7CtrxUhF-NNrsnUaJrE5-OpEWNt4X6nCItKIYeVcSK6XJUbEWbrNCRbvkSc4ak2ymFeMuHYJVjxh4eQbk7_ZPzodP0WvF6eUYrYeb42imVEOR8ofVLQWE5DVnb1z_TqZm4i1XkS7jMwZuBxBRw8DGdYei0lT_sAf7KST2jC0590NySB3vsBgWEVs1OdUUWA6r-Dvx9dsOQtSCVkQYQAAqZAgqUAggCEAAaiQIwggEFAoIBAQDhEBM5-6YsPWfogKtbluJoCX1WV2KdzOaQ0-OlRbBzeCzw-eQKu12c8WakHBbeCMd1I1TU64SDkDorWjXGIa_2xT6N3zzNAE50roTbPCcmeQrps26woTYfYIuqDdoxYKZNr0lvNLLW47vBr7EKqo1S4KSj7aXK_XYeEvUgIgf3nVIcNrio7VTnFmGGVQCepaL1Hi1gN4yIXjVZ06PBPZ-DxSRu6xOGbFrfKMJeMPs7KOyE-26Q3xOXdTIa1X-zYIucTd_bxUCL4BVbwW2AvbbFsaG7ISmVdGu0XUTmhXs1KrEfUVLRJhE4Dx99hAZXm1_HlYMUeJcMQ_oHOhV94ENFIJaRBhACCpYBCpEBCAMQABqGATCBgwKBgF9t2YJGAJkRRFq6fWhi3m1TFW1UOE0f6ZrfYhHAkpqGlKlh0QVfeTNPpeJhi75xXzCe6oReRUm-0DbqDNhTShC7uGUv1INYnRBQWH6E-5Fc5XrbDFSuGQw2EYjNfHy_HefHJXxQKAqPvxBDKMKkHgV58WtM6rC8jRi9sdX_ig2NIJeRBhABCpYBCpEBCAQQABqGATCBgwKBgGB4d6eLGUBv-Q6EPLehC4S-yuE2HB-_rJ7WkeYwyp-xIPolPrd-PQme2utHB4ZgpXHIu_OFksDe_0bPgZniNRSVRbl7W49DgS5Ya3kMfrYB4DnF5Fta5tn1oV6EwxYD4JONpFTenOJALPGTPawxXEfon_peiHOSBuQMu3_Vn-l1IJiRBhADCpcBCpIBCAUQABqHATCBhAKBgQCTJMKIfmfeZpaI7Q9rnsc29gdWawK7TnpVKRHws1iY7EUlYROeVcMdAwEqVM6f8BVCKLGgzQ7Gar_uuxfUGKwqEQzoppDraw4F75J464-7D5f6_oJQuGIBHZxqbMONtLjBCXRUhQW5szBLmTQ_R3qaJb5vf-h0APZfkYhq1cTttSCZkQYQBAqWAQqRAQgLEAAahgEwgYMCgYBvvGVH_M2H8qxxv94yaDYUTWbRnJ1uiIYc59KIQlfFimMPhSS7x2tqUa2-hI55JiII0Xym6GNkwLhyc1xtWChpVuIdSnbvttbrt4weDMLHqTwNOF6qAsVKGKT1Yh8yf-qb-DSmicgvFc74mBQm_6gAY1iQsf33YX8578ClhKBWHSCVkQYQAAqXAQqSAQgMEAAahwEwgYQCgYEAkuzFcd5TJu7lYWYe2hQLFfUWIIj91BvQQLa_Thln4YtGCO8gG1KJqJm-YlmJOWQG0B7H_5RVhxUxV9KpmFnsDVkzUFKOsCBaYGXc12xPVioawUlAwp5qp3QQtZyx_se97YIoLzuLr46UkLcLnkIrp-Jo46QzYi_QHq45WTm8MQ0glpEGEAIKlwEKkgEIDRAAGocBMIGEAoGBAIUzbxOknXf_rNt17_ir8JlWvrtnCWsQd1MAnl5mgArvavDtKeBYHzi5_Ak7DHlLzuA6YE8W175FxLFKpN2hkz-l-M7ltUSd8N1BvJRhK4t6WffWfC_1wPyoAbeSN2Yb1jygtZJQ8wGoXHcJQUXiMit3e
FNyylwsJFj1gzAR4JCdIJeRBhABCpYBCpEBCA4QABqGATCBgwKBgFMcbEpl9ukVR6AO_R6sMyiU11I8b8MBSUCEC15iKsrVO8v_m47_TRRjWPYtQ9eZ7o1ocNJHaGUU7qqInFqtFaVnIceP6NmCsXhjs3MLrWPS8IRAy4Zf4FKmGOx3N9O2vemjUygZ9vUiSkULdVrecinRaT8JQ5RG4bUMY04XGIwFIJiRBhADCpYBCpEBCA8QABqGATCBgwKBgGpCkW-NR3li8GlRvqpq2YZGSIgm_PTyDI2Zwfw69grsBmPpVFW48Vw7xoMN35zcrojEpialB_uQzlpLYOvsMl634CRIuj-n1QE3-gaZTTTE8mg-AR4mcxnTKThPnRQpbuOlYAnriwiasWiQEMbGjq_HmWioYYxFo9USlklQn4-9IJmRBhAE";
+ static const TString EXPIRED_SERVICE_TICKET = "3:serv:CBAQACIZCOUBEBwaCGJiOnNlc3MxGghiYjpzZXNzMg:IwfMNJYEqStY_SixwqJnyHOMCPR7-3HHk4uylB2oVRkthtezq-OOA7QizDvx7VABLs_iTlXuD1r5IjufNei_EiV145eaa3HIg4xCdJXCojMexf2UYJz8mF2b0YzFAy6_KWagU7xo13CyKAqzJuQf5MJcSUf0ecY9hVh36cJ51aw";
+ static const TString MALFORMED_TVM_KEYS = "1:CpgCCpMCCAEQABqIAjCCAQQCggEAcLEXeH67FQESFUn4_7wnX7wN0PUrBoUsm3QQ4W5vC-qz6sXaEjSwnTV8w1o-z6X9KPLlhzMQvuS38NCNfK4uvJ4Zvfp3YsXJ25-rYtbnrYJHNvHohD-kPCCw_yZpMp21JdWigzQGuV7CtrxUhF-NNrsnUaJrE5-OpEWNt4X6nCItKIYeVcSK6XJUbEWbrNCRbvkSc4ak2ymFeMuHYJVjxh4eQbk7_ZPzodP0WvF6eUYrYeb42imVEOR8ofVLQWE5DVnb1z_TqZm4i1XkS7jMwZuBxBRw8DGdYei0lT_sAf7KST2jC0590NySB3vsBgWEVs1OdUUWA6r-Dvx9dsOQtSCVkQYQAAqZAgqUAggCEAAaiQIwggEFAoIBAQDhEBM5-6YsPWfogKtbluJoCX1WV2KdzOaQ0-OlRbBzeCzw-eQKu12c8WakHBbeCMd1I1TU64SDkDorWjXGIa_2xT6N3zzNAE50roTbPCcmeQrps26woTYfYIuqDdoxYKZNr0lvNLLW47vBr7EKqo1S4KSj7aXK_XYeEvUgIgf3nVIcNrio7VTnFmGGVQCepaL1Hi1gN4yIXjVZ06PBPZ-DxSRu6xOGbFrfKMJeMPs7KOyE-26Q3xOXdTIa1X-zYIucTd_bxUCL4BVbwW2AvbbFsaG7ISmVdGu0XUTmhXs1KrEfUVLRJhE4Dx99hAZXm1_HlYMUeJcMQ_oHOhV94ENFIJaRBhACCpYBCpEBCAMQABqGATCBgwKBgF9t2YJGAJkRRFq6fWhi3m1TFW1UOE0f6ZrfYhHAkpqGlKlh0QVfeTNPpeJhi75xXzCe6oReRUm-0DbqDNhTShC7uGUv1INYnRBQWH6E-5Fc5XrbDFSuGQw2EYjNfHy_HefHJXxQKAqPvxBDKMKkHgV58WtM6rC8jRi9sdX_ig2NIJeRBhABCpYBCpEBCAQQABqGATCBgwKBgGB4d6eLGUBv-Q6EPLehC4S-yuE2HB-_rJ7WkeYwyp-xIPolPrd-PQme2utHB4ZgpXHIu_OFksDe_0bPgZniNRSVRbl7W49DgS5Ya3kMfrYB4DnF5Fta5tn1oV6EwxYD4JONpFTenOJALPGTPawxXEfon_peiHOSBuQMu3_Vn-l1IJiRBhADCpcBCpIBCAUQABqHATCBhAKBgQCTJMKIfmfeZpaI7Q9rnsc29gdWawK7TnpVKRHws1iY7EUlYROeVcMdAwEqVM6f8BVCKLGgzQ7Gar_uuxfUGKwqEQzoppDraw4F75J464-7D5f6_oJQuGIBHZxqbMONtLjBCXRUhQW5szBLmTQ_R3qaJb5vf-h0APZfkYhq1cTttSCZkQYQBAqWAQqRAQgLEAAahgEwgYMCgYBvvGVH_M2H8qxxv94yaDYUTWbRnJ1uiIYc59KIQlfFimMPhSS7x2tqUa2-hI55JiII0Xym6GNkwLhyc1xtWChpVuIdSnbvttbrt4weDMLHqTwNOF6qAsVKGKT1Yh8yf-qb-DSmicgvFc74mBQm_6gAY1iQsf33YX8578ClhKBWHSCVkQYQAAqXAQqSAQgMEAAahwEwgYQCgYEAkuzFcd5TJu7lYWYe2hQLFfUWIIj91BvQQLa_Thln4YtGCO8gG1KJqJm-YlmJOWQG0B7H_5RVhxUxV9KpmFnsDVkzUFKOsCBaYGXc12xPVioawUlAwp5qp3QQtZyx_se97YIoLzuLr46UkLcLnkIrp-Jo46QzYi_QHq45WTm8MQ0glpEGEAIKlwEKkgEIDRAAGocBMIGEAoGBAIUzbxOknXf_rNt17_ir8JlWvrtnCWsQd1MAnl5mgArvavDtKeBYHzi5_Ak7DHlLzuA6YE8W175FxLFKpN2hkz-l-M7ltUSd8N1BvJRhK4t6WffWfC_1wPyoAbeSN2Yb1jygtZJQ8wGoXHcJQUXiM
it3eFNyylwsJFj1gzAR4JCdIJeRBhABCpYBCpEBCA4QABqGATCBgwKBgFMcbEpl9ukVR6AO_R6sMyiU11I8b8MBSUCEC15iKsrVO8v_m47_TRRjWPYtQ9eZ7o1ocNJHaGUU7qqInFqtFaVnIceP6NmCsXhjs3MLrWPS8IRAy4Zf4FKmGOx3N9O2vemjUygZ9vUiSkULdVrecinRaT8JQ5RG4bUMY04XGIwFIJiRBhADCpYBCpEBCA8QABqGATCBgwKBgGpCkW-NR3li8GlRvqpq2YZGSIgm_PTyDI2Zwfw69grsBmPpVFW48Vw7xoMN35zcrojEpialB_uQzlpLYOvsMl634CRIuj-n1QE3-gaZTTTE8mg-AR4mcxnTKThPnRQpbuOlYAnriwiasWiQEMbGjq_HmWioYYxFo9USlklQn4-9IJmRBhAEEpUBCpIBCAYQABqHATCBhAKBgQCoZkFGm9oLTqjeXZAq6j5S6i7K20V0lNdBBLqfmFBIRuTkYxhs4vUYnWjZrKRAd5bp6_py0csmFmpl_5Yh0b-2pdo_E5PNP7LGRzKyKSiFddyykKKzVOazH8YYldDAfE8Z5HoS9e48an5JsPg0jr-TPu34DnJq3yv2a6dqiKL9zSCakQYSlQEKkgEIEBAAGocBMIGEAoGBALhrihbf3EpjDQS2sCQHazoFgN0nBbE9eesnnFTfzQELXb2gnJU9enmV_aDqaHKjgtLIPpCgn40lHrn5k6mvH5OdedyI6cCzE-N-GFp3nAq0NDJyMe0fhtIRD__CbT0ulcvkeow65ubXWfw6dBC2gR_34rdMe_L_TGRLMWjDULbNIJ";
+ static const TString MALFORMED_TVM_SECRET = "adcvxcv./-+";
+ static const TTvmId OUR_ID = 28;
+ static const TString SECRET = "GRMJrKnj4fOVnvOqe-WyD1";
+ static const TString SERVICE_TICKET_PROTOBUF = "CBAQ__________9_IhkI5QEQHBoIYmI6c2VzczEaCGJiOnNlc3My";
+ static const TTvmId SRC_ID = 229;
+ static const TString UNSUPPORTED_VERSION_SERVICE_TICKET = "2:serv:CBAQ__________9_IhkI5QEQHBoIYmI6c2VzczEaCGJiOnNlc3My:WUPx1cTf05fjD1exB35T5j2DCHWH1YaLJon_a4rN-D7JfXHK1Ai4wM4uSfboHD9xmGQH7extqtlEk1tCTCGm5qbRVloJwWzCZBXo3zKX6i1oBYP_89WcjCNPVe1e8jwGdLsnu6PpxL5cn0xCksiStILH5UmDR6xfkJdnmMG94o8";
+ static const TString VALID_SERVICE_TICKET_1 = "3:serv:CBAQ__________9_IhkI5QEQHBoIYmI6c2VzczEaCGJiOnNlc3My:WUPx1cTf05fjD1exB35T5j2DCHWH1YaLJon_a4rN-D7JfXHK1Ai4wM4uSfboHD9xmGQH7extqtlEk1tCTCGm5qbRVloJwWzCZBXo3zKX6i1oBYP_89WcjCNPVe1e8jwGdLsnu6PpxL5cn0xCksiStILH5UmDR6xfkJdnmMG94o8";
+ static const TString VALID_SERVICE_TICKET_2 = "3:serv:CBAQ__________9_IskICOUBEBwaCGJiOnNlc3MxGgliYjpzZXNzMTAaCmJiOnNlc3MxMDAaCWJiOnNlc3MxMRoJYmI6c2VzczEyGgliYjpzZXNzMTMaCWJiOnNlc3MxNBoJYmI6c2VzczE1GgliYjpzZXNzMTYaCWJiOnNlc3MxNxoJYmI6c2VzczE4GgliYjpzZXNzMTkaCGJiOnNlc3MyGgliYjpzZXNzMjAaCWJiOnNlc3MyMRoJYmI6c2VzczIyGgliYjpzZXNzMjMaCWJiOnNlc3MyNBoJYmI6c2VzczI1GgliYjpzZXNzMjYaCWJiOnNlc3MyNxoJYmI6c2VzczI4GgliYjpzZXNzMjkaCGJiOnNlc3MzGgliYjpzZXNzMzAaCWJiOnNlc3MzMRoJYmI6c2VzczMyGgliYjpzZXNzMzMaCWJiOnNlc3MzNBoJYmI6c2VzczM1GgliYjpzZXNzMzYaCWJiOnNlc3MzNxoJYmI6c2VzczM4GgliYjpzZXNzMzkaCGJiOnNlc3M0GgliYjpzZXNzNDAaCWJiOnNlc3M0MRoJYmI6c2VzczQyGgliYjpzZXNzNDMaCWJiOnNlc3M0NBoJYmI6c2VzczQ1GgliYjpzZXNzNDYaCWJiOnNlc3M0NxoJYmI6c2VzczQ4GgliYjpzZXNzNDkaCGJiOnNlc3M1GgliYjpzZXNzNTAaCWJiOnNlc3M1MRoJYmI6c2VzczUyGgliYjpzZXNzNTMaCWJiOnNlc3M1NBoJYmI6c2VzczU1GgliYjpzZXNzNTYaCWJiOnNlc3M1NxoJYmI6c2VzczU4GgliYjpzZXNzNTkaCGJiOnNlc3M2GgliYjpzZXNzNjAaCWJiOnNlc3M2MRoJYmI6c2VzczYyGgliYjpzZXNzNjMaCWJiOnNlc3M2NBoJYmI6c2VzczY1GgliYjpzZXNzNjYaCWJiOnNlc3M2NxoJYmI6c2VzczY4GgliYjpzZXNzNjkaCGJiOnNlc3M3GgliYjpzZXNzNzAaCWJiOnNlc3M3MRoJYmI6c2VzczcyGgliYjpzZXNzNzMaCWJiOnNlc3M3NBoJYmI6c2Vzczc1GgliYjpzZXNzNzYaCWJiOnNlc3M3NxoJYmI6c2Vzczc4GgliYjpzZXNzNzkaCGJiOnNlc3M4GgliYjpzZXNzODAaCWJiOnNlc3M4MRoJYmI6c2VzczgyGgliYjpzZXNzODMaCWJiOnNlc3M4NBoJYmI6c2Vzczg1GgliYjpzZXNzODYaCWJiOnNlc3M4NxoJYmI6c2Vzczg4GgliYjpzZXNzODkaCGJiOnNlc3M5GgliYjpzZXNzOTAaCWJiOnNlc3M5MRoJYmI6c2VzczkyGgliYjpzZXNzOTMaCWJiOnNlc3M5NBoJYmI6c2Vzczk1GgliYjpzZXNzOTYaCWJiOnNlc3M5NxoJYmI6c2Vzczk4GgliYjpzZXNzOTk:JYmABAVLM6y7_T4n1pRcwBfwDfzMV4JJ3cpbEG617zdGgKRZwL7MalsYn5bq1F2ibujMrsF9nzZf8l4s_e-Ivjkz_xu4KMzSp-pUh9V7XIF_smj0WHYpv6gOvWNuK8uIvlZTTKwtQX0qZOL9m-MEeZiHoQPKZGCfJ_qxMUp-J8I";
+ static const TString VALID_SERVICE_TICKET_3 = "3:serv:CBAQ__________9_IgUI5QEQHA:Sd6tmA1CNy2Nf7XevC3x7zr2DrGNRmcl-TxUsDtDW2xI3YXyCxBltWeg0-KtDlqyYuPOP5Jd_-XXNA12KlOPnNzrz3jm-5z8uQl6CjCcrVHUHJ75pGC8r9UOlS8cOgeXQB5dYP-fOWyo5CNadlozx1S2meCIxncbQRV1kCBi4KU";
+ static const TString VALID_SERVICE_TICKET_ISSUER = "3:serv:CBAQ__________9_IgsI5QEQHCDr1MT4Ag:Gu66XJT_nKnIRJjFy1561wFhIqkJItcSTGftLo7Yvi7i5wIdV-QuKT_-IMPpgjxnnGbt1Dy3Ys2TEoeJAb0TdaCYG1uy3vpoLONmTx9AenN5dx1HHf46cypLK5D3OdiTjxvqI9uGmSIKrSdRxU8gprpu5QiBDPZqVCWhM60FVSY";
+
+ Y_UNIT_TEST(BlackboxTvmIdTest) {
+ UNIT_ASSERT_VALUES_EQUAL("222", TA_BlackboxTvmIdProd);
+ UNIT_ASSERT_VALUES_EQUAL("224", TA_BlackboxTvmIdTest);
+ UNIT_ASSERT_VALUES_EQUAL("223", TA_BlackboxTvmIdProdYateam);
+ UNIT_ASSERT_VALUES_EQUAL("225", TA_BlackboxTvmIdTestYateam);
+ UNIT_ASSERT_VALUES_EQUAL("226", TA_BlackboxTvmIdStress);
+ UNIT_ASSERT_VALUES_EQUAL("239", TA_BlackboxTvmIdMimino);
+ }
+
+ Y_UNIT_TEST(ContextErrorsTest) {
+ TA_TServiceContext* context;
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_MALFORMED_TVM_KEYS,
+ TA_CreateServiceContext(OUR_ID, SECRET.c_str(), SECRET.size(), MALFORMED_TVM_KEYS.c_str(), MALFORMED_TVM_KEYS.size(), &context));
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_EMPTY_TVM_KEYS,
+ TA_CreateServiceContext(OUR_ID, SECRET.c_str(), SECRET.size(), EMPTY_TVM_KEYS.c_str(), EMPTY_TVM_KEYS.size(), &context));
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_MALFORMED_TVM_SECRET,
+ TA_CreateServiceContext(OUR_ID, MALFORMED_TVM_SECRET.c_str(), MALFORMED_TVM_SECRET.size(), NUnittest::TVMKNIFE_PUBLIC_KEYS.c_str(), NUnittest::TVMKNIFE_PUBLIC_KEYS.size(), &context));
+
+ char signature[512];
+ size_t signatureSize;
+
+ TA_CreateServiceContext(OUR_ID, SECRET.c_str(), SECRET.size(), NUnittest::TVMKNIFE_PUBLIC_KEYS.c_str(), NUnittest::TVMKNIFE_PUBLIC_KEYS.size(), &context);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_SMALL_BUFFER,
+ TA_SignCgiParamsForTvm(context, "1490000001", 10, "13,19", 5, "", 0, signature, &signatureSize, 1));
+ TA_DeleteServiceContext(context);
+
+ TA_CreateServiceContext(OUR_ID, nullptr, 0, NUnittest::TVMKNIFE_PUBLIC_KEYS.c_str(), NUnittest::TVMKNIFE_PUBLIC_KEYS.size(), &context);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_MALFORMED_TVM_SECRET,
+ TA_SignCgiParamsForTvm(context, "1490000001", 10, "13,19", 5, "", 0, signature, &signatureSize, 1));
+ TA_DeleteServiceContext(context);
+ }
+
+ Y_UNIT_TEST(ContextSignTest) {
+ TA_TServiceContext* context;
+ TA_CreateServiceContext(OUR_ID, SECRET.c_str(), SECRET.size(), NUnittest::TVMKNIFE_PUBLIC_KEYS.c_str(), NUnittest::TVMKNIFE_PUBLIC_KEYS.size(), &context);
+ char signature[512];
+ size_t signatureSize;
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_SignCgiParamsForTvm(context, "1490000001", 10, "13,19", 5, "", 0, signature, &signatureSize, 512));
+ UNIT_ASSERT_VALUES_EQUAL("9q5ghpb9jqJocw1GyweNo2LyY_lN47O7sXu2-Oe78V4", signature);
+ TA_DeleteServiceContext(context);
+ }
+
+ Y_UNIT_TEST(ContextTest) {
+ TA_TServiceContext* context;
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_CreateServiceContext(OUR_ID, SECRET.c_str(), SECRET.size(), NUnittest::TVMKNIFE_PUBLIC_KEYS.c_str(), NUnittest::TVMKNIFE_PUBLIC_KEYS.size(), &context));
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_DeleteServiceContext(context));
+ }
+
+ Y_UNIT_TEST(StatusToLabelsTest) {
+ UNIT_ASSERT_VALUES_EQUAL(TA_ErrorCodeToString(TA_EErrorCode::TA_EC_OK), "libtvmauth.so: OK");
+ UNIT_ASSERT_VALUES_EQUAL(TA_ErrorCodeToString(TA_EErrorCode::TA_EC_DEPRECATED), "libtvmauth.so: Deprecated function");
+ UNIT_ASSERT_VALUES_EQUAL(TA_ErrorCodeToString(TA_EErrorCode::TA_EC_EMPTY_TVM_KEYS), "libtvmauth.so: Empty TVM keys");
+ UNIT_ASSERT_VALUES_EQUAL(TA_ErrorCodeToString(TA_EErrorCode::TA_EC_EXPIRED_TICKET), "libtvmauth.so: Expired ticket");
+ UNIT_ASSERT_VALUES_EQUAL(TA_ErrorCodeToString(TA_EErrorCode::TA_EC_INVALID_BLACKBOX_ENV), "libtvmauth.so: Invalid BlackBox environment");
+ UNIT_ASSERT_VALUES_EQUAL(TA_ErrorCodeToString(TA_EErrorCode::TA_EC_INVALID_DST), "libtvmauth.so: Invalid ticket destination");
+ UNIT_ASSERT_VALUES_EQUAL(TA_ErrorCodeToString(TA_EErrorCode::TA_EC_INVALID_PARAM), "libtvmauth.so: Invalid function parameter");
+ UNIT_ASSERT_VALUES_EQUAL(TA_ErrorCodeToString(TA_EErrorCode::TA_EC_INVALID_TICKET_TYPE), "libtvmauth.so: Invalid ticket type");
+ UNIT_ASSERT_VALUES_EQUAL(TA_ErrorCodeToString(TA_EErrorCode::TA_EC_MALFORMED_TICKET), "libtvmauth.so: Malformed ticket");
+ UNIT_ASSERT_VALUES_EQUAL(TA_ErrorCodeToString(TA_EErrorCode::TA_EC_MALFORMED_TVM_KEYS), "libtvmauth.so: Malformed TVM keys");
+ UNIT_ASSERT_VALUES_EQUAL(TA_ErrorCodeToString(TA_EErrorCode::TA_EC_MALFORMED_TVM_SECRET), "libtvmauth.so: Malformed TVM secret: it is empty or invalid base64url");
+ UNIT_ASSERT_VALUES_EQUAL(TA_ErrorCodeToString(TA_EErrorCode::TA_EC_MISSING_KEY), "libtvmauth.so: Context does not have required key to check ticket: public keys are too old");
+ UNIT_ASSERT_VALUES_EQUAL(TA_ErrorCodeToString(TA_EErrorCode::TA_EC_NOT_ALLOWED), "libtvmauth.so: Not allowed method");
+ UNIT_ASSERT_VALUES_EQUAL(TA_ErrorCodeToString(TA_EErrorCode::TA_EC_SIGN_BROKEN), "libtvmauth.so: Invalid ticket signature");
+ UNIT_ASSERT_VALUES_EQUAL(TA_ErrorCodeToString(TA_EErrorCode::TA_EC_SMALL_BUFFER), "libtvmauth.so: Small buffer");
+ UNIT_ASSERT_VALUES_EQUAL(TA_ErrorCodeToString(TA_EErrorCode::TA_EC_UNEXPECTED_ERROR), "libtvmauth.so: Unexpected error");
+ UNIT_ASSERT_VALUES_EQUAL(TA_ErrorCodeToString(TA_EErrorCode::TA_EC_UNSUPPORTED_VERSION), "libtvmauth.so: Unsupported ticket version");
+ UNIT_ASSERT_VALUES_EQUAL(TA_ErrorCodeToString(TA_EErrorCode::TA_EC_FAILED_TO_START_TVM_CLIENT), "libtvmauth.so: TvmClient failed to start with some reason (need to check logs)");
+ UNIT_ASSERT_VALUES_EQUAL(TA_ErrorCodeToString(static_cast<TA_EErrorCode>(31)), "libtvmauth.so: Unknown error");
+ }
+
+ Y_UNIT_TEST(TicketErrorsTest) {
+ TA_TServiceContext* context;
+ TA_TCheckedServiceTicket* ticket;
+ char debugInfo[512];
+ size_t debugInfoSize;
+
+ TA_CreateServiceContext(OUR_ID, SECRET.c_str(), SECRET.size(), NUnittest::TVMKNIFE_PUBLIC_KEYS.c_str(), NUnittest::TVMKNIFE_PUBLIC_KEYS.size(), &context);
+ TA_CheckServiceTicket(context, VALID_SERVICE_TICKET_1.c_str(), VALID_SERVICE_TICKET_1.size(), &ticket);
+
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_SMALL_BUFFER,
+ TA_GetServiceTicketDebugInfo(ticket, debugInfo, &debugInfoSize, 1));
+
+ TA_DeleteServiceTicket(ticket);
+ TA_DeleteServiceContext(context);
+ }
+
+ Y_UNIT_TEST(Ticket1Test) {
+ TA_TServiceContext* context;
+ char debugInfo[512];
+ size_t debugInfoSize;
+ TA_TCheckedServiceTicket* ticket;
+ uint32_t ticketSrc;
+ uint64_t uid = 0;
+
+ TA_CreateServiceContext(OUR_ID, SECRET.c_str(), SECRET.size(), NUnittest::TVMKNIFE_PUBLIC_KEYS.c_str(), NUnittest::TVMKNIFE_PUBLIC_KEYS.size(), &context);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_CheckServiceTicket(context, VALID_SERVICE_TICKET_1.c_str(), VALID_SERVICE_TICKET_1.size(), &ticket));
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_GetServiceTicketSrc(ticket, &ticketSrc));
+ UNIT_ASSERT_VALUES_EQUAL(SRC_ID, ticketSrc);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_GetServiceTicketDebugInfo(ticket, debugInfo, &debugInfoSize, 512));
+ UNIT_ASSERT_VALUES_EQUAL(
+ "ticket_type=serv;expiration_time=9223372036854775807;src=229;dst=28;scope=bb:sess1;scope=bb:sess2;",
+ TStringBuf(debugInfo, debugInfoSize));
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_GetServiceTicketIssuerUid(ticket, &uid));
+ UNIT_ASSERT_VALUES_EQUAL(0, uid);
+ TA_DeleteServiceTicket(ticket);
+ TA_DeleteServiceContext(context);
+ }
+
+ Y_UNIT_TEST(Ticket2Test) {
+ TA_TServiceContext* context;
+ char debugInfo[8192];
+ size_t debugInfoSize;
+ TA_TCheckedServiceTicket* ticket;
+ uint64_t uid = 0;
+
+ TA_CreateServiceContext(OUR_ID, SECRET.c_str(), SECRET.size(), NUnittest::TVMKNIFE_PUBLIC_KEYS.c_str(), NUnittest::TVMKNIFE_PUBLIC_KEYS.size(), &context);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_CheckServiceTicket(context, VALID_SERVICE_TICKET_2.c_str(), VALID_SERVICE_TICKET_2.size(), &ticket));
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_GetServiceTicketDebugInfo(ticket, debugInfo, &debugInfoSize, 8192));
+ UNIT_ASSERT_VALUES_EQUAL(
+ "ticket_type=serv;expiration_time=9223372036854775807;src=229;dst=28;scope=bb:sess1;scope=bb:sess10;scope=bb:sess100;scope=bb:sess11;scope=bb:sess12;scope=bb:sess13;scope=bb:sess14;scope=bb:sess15;scope=bb:sess16;scope=bb:sess17;scope=bb:sess18;scope=bb:sess19;scope=bb:sess2;scope=bb:sess20;scope=bb:sess21;scope=bb:sess22;scope=bb:sess23;scope=bb:sess24;scope=bb:sess25;scope=bb:sess26;scope=bb:sess27;scope=bb:sess28;scope=bb:sess29;scope=bb:sess3;scope=bb:sess30;scope=bb:sess31;scope=bb:sess32;scope=bb:sess33;scope=bb:sess34;scope=bb:sess35;scope=bb:sess36;scope=bb:sess37;scope=bb:sess38;scope=bb:sess39;scope=bb:sess4;scope=bb:sess40;scope=bb:sess41;scope=bb:sess42;scope=bb:sess43;scope=bb:sess44;scope=bb:sess45;scope=bb:sess46;scope=bb:sess47;scope=bb:sess48;scope=bb:sess49;scope=bb:sess5;scope=bb:sess50;scope=bb:sess51;scope=bb:sess52;scope=bb:sess53;scope=bb:sess54;scope=bb:sess55;scope=bb:sess56;scope=bb:sess57;scope=bb:sess58;scope=bb:sess59;scope=bb:sess6;scope=bb:sess60;scope=bb:sess61;scope=bb:sess62;scope=bb:sess63;scope=bb:sess64;scope=bb:sess65;scope=bb:sess66;scope=bb:sess67;scope=bb:sess68;scope=bb:sess69;scope=bb:sess7;scope=bb:sess70;scope=bb:sess71;scope=bb:sess72;scope=bb:sess73;scope=bb:sess74;scope=bb:sess75;scope=bb:sess76;scope=bb:sess77;scope=bb:sess78;scope=bb:sess79;scope=bb:sess8;scope=bb:sess80;scope=bb:sess81;scope=bb:sess82;scope=bb:sess83;scope=bb:sess84;scope=bb:sess85;scope=bb:sess86;scope=bb:sess87;scope=bb:sess88;scope=bb:sess89;scope=bb:sess9;scope=bb:sess90;scope=bb:sess91;scope=bb:sess92;scope=bb:sess93;scope=bb:sess94;scope=bb:sess95;scope=bb:sess96;scope=bb:sess97;scope=bb:sess98;scope=bb:sess99;",
+ TStringBuf(debugInfo, debugInfoSize));
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_GetServiceTicketIssuerUid(ticket, &uid));
+ UNIT_ASSERT_VALUES_EQUAL(0, uid);
+ TA_DeleteServiceTicket(ticket);
+ TA_DeleteServiceContext(context);
+ }
+
+ Y_UNIT_TEST(Ticket3Test) {
+ TA_TServiceContext* context;
+ char debugInfo[512];
+ size_t debugInfoSize;
+ TA_TCheckedServiceTicket* ticket;
+ uint64_t uid = 0;
+
+ TA_CreateServiceContext(OUR_ID, SECRET.c_str(), SECRET.size(), NUnittest::TVMKNIFE_PUBLIC_KEYS.c_str(), NUnittest::TVMKNIFE_PUBLIC_KEYS.size(), &context);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_CheckServiceTicket(context, VALID_SERVICE_TICKET_3.c_str(), VALID_SERVICE_TICKET_3.size(), &ticket));
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_GetServiceTicketDebugInfo(ticket, debugInfo, &debugInfoSize, 512));
+ UNIT_ASSERT_VALUES_EQUAL(
+ "ticket_type=serv;expiration_time=9223372036854775807;src=229;dst=28;",
+ TStringBuf(debugInfo, debugInfoSize));
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_GetServiceTicketIssuerUid(ticket, &uid));
+ UNIT_ASSERT_VALUES_EQUAL(0, uid);
+ TA_DeleteServiceTicket(ticket);
+ TA_DeleteServiceContext(context);
+ }
+
+ Y_UNIT_TEST(TicketIssuerTest) {
+ TA_TServiceContext* context;
+ char debugInfo[512];
+ size_t debugInfoSize;
+ TA_TCheckedServiceTicket* ticket;
+ uint64_t uid = 0;
+
+ TA_CreateServiceContext(OUR_ID, SECRET.c_str(), SECRET.size(), NUnittest::TVMKNIFE_PUBLIC_KEYS.c_str(), NUnittest::TVMKNIFE_PUBLIC_KEYS.size(), &context);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_CheckServiceTicket(context, VALID_SERVICE_TICKET_ISSUER.c_str(), VALID_SERVICE_TICKET_ISSUER.size(), &ticket));
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_GetServiceTicketDebugInfo(ticket, debugInfo, &debugInfoSize, 512));
+ UNIT_ASSERT_VALUES_EQUAL(
+ "ticket_type=serv;expiration_time=9223372036854775807;src=229;dst=28;issuer_uid=789654123;",
+ TStringBuf(debugInfo, debugInfoSize));
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_GetServiceTicketIssuerUid(ticket, &uid));
+ UNIT_ASSERT_VALUES_EQUAL(789654123, uid);
+ TA_DeleteServiceTicket(ticket);
+ TA_DeleteServiceContext(context);
+ }
+}
+
+Y_UNIT_TEST_SUITE(CInterfaceUserTestSuite) {
+ static const TString EMPTY_TVM_KEYS = "1:CpkCCpQCCAIQABqJAjCCAQUCggEBAOEQEzn7piw9Z-iAq1uW4mgJfVZXYp3M5pDT46VFsHN4LPD55Aq7XZzxZqQcFt4Ix3UjVNTrhIOQOitaNcYhr_bFPo3fPM0ATnSuhNs8JyZ5CumzbrChNh9gi6oN2jFgpk2vSW80stbju8GvsQqqjVLgpKPtpcr9dh4S9SAiB_edUhw2uKjtVOcWYYZVAJ6lovUeLWA3jIheNVnTo8E9n4PFJG7rE4ZsWt8owl4w-zso7IT7bpDfE5d1MhrVf7Ngi5xN39vFQIvgFVvBbYC9tsWxobshKZV0a7RdROaFezUqsR9RUtEmETgPH32EBlebX8eVgxR4lwxD-gc6FX3gQ0UglpEGEAIKlgEKkQEIAxAAGoYBMIGDAoGAX23ZgkYAmRFEWrp9aGLebVMVbVQ4TR_pmt9iEcCSmoaUqWHRBV95M0-l4mGLvnFfMJ7qhF5FSb7QNuoM2FNKELu4ZS_Ug1idEFBYfoT7kVzletsMVK4ZDDYRiM18fL8d58clfFAoCo-_EEMowqQeBXnxa0zqsLyNGL2x1f-KDY0gl5EGEAEKlgEKkQEIBBAAGoYBMIGDAoGAYHh3p4sZQG_5DoQ8t6ELhL7K4TYcH7-sntaR5jDKn7Eg-iU-t349CZ7a60cHhmClcci784WSwN7_Rs-BmeI1FJVFuXtbj0OBLlhreQx-tgHgOcXkW1rm2fWhXoTDFgPgk42kVN6c4kAs8ZM9rDFcR-if-l6Ic5IG5Ay7f9Wf6XUgmJEGEAMKlwEKkgEIBRAAGocBMIGEAoGBAJMkwoh-Z95mlojtD2uexzb2B1ZrArtOelUpEfCzWJjsRSVhE55Vwx0DASpUzp_wFUIosaDNDsZqv-67F9QYrCoRDOimkOtrDgXvknjrj7sPl_r-glC4YgEdnGpsw420uMEJdFSFBbmzMEuZND9Hepolvm9_6HQA9l-RiGrVxO21IJmRBhAECpcBCpIBCAwQABqHATCBhAKBgQCS7MVx3lMm7uVhZh7aFAsV9RYgiP3UG9BAtr9OGWfhi0YI7yAbUomomb5iWYk5ZAbQHsf_lFWHFTFX0qmYWewNWTNQUo6wIFpgZdzXbE9WKhrBSUDCnmqndBC1nLH-x73tgigvO4uvjpSQtwueQiun4mjjpDNiL9AerjlZObwxDSCWkQYQAgqXAQqSAQgNEAAahwEwgYQCgYEAhTNvE6Sdd_-s23Xv-KvwmVa-u2cJaxB3UwCeXmaACu9q8O0p4FgfOLn8CTsMeUvO4DpgTxbXvkXEsUqk3aGTP6X4zuW1RJ3w3UG8lGEri3pZ99Z8L_XA_KgBt5I3ZhvWPKC1klDzAahcdwlBReIyK3d4U3LKXCwkWPWDMBHgkJ0gl5EGEAEKlgEKkQEIDhAAGoYBMIGDAoGAUxxsSmX26RVHoA79HqwzKJTXUjxvwwFJQIQLXmIqytU7y_-bjv9NFGNY9i1D15nujWhw0kdoZRTuqoicWq0VpWchx4_o2YKxeGOzcwutY9LwhEDLhl_gUqYY7Hc307a96aNTKBn29SJKRQt1Wt5yKdFpPwlDlEbhtQxjThcYjAUgmJEGEAMKlgEKkQEIDxAAGoYBMIGDAoGAakKRb41HeWLwaVG-qmrZhkZIiCb89PIMjZnB_Dr2CuwGY-lUVbjxXDvGgw3fnNyuiMSmJqUH-5DOWktg6-wyXrfgJEi6P6fVATf6BplNNMTyaD4BHiZzGdMpOE-dFClu46VgCeuLCJqxaJAQxsaOr8eZaKhhjEWj1RKWSVCfj70gmZEGEAQSlQEKkgEIBhAAGocBMIGEAoGBAKhmQUab2gtOqN5dkCrqPlLqLsrbRXSU10EEup-YUEhG5ORjGGzi9RidaNmspEB3lunr-nLRyyYWamX_liHRv7al2j8Tk80_ssZHMrIpKIV13LKQorNU5rMfx
hiV0MB8TxnkehL17jxqfkmw-DSOv5M-7fgOcmrfK_Zrp2qIov3NIJqRBhKVAQqSAQgQEAAahwEwgYQCgYEAuGuKFt_cSmMNBLawJAdrOgWA3ScFsT156yecVN_NAQtdvaCclT16eZX9oOpocqOC0sg-kKCfjSUeufmTqa8fk5153IjpwLMT434YWnecCrQ0MnIx7R-G0hEP_8JtPS6Vy-R6jDrm5tdZ_Dp0ELaBH_fit0x78v9MZEsxaMNQts0gmpEG";
+ static const TString EXPIRED_USER_TICKET = "3:user:CA0QABokCgMIyAMKAgh7EMgDGghiYjpzZXNzMRoIYmI6c2VzczIgEigB:D0CmYVwWg91LDYejjeQ2UP8AeiA_mr1q1CUD_lfJ9zQSEYEOYGDTafg4Um2rwOOvQnsD1JHM4zHyMUJ6Jtp9GAm5pmhbXBBZqaCcJpyxLTEC8a81MhJFCCJRvu_G1FiAgRgB25gI3HIbkvHFUEqAIC_nANy7NFQnbKk2S-EQPGY";
+ static const TString MALFORMED_TVM_KEYS = "1:CpgCCpMCCAEQABqIAjCCAQQCggEAcLEXeH67FQESFUn4_7wnX7wN0PUrBoUsm3QQ4W5vC-qz6sXaEjSwnTV8w1o-z6X9KPLlhzMQvuS38NCNfK4uvJ4Zvfp3YsXJ25-rYtbnrYJHNvHohD-kPCCw_yZpMp21JdWigzQGuV7CtrxUhF-NNrsnUaJrE5-OpEWNt4X6nCItKIYeVcSK6XJUbEWbrNCRbvkSc4ak2ymFeMuHYJVjxh4eQbk7_ZPzodP0WvF6eUYrYeb42imVEOR8ofVLQWE5DVnb1z_TqZm4i1XkS7jMwZuBxBRw8DGdYei0lT_sAf7KST2jC0590NySB3vsBgWEVs1OdUUWA6r-Dvx9dsOQtSCVkQYQAAqZAgqUAggCEAAaiQIwggEFAoIBAQDhEBM5-6YsPWfogKtbluJoCX1WV2KdzOaQ0-OlRbBzeCzw-eQKu12c8WakHBbeCMd1I1TU64SDkDorWjXGIa_2xT6N3zzNAE50roTbPCcmeQrps26woTYfYIuqDdoxYKZNr0lvNLLW47vBr7EKqo1S4KSj7aXK_XYeEvUgIgf3nVIcNrio7VTnFmGGVQCepaL1Hi1gN4yIXjVZ06PBPZ-DxSRu6xOGbFrfKMJeMPs7KOyE-26Q3xOXdTIa1X-zYIucTd_bxUCL4BVbwW2AvbbFsaG7ISmVdGu0XUTmhXs1KrEfUVLRJhE4Dx99hAZXm1_HlYMUeJcMQ_oHOhV94ENFIJaRBhACCpYBCpEBCAMQABqGATCBgwKBgF9t2YJGAJkRRFq6fWhi3m1TFW1UOE0f6ZrfYhHAkpqGlKlh0QVfeTNPpeJhi75xXzCe6oReRUm-0DbqDNhTShC7uGUv1INYnRBQWH6E-5Fc5XrbDFSuGQw2EYjNfHy_HefHJXxQKAqPvxBDKMKkHgV58WtM6rC8jRi9sdX_ig2NIJeRBhABCpYBCpEBCAQQABqGATCBgwKBgGB4d6eLGUBv-Q6EPLehC4S-yuE2HB-_rJ7WkeYwyp-xIPolPrd-PQme2utHB4ZgpXHIu_OFksDe_0bPgZniNRSVRbl7W49DgS5Ya3kMfrYB4DnF5Fta5tn1oV6EwxYD4JONpFTenOJALPGTPawxXEfon_peiHOSBuQMu3_Vn-l1IJiRBhADCpcBCpIBCAUQABqHATCBhAKBgQCTJMKIfmfeZpaI7Q9rnsc29gdWawK7TnpVKRHws1iY7EUlYROeVcMdAwEqVM6f8BVCKLGgzQ7Gar_uuxfUGKwqEQzoppDraw4F75J464-7D5f6_oJQuGIBHZxqbMONtLjBCXRUhQW5szBLmTQ_R3qaJb5vf-h0APZfkYhq1cTttSCZkQYQBAqWAQqRAQgLEAAahgEwgYMCgYBvvGVH_M2H8qxxv94yaDYUTWbRnJ1uiIYc59KIQlfFimMPhSS7x2tqUa2-hI55JiII0Xym6GNkwLhyc1xtWChpVuIdSnbvttbrt4weDMLHqTwNOF6qAsVKGKT1Yh8yf-qb-DSmicgvFc74mBQm_6gAY1iQsf33YX8578ClhKBWHSCVkQYQAAqXAQqSAQgMEAAahwEwgYQCgYEAkuzFcd5TJu7lYWYe2hQLFfUWIIj91BvQQLa_Thln4YtGCO8gG1KJqJm-YlmJOWQG0B7H_5RVhxUxV9KpmFnsDVkzUFKOsCBaYGXc12xPVioawUlAwp5qp3QQtZyx_se97YIoLzuLr46UkLcLnkIrp-Jo46QzYi_QHq45WTm8MQ0glpEGEAIKlwEKkgEIDRAAGocBMIGEAoGBAIUzbxOknXf_rNt17_ir8JlWvrtnCWsQd1MAnl5mgArvavDtKeBYHzi5_Ak7DHlLzuA6YE8W175FxLFKpN2hkz-l-M7ltUSd8N1BvJRhK4t6WffWfC_1wPyoAbeSN2Yb1jygtZJQ8wGoXHcJQUXiM
it3eFNyylwsJFj1gzAR4JCdIJeRBhABCpYBCpEBCA4QABqGATCBgwKBgFMcbEpl9ukVR6AO_R6sMyiU11I8b8MBSUCEC15iKsrVO8v_m47_TRRjWPYtQ9eZ7o1ocNJHaGUU7qqInFqtFaVnIceP6NmCsXhjs3MLrWPS8IRAy4Zf4FKmGOx3N9O2vemjUygZ9vUiSkULdVrecinRaT8JQ5RG4bUMY04XGIwFIJiRBhADCpYBCpEBCA8QABqGATCBgwKBgGpCkW-NR3li8GlRvqpq2YZGSIgm_PTyDI2Zwfw69grsBmPpVFW48Vw7xoMN35zcrojEpialB_uQzlpLYOvsMl634CRIuj-n1QE3-gaZTTTE8mg-AR4mcxnTKThPnRQpbuOlYAnriwiasWiQEMbGjq_HmWioYYxFo9USlklQn4-9IJmRBhAEEpUBCpIBCAYQABqHATCBhAKBgQCoZkFGm9oLTqjeXZAq6j5S6i7K20V0lNdBBLqfmFBIRuTkYxhs4vUYnWjZrKRAd5bp6_py0csmFmpl_5Yh0b-2pdo_E5PNP7LGRzKyKSiFddyykKKzVOazH8YYldDAfE8Z5HoS9e48an5JsPg0jr-TPu34DnJq3yv2a6dqiKL9zSCakQYSlQEKkgEIEBAAGocBMIGEAoGBALhrihbf3EpjDQS2sCQHazoFgN0nBbE9eesnnFTfzQELXb2gnJU9enmV_aDqaHKjgtLIPpCgn40lHrn5k6mvH5OdedyI6cCzE-N-GFp3nAq0NDJyMe0fhtIRD__CbT0ulcvkeow65ubXWfw6dBC2gR_34rdMe_L_TGRLMWjDULbNIJ";
+ static const TString UNSUPPORTED_VERSION_USER_TICKET = "2:user:CA0Q__________9_GiQKAwjIAwoCCHsQyAMaCGJiOnNlc3MxGghiYjpzZXNzMiASKAE:KJFv5EcXn9krYk19LCvlFrhMW-R4q8mKfXJXCd-RBVBgUQzCOR1Dx2FiOyU-BxUoIsaU0PiwTjbVY5I2onJDilge70Cl5zEPI9pfab2qwklACq_ZBUvD1tzrfNUr88otBGAziHASJWgyVDkhyQ3p7YbN38qpb0vGQrYNxlk4e2I";
+ static const TString USER_TICKET_PROTOBUF = "CA0Q__________9_GiQKAwjIAwoCCHsQyAMaCGJiOnNlc3MxGghiYjpzZXNzMiASKAE";
+ static const TString VALID_USER_TICKET_1 = "3:user:CA0Q__________9_GiQKAwjIAwoCCHsQyAMaCGJiOnNlc3MxGghiYjpzZXNzMiASKAE:KJFv5EcXn9krYk19LCvlFrhMW-R4q8mKfXJXCd-RBVBgUQzCOR1Dx2FiOyU-BxUoIsaU0PiwTjbVY5I2onJDilge70Cl5zEPI9pfab2qwklACq_ZBUvD1tzrfNUr88otBGAziHASJWgyVDkhyQ3p7YbN38qpb0vGQrYNxlk4e2I";
+ static const TString VALID_USER_TICKET_2 = "3:user:CA0Q__________9_GhAKAwjIAwoCCHsQyAMgEigB:KRibGYTJUA2ns0Fn7VYqeMZ1-GdscB1o9pRzELyr7QJrJsfsE8Y_HoVvB8Npr-oalv6AXOpagSc8HpZjAQz8zKMAVE_tI0tL-9DEsHirpawEbpy7OWV7-k18o1m-RaDaKeTlIB45KHbBul1-9aeKkortBfbbXtz_Qy9r_mfFPiQ";
+ static const TString VALID_USER_TICKET_3 = "3:user:CA0Q__________9_Go8bCgIIAAoCCAEKAggCCgIIAwoCCAQKAggFCgIIBgoCCAcKAggICgIICQoCCAoKAggLCgIIDAoCCA0KAggOCgIIDwoCCBAKAggRCgIIEgoCCBMKAggUCgIIFQoCCBYKAggXCgIIGAoCCBkKAggaCgIIGwoCCBwKAggdCgIIHgoCCB8KAgggCgIIIQoCCCIKAggjCgIIJAoCCCUKAggmCgIIJwoCCCgKAggpCgIIKgoCCCsKAggsCgIILQoCCC4KAggvCgIIMAoCCDEKAggyCgIIMwoCCDQKAgg1CgIINgoCCDcKAgg4CgIIOQoCCDoKAgg7CgIIPAoCCD0KAgg-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_AQoDCMABCgMIwQEKAwjCAQoDCMMBCgMIxAEKAwjFAQoDCMYBCgMIxwEKAwjIAQoDCMkBCgMIygEKAwjLAQoDCMwBCgMIzQEKAwjOAQoDCM8BCgMI0AEKAwjRAQoDCNIBCgMI0wEKAwjUAQoDCNUBCgMI1gEKAwjXAQoDCNgBCgMI2QEKAwjaAQoDCNsBCgMI3AEKAwjdAQoDCN4BCgMI3wEKAwjgAQoDCOEBCgMI4gEKAwjjAQoDCOQBCgMI5QEKAwjmAQoDCOcBCgMI6AEKAwjpAQoDCOoBCgMI6wEKAwjsAQoDCO0BCgMI7gEKAwjvAQoDCPABCgMI8QEKAwjyAQoDCPMBCgMI9AEKAwj1AQoDCPYBCgMI9wEKAwj4AQoDCPkBCgMI-gEKAwj7AQoDCPwBCgMI_QEKAwj-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-AIKAwj5AgoDCPoCCgMI-wIKAwj8AgoDCP0CCgMI_gIKAwj_AgoDCIADCgMIgQMKAwiCAwoDCIMDCgMIhAMKAwiFAwoDCIYDCgMIhwMKAwiIAwoDCIkDCgMIigMKAwiLAwoDCIwDCgMIjQMKAwiOAwoDCI8DCgMIkAMKAwiRAwoDCJIDCgMIkwMKAwiUAwoDCJUDCgMIlgMKAwiXAwoDCJgDCgMImQMKAwiaAwoDCJsDCgMInAMKAwidAwoDCJ4DCgMInwMKAwigAwoDCKEDCgMIogMKAwijAwoDCKQDCgMIpQMKAwimAwoDCKcDCgMIqAMKAwipAwoDCKoDCgMIqwMKAwisAwoDCK0DCgMIrgMKAwivAwoDCLADCgMIsQMKAwiyAwoDCLMDCgMItAMKAwi1AwoDCLYDCgMItwMKAwi4AwoDCLkDCgMIugMKAwi7AwoDCLwDCgMIvQMKAwi-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:CX8PIOrxJnQqFXl7wAsiHJ_1VGjoI-asNlCXb8SE8jtI2vdh9x6CqbAurSgIlAAEgotVP-nuUR38x_a9YJuXzmG5AvJ458apWQtODHIDIX6ZaIwMxjS02R7S5LNqXa0gAuU_R6bCWpZdWe2uLMkdpu5KHbDgW08g-uaP_nceDOk";
+
+ Y_UNIT_TEST(BlackboxEnvTest) {
+ UNIT_ASSERT_EQUAL(int(TA_EBlackboxEnv::TA_BE_PROD), int(EBlackboxEnv::Prod));
+ UNIT_ASSERT_EQUAL(int(TA_EBlackboxEnv::TA_BE_TEST), int(EBlackboxEnv::Test));
+ UNIT_ASSERT_EQUAL(int(TA_EBlackboxEnv::TA_BE_PROD_YATEAM), int(EBlackboxEnv::ProdYateam));
+ UNIT_ASSERT_EQUAL(int(TA_EBlackboxEnv::TA_BE_TEST_YATEAM), int(EBlackboxEnv::TestYateam));
+ UNIT_ASSERT_EQUAL(int(TA_EBlackboxEnv::TA_BE_STRESS), int(EBlackboxEnv::Stress));
+ }
+
+ Y_UNIT_TEST(ContextTest) {
+ TA_TUserContext* context;
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_CreateUserContext(TA_EBlackboxEnv::TA_BE_TEST, NUnittest::TVMKNIFE_PUBLIC_KEYS.c_str(), NUnittest::TVMKNIFE_PUBLIC_KEYS.size(), &context));
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_DeleteUserContext(context));
+ }
+
+ Y_UNIT_TEST(ContextErrorsTest) {
+ TA_TUserContext* context;
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_MALFORMED_TVM_KEYS,
+ TA_CreateUserContext(TA_EBlackboxEnv::TA_BE_PROD, MALFORMED_TVM_KEYS.c_str(), MALFORMED_TVM_KEYS.size(), &context));
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_EMPTY_TVM_KEYS,
+ TA_CreateUserContext(TA_EBlackboxEnv::TA_BE_PROD, EMPTY_TVM_KEYS.c_str(), EMPTY_TVM_KEYS.size(), &context));
+ }
+
+ Y_UNIT_TEST(Ticket1Test) {
+ int checking;
+ TA_TUserContext* context;
+ char debugInfo[512];
+ size_t debugInfoSize;
+ uint64_t defaultUid;
+ const char* firstScope;
+ uint64_t firstUid;
+ size_t scopesCount;
+ const char* secondScope;
+ uint64_t secondUid;
+ TA_TCheckedUserTicket* ticket;
+ size_t uidsCount;
+
+ TA_CreateUserContext(TA_EBlackboxEnv::TA_BE_TEST, NUnittest::TVMKNIFE_PUBLIC_KEYS.c_str(), NUnittest::TVMKNIFE_PUBLIC_KEYS.size(), &context);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_CheckUserTicket(context, VALID_USER_TICKET_1.c_str(), VALID_USER_TICKET_1.size(), &ticket));
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_GetUserTicketDefaultUid(ticket, &defaultUid));
+ UNIT_ASSERT_VALUES_EQUAL(456, defaultUid);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_GetUserTicketScopesCount(ticket, &scopesCount));
+ UNIT_ASSERT_VALUES_EQUAL(2, scopesCount);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_GetUserTicketScope(ticket, 0, &firstScope));
+ UNIT_ASSERT_VALUES_EQUAL("bb:sess1", firstScope);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_GetUserTicketScope(ticket, 1, &secondScope));
+ UNIT_ASSERT_VALUES_EQUAL("bb:sess2", secondScope);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_GetUserTicketUidsCount(ticket, &uidsCount));
+ UNIT_ASSERT_EQUAL(2, uidsCount);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_GetUserTicketUid(ticket, 0, &firstUid));
+ UNIT_ASSERT_EQUAL(456, firstUid);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_GetUserTicketUid(ticket, 1, &secondUid));
+ UNIT_ASSERT_EQUAL(123, secondUid);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_HasUserTicketScope(ticket, "bb:sess1", 8, &checking));
+ UNIT_ASSERT(checking);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_HasUserTicketScope(ticket, "bb:sess2", 8, &checking));
+ UNIT_ASSERT(checking);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_HasUserTicketScope(ticket, "bb:sess3", 8, &checking));
+ UNIT_ASSERT(!checking);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_GetUserTicketDebugInfo(ticket, debugInfo, &debugInfoSize, 512));
+ UNIT_ASSERT_VALUES_EQUAL(
+ "ticket_type=user;expiration_time=9223372036854775807;scope=bb:sess1;scope=bb:sess2;default_uid=456;uid=456;uid=123;env=Test;",
+ TStringBuf(debugInfo, debugInfoSize));
+ TA_DeleteUserTicket(ticket);
+ TA_DeleteUserContext(context);
+ }
+
+ Y_UNIT_TEST(Ticket2Test) {
+ TA_TUserContext* context;
+ char debugInfo[512];
+ size_t debugInfoSize;
+ size_t scopesCount;
+ TA_TCheckedUserTicket* ticket;
+ size_t uidsCount;
+
+ TA_CreateUserContext(TA_EBlackboxEnv::TA_BE_TEST, NUnittest::TVMKNIFE_PUBLIC_KEYS.c_str(), NUnittest::TVMKNIFE_PUBLIC_KEYS.size(), &context);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_CheckUserTicket(context, VALID_USER_TICKET_2.c_str(), VALID_USER_TICKET_2.size(), &ticket));
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_GetUserTicketScopesCount(ticket, &scopesCount));
+ UNIT_ASSERT_VALUES_EQUAL(0, scopesCount);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_GetUserTicketUidsCount(ticket, &uidsCount));
+ UNIT_ASSERT_VALUES_EQUAL(2, uidsCount);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_GetUserTicketDebugInfo(ticket, debugInfo, &debugInfoSize, 512));
+ UNIT_ASSERT_VALUES_EQUAL(
+ "ticket_type=user;expiration_time=9223372036854775807;default_uid=456;uid=456;uid=123;env=Test;",
+ TStringBuf(debugInfo, debugInfoSize));
+ TA_DeleteUserTicket(ticket);
+ TA_DeleteUserContext(context);
+ }
+
+ Y_UNIT_TEST(Ticket3Test) {
+ TA_TUserContext* context;
+ char debugInfo[8192];
+ size_t debugInfoSize;
+ size_t scopesCount;
+ TA_TCheckedUserTicket* ticket;
+ size_t uidsCount;
+
+ TA_CreateUserContext(TA_EBlackboxEnv::TA_BE_TEST, NUnittest::TVMKNIFE_PUBLIC_KEYS.c_str(), NUnittest::TVMKNIFE_PUBLIC_KEYS.size(), &context);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_CheckUserTicket(context, VALID_USER_TICKET_3.c_str(), VALID_USER_TICKET_3.size(), &ticket));
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_GetUserTicketScopesCount(ticket, &scopesCount));
+ UNIT_ASSERT_VALUES_EQUAL(100, scopesCount);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_GetUserTicketUidsCount(ticket, &uidsCount));
+ UNIT_ASSERT_EQUAL(500, uidsCount);
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_GetUserTicketDebugInfo(ticket, debugInfo, &debugInfoSize, 8192));
+ UNIT_ASSERT_VALUES_EQUAL(
+ "ticket_type=user;expiration_time=9223372036854775807;scope=bb:sess1;scope=bb:sess10;scope=bb:sess100;scope=bb:sess11;scope=bb:sess12;scope=bb:sess13;scope=bb:sess14;scope=bb:sess15;scope=bb:sess16;scope=bb:sess17;scope=bb:sess18;scope=bb:sess19;scope=bb:sess2;scope=bb:sess20;scope=bb:sess21;scope=bb:sess22;scope=bb:sess23;scope=bb:sess24;scope=bb:sess25;scope=bb:sess26;scope=bb:sess27;scope=bb:sess28;scope=bb:sess29;scope=bb:sess3;scope=bb:sess30;scope=bb:sess31;scope=bb:sess32;scope=bb:sess33;scope=bb:sess34;scope=bb:sess35;scope=bb:sess36;scope=bb:sess37;scope=bb:sess38;scope=bb:sess39;scope=bb:sess4;scope=bb:sess40;scope=bb:sess41;scope=bb:sess42;scope=bb:sess43;scope=bb:sess44;scope=bb:sess45;scope=bb:sess46;scope=bb:sess47;scope=bb:sess48;scope=bb:sess49;scope=bb:sess5;scope=bb:sess50;scope=bb:sess51;scope=bb:sess52;scope=bb:sess53;scope=bb:sess54;scope=bb:sess55;scope=bb:sess56;scope=bb:sess57;scope=bb:sess58;scope=bb:sess59;scope=bb:sess6;scope=bb:sess60;scope=bb:sess61;scope=bb:sess62;scope=bb:sess63;scope=bb:sess64;scope=bb:sess65;scope=bb:sess66;scope=bb:sess67;scope=bb:sess68;scope=bb:sess69;scope=bb:sess7;scope=bb:sess70;scope=bb:sess71;scope=bb:sess72;scope=bb:sess73;scope=bb:sess74;scope=bb:sess75;scope=bb:sess76;scope=bb:sess77;scope=bb:sess78;scope=bb:sess79;scope=bb:sess8;scope=bb:sess80;scope=bb:sess81;scope=bb:sess82;scope=bb:sess83;scope=bb:sess84;scope=bb:sess85;scope=bb:sess86;scope=bb:sess87;scope=bb:sess88;scope=bb:sess89;scope=bb:sess9;scope=bb:sess90;scope=bb:sess91;scope=bb:sess92;scope=bb:sess93;scope=bb:sess94;scope=bb:sess95;scope=bb:sess96;scope=bb:sess97;scope=bb:sess98;scope=bb:sess99;default_uid=456;uid=0;uid=1;uid=2;uid=3;uid=4;uid=5;uid=6;uid=7;uid=8;uid=9;uid=10;uid=11;uid=12;uid=13;uid=14;uid=15;uid=16;uid=17;uid=18;uid=19;uid=20;uid=21;uid=22;uid=23;uid=24;uid=25;uid=26;uid=27;uid=28;uid=29;uid=30;uid=31;uid=32;uid=33;uid=34;uid=35;uid=36;uid=37;uid=38;uid=39;uid=40;uid=41;uid=42;uid=43;uid=44;uid=45;uid=46;uid=47;uid=48;uid
=49;uid=50;uid=51;uid=52;uid=53;uid=54;uid=55;uid=56;uid=57;uid=58;uid=59;uid=60;uid=61;uid=62;uid=63;uid=64;uid=65;uid=66;uid=67;uid=68;uid=69;uid=70;uid=71;uid=72;uid=73;uid=74;uid=75;uid=76;uid=77;uid=78;uid=79;uid=80;uid=81;uid=82;uid=83;uid=84;uid=85;uid=86;uid=87;uid=88;uid=89;uid=90;uid=91;uid=92;uid=93;uid=94;uid=95;uid=96;uid=97;uid=98;uid=99;uid=100;uid=101;uid=102;uid=103;uid=104;uid=105;uid=106;uid=107;uid=108;uid=109;uid=110;uid=111;uid=112;uid=113;uid=114;uid=115;uid=116;uid=117;uid=118;uid=119;uid=120;uid=121;uid=122;uid=123;uid=124;uid=125;uid=126;uid=127;uid=128;uid=129;uid=130;uid=131;uid=132;uid=133;uid=134;uid=135;uid=136;uid=137;uid=138;uid=139;uid=140;uid=141;uid=142;uid=143;uid=144;uid=145;uid=146;uid=147;uid=148;uid=149;uid=150;uid=151;uid=152;uid=153;uid=154;uid=155;uid=156;uid=157;uid=158;uid=159;uid=160;uid=161;uid=162;uid=163;uid=164;uid=165;uid=166;uid=167;uid=168;uid=169;uid=170;uid=171;uid=172;uid=173;uid=174;uid=175;uid=176;uid=177;uid=178;uid=179;uid=180;uid=181;uid=182;uid=183;uid=184;uid=185;uid=186;uid=187;uid=188;uid=189;uid=190;uid=191;uid=192;uid=193;uid=194;uid=195;uid=196;uid=197;uid=198;uid=199;uid=200;uid=201;uid=202;uid=203;uid=204;uid=205;uid=206;uid=207;uid=208;uid=209;uid=210;uid=211;uid=212;uid=213;uid=214;uid=215;uid=216;uid=217;uid=218;uid=219;uid=220;uid=221;uid=222;uid=223;uid=224;uid=225;uid=226;uid=227;uid=228;uid=229;uid=230;uid=231;uid=232;uid=233;uid=234;uid=235;uid=236;uid=237;uid=238;uid=239;uid=240;uid=241;uid=242;uid=243;uid=244;uid=245;uid=246;uid=247;uid=248;uid=249;uid=250;uid=251;uid=252;uid=253;uid=254;uid=255;uid=256;uid=257;uid=258;uid=259;uid=260;uid=261;uid=262;uid=263;uid=264;uid=265;uid=266;uid=267;uid=268;uid=269;uid=270;uid=271;uid=272;uid=273;uid=274;uid=275;uid=276;uid=277;uid=278;uid=279;uid=280;uid=281;uid=282;uid=283;uid=284;uid=285;uid=286;uid=287;uid=288;uid=289;uid=290;uid=291;uid=292;uid=293;uid=294;uid=295;uid=296;uid=297;uid=298;uid=299;uid=300;uid=301;uid=302;uid=303;uid=304;uid=30
5;uid=306;uid=307;uid=308;uid=309;uid=310;uid=311;uid=312;uid=313;uid=314;uid=315;uid=316;uid=317;uid=318;uid=319;uid=320;uid=321;uid=322;uid=323;uid=324;uid=325;uid=326;uid=327;uid=328;uid=329;uid=330;uid=331;uid=332;uid=333;uid=334;uid=335;uid=336;uid=337;uid=338;uid=339;uid=340;uid=341;uid=342;uid=343;uid=344;uid=345;uid=346;uid=347;uid=348;uid=349;uid=350;uid=351;uid=352;uid=353;uid=354;uid=355;uid=356;uid=357;uid=358;uid=359;uid=360;uid=361;uid=362;uid=363;uid=364;uid=365;uid=366;uid=367;uid=368;uid=369;uid=370;uid=371;uid=372;uid=373;uid=374;uid=375;uid=376;uid=377;uid=378;uid=379;uid=380;uid=381;uid=382;uid=383;uid=384;uid=385;uid=386;uid=387;uid=388;uid=389;uid=390;uid=391;uid=392;uid=393;uid=394;uid=395;uid=396;uid=397;uid=398;uid=399;uid=400;uid=401;uid=402;uid=403;uid=404;uid=405;uid=406;uid=407;uid=408;uid=409;uid=410;uid=411;uid=412;uid=413;uid=414;uid=415;uid=416;uid=417;uid=418;uid=419;uid=420;uid=421;uid=422;uid=423;uid=424;uid=425;uid=426;uid=427;uid=428;uid=429;uid=430;uid=431;uid=432;uid=433;uid=434;uid=435;uid=436;uid=437;uid=438;uid=439;uid=440;uid=441;uid=442;uid=443;uid=444;uid=445;uid=446;uid=447;uid=448;uid=449;uid=450;uid=451;uid=452;uid=453;uid=454;uid=455;uid=456;uid=457;uid=458;uid=459;uid=460;uid=461;uid=462;uid=463;uid=464;uid=465;uid=466;uid=467;uid=468;uid=469;uid=470;uid=471;uid=472;uid=473;uid=474;uid=475;uid=476;uid=477;uid=478;uid=479;uid=480;uid=481;uid=482;uid=483;uid=484;uid=485;uid=486;uid=487;uid=488;uid=489;uid=490;uid=491;uid=492;uid=493;uid=494;uid=495;uid=496;uid=497;uid=498;uid=499;env=Test;",
+ TStringBuf(debugInfo, debugInfoSize));
+ TA_DeleteUserTicket(ticket);
+ TA_DeleteUserContext(context);
+ }
+
+ Y_UNIT_TEST(RemoveSignatureTest) {
+ const char* removedSignature;
+ size_t removedSignatureSize;
+ UNIT_ASSERT_EQUAL(
+ TA_EErrorCode::TA_EC_OK,
+ TA_RemoveTicketSignature(VALID_USER_TICKET_1.c_str(), VALID_USER_TICKET_1.size(), &removedSignature, &removedSignatureSize));
+ UNIT_ASSERT_VALUES_EQUAL(
+ "3:user:CA0Q__________9_GiQKAwjIAwoCCHsQyAMaCGJiOnNlc3MxGghiYjpzZXNzMiASKAE:",
+ TStringBuf(removedSignature, removedSignatureSize));
+ }
+}
diff --git a/library/c/tvmauth/src/ut/high_lvl_client_ut.cpp b/library/c/tvmauth/src/ut/high_lvl_client_ut.cpp
new file mode 100644
index 0000000000..a9c376b417
--- /dev/null
+++ b/library/c/tvmauth/src/ut/high_lvl_client_ut.cpp
@@ -0,0 +1,264 @@
+// DO_NOT_STYLE
+
+#include <library/c/tvmauth/high_lvl_client.h>
+
+#include <library/cpp/testing/unittest/registar.h>
+#include <library/cpp/tvmauth/client/ut/common.h>
+
+#include <util/stream/str.h>
+
+Y_UNIT_TEST_SUITE(CHighLvlClient) {
+ static ui32 OK_CLIENT = 100500;
+ static const TString SRV_TICKET = "3:serv:CBAQ__________9_IgYIexCUkQY:GioCM49Ob6_f80y6FY0XBVN4hLXuMlFeyMvIMiDuQnZkbkLpRpQOuQo5YjWoBjM0Vf-XqOm8B7xtrvxSYHDD7Q4OatN2l-Iwg7i71lE3scUeD36x47st3nd0OThvtjrFx_D8mw_c0GT5KcniZlqq1SjhLyAk1b_zJsx8viRAhCU";
+ static const TString TEST_TICKET = "3:user:CA0Q__________9_Gg4KAgh7EHsg0oXYzAQoAQ:AuTECbsGGH-jkLJsKjdHL-jvoOMiBLxBDi_kkZXgWnxvdLQkhXGKXKlG6oHCB6aYfISq3cHdJ2QuyJceqkpi2220-YK1jm68K1-llyApKC7ps5LQ213zuAxxN0fJcTUL4Ys02pkCUkSBft094rXYHciZBUjABU7-8Laj0Ag9j30";
+ static const TString PROD_TICKET = "3:user:CAsQ__________9_Gg4KAgh7EHsg0oXYzAQoAA:N8PvrDNLh-5JywinxJntLeQGDEHBUxfzjuvB8-_BEUv1x9CALU7do8irDlDYVeVVDr4AIpR087YPZVzWPAqmnBuRJS0tJXekmDDvrivLnbRrzY4IUXZ_fImB0fJhTyVetKv6RD11bGqnAJeDpIukBwPTbJc_EMvKDt8V490CJFw";
+ static const TString PROD_YATEAM_TICKET = "3:user:CAwQ__________9_Gg4KAgh7EHsg0oXYzAQoAg:G2wloFRSi8--RLb2GDSro_sKXPF2JSdL5CVOuOHgUcRvLm-3OxIPn0NUqbJ9DWDmhPplOqEiblIbLK85My1VMJ2aG5SLbRNKEtwfmxLvkwNpl_gUEwWPJm9_8Khslfj71P3hccxtEEqM9bJSMwHueVAY-a9HSzFo-uMFMeSgQ-k";
+
+ Y_UNIT_TEST(Settings) {
+ TA_TTvmApiClientSettings* s = nullptr;
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_Create(&s));
+
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_EnableServiceTicketChecking(s));
+
+ UNIT_ASSERT_EQUAL(TA_EC_INVALID_PARAM, TA_TvmApiClientSettings_SetSelfTvmId(s, 0));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_SetSelfTvmId(s, OK_CLIENT));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_EnableServiceTicketChecking(s));
+
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_EnableUserTicketChecking(s, TA_BE_PROD));
+
+ UNIT_ASSERT_EQUAL(TA_EC_INVALID_PARAM, TA_TvmApiClientSettings_SetDiskCacheDir(s, nullptr, 7));
+ UNIT_ASSERT_EQUAL(TA_EC_INVALID_PARAM, TA_TvmApiClientSettings_SetDiskCacheDir(s, "abc", 0));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_SetDiskCacheDir(s, "/abc", 4));
+ const TString dir = GetCachePath();
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_SetDiskCacheDir(s, dir.data(), dir.size()));
+
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_Delete(s));
+ }
+
+ static TStringStream STREAM;
+ static void Log(int lvl, const char* msg) {
+ STREAM << lvl << ": " << msg << Endl;
+ }
+
+ Y_UNIT_TEST(Client) {
+ STREAM.Clear();
+ TA_TTvmApiClientSettings* s = nullptr;
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_Create(&s));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_SetSelfTvmId(s, OK_CLIENT));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_EnableServiceTicketChecking(s));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_EnableUserTicketChecking(s, TA_BE_PROD));
+ const TString dir = GetCachePath();
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_SetDiskCacheDir(s, dir.data(), dir.size()));
+
+ struct TA_TTvmClient* c = nullptr;
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_Create(s, Log, &c));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_Delete(s));
+
+ TA_TTvmClientStatus* status;
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_GetStatus(c, &status));
+ TA_ETvmClientStatusCode code;
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_Status_GetCode(status, &code));
+ UNIT_ASSERT_EQUAL(TA_TCSC_OK, code);
+ const char* lastError = nullptr;
+ size_t lastErrorSize = 0;
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_Status_GetLastError(status, &lastError, &lastErrorSize));
+ UNIT_ASSERT_VALUES_EQUAL("OK", TStringBuf(lastError, lastErrorSize));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_DeleteStatus(status));
+
+ TA_TCheckedServiceTicket* st = nullptr;
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_CheckServiceTicket(c, SRV_TICKET.data(), SRV_TICKET.size(), &st));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_DeleteServiceTicket(st));
+
+ TA_TCheckedUserTicket* ut = nullptr;
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_CheckUserTicket(c, PROD_TICKET.data(), PROD_TICKET.size(), &ut));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_DeleteUserTicket(ut));
+
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_Delete(c));
+
+ UNIT_ASSERT_C(STREAM.Str().find("was successfully read") != TString::npos, STREAM.Str());
+ UNIT_ASSERT_C(STREAM.Str().find("was successfully fetched") == TString::npos, STREAM.Str());
+ }
+
+ Y_UNIT_TEST(CreateClientWithError) {
+ STREAM.Clear();
+ // TODO
+ }
+
+ Y_UNIT_TEST(ClientDstId) {
+ STREAM.Clear();
+ TA_TTvmApiClientSettings* s = nullptr;
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_Create(&s));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_SetSelfTvmId(s, OK_CLIENT));
+ const TString dir = GetCachePath();
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_SetDiskCacheDir(s, dir.data(), dir.size()));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_EnableServiceTicketsFetchOptionsWithTvmIds(
+ s,
+ "aaaaaaaaaaaaaaaa",
+ 16,
+ "19",
+ 2));
+
+ struct TA_TTvmClient* c = nullptr;
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_Create(s, Log, &c));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_Delete(s));
+
+ TA_TTvmClientStatus* status;
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_GetStatus(c, &status));
+ TA_ETvmClientStatusCode code;
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_Status_GetCode(status, &code));
+ UNIT_ASSERT_EQUAL(TA_TCSC_OK, code);
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_DeleteStatus(status));
+
+ char t[512];
+ size_t size = 0;
+
+ UNIT_ASSERT_EQUAL(TA_EC_BROKEN_TVM_CLIENT_SETTINGS,
+ TA_TvmClient_GetServiceTicketForTvmId(c, 20, 512, t, &size));
+ UNIT_ASSERT_EQUAL(TA_EC_OK,
+ TA_TvmClient_GetServiceTicketForTvmId(c, 19, 512, t, &size));
+ UNIT_ASSERT_STRINGS_EQUAL(TStringBuf(t, size), "3:serv:CBAQ__________9_IgYIKhCUkQY:CX");
+
+ UNIT_ASSERT_EQUAL(TA_EC_BROKEN_TVM_CLIENT_SETTINGS,
+ TA_TvmClient_GetServiceTicketForAlias(c, "ololo", 5, 512, t, &size));
+ UNIT_ASSERT_EQUAL(TA_EC_BROKEN_TVM_CLIENT_SETTINGS,
+ TA_TvmClient_GetServiceTicketForAlias(c, "bar", 3, 512, t, &size));
+ UNIT_ASSERT_EQUAL(TA_EC_BROKEN_TVM_CLIENT_SETTINGS,
+ TA_TvmClient_GetServiceTicketForAlias(c, "foo", 3, 512, t, &size));
+
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_Delete(c));
+
+ UNIT_ASSERT_C(STREAM.Str().find("was successfully read") != TString::npos, STREAM.Str());
+ UNIT_ASSERT_C(STREAM.Str().find("was successfully fetched") == TString::npos, STREAM.Str());
+ }
+
+ Y_UNIT_TEST(ClientDstAlias) {
+ STREAM.Clear();
+ TA_TTvmApiClientSettings* s = nullptr;
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_Create(&s));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_SetSelfTvmId(s, OK_CLIENT));
+ const TString dir = GetCachePath();
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_SetDiskCacheDir(s, dir.data(), dir.size()));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_EnableServiceTicketsFetchOptionsWithAliases(
+ s,
+ "aaaaaaaaaaaaaaaa",
+ 16,
+ "foo:19",
+ 6));
+
+ struct TA_TTvmClient* c = nullptr;
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_Create(s, Log, &c));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmApiClientSettings_Delete(s));
+
+ TA_TTvmClientStatus* status;
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_GetStatus(c, &status));
+ TA_ETvmClientStatusCode code;
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_Status_GetCode(status, &code));
+ UNIT_ASSERT_EQUAL(TA_TCSC_OK, code);
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_DeleteStatus(status));
+
+ char t[512];
+ size_t size = 0;
+
+ UNIT_ASSERT_EQUAL(TA_EC_BROKEN_TVM_CLIENT_SETTINGS,
+ TA_TvmClient_GetServiceTicketForTvmId(c, 20, 512, t, &size));
+ UNIT_ASSERT_EQUAL(TA_EC_OK,
+ TA_TvmClient_GetServiceTicketForTvmId(c, 19, 512, t, &size));
+ UNIT_ASSERT_STRINGS_EQUAL(TStringBuf(t, size), "3:serv:CBAQ__________9_IgYIKhCUkQY:CX");
+
+ UNIT_ASSERT_EQUAL(TA_EC_BROKEN_TVM_CLIENT_SETTINGS,
+ TA_TvmClient_GetServiceTicketForAlias(c, "ololo", 5, 512, t, &size));
+ UNIT_ASSERT_EQUAL(TA_EC_OK,
+ TA_TvmClient_GetServiceTicketForAlias(c, "foo", 3, 512, t, &size));
+ UNIT_ASSERT_STRINGS_EQUAL(TStringBuf(t, size), "3:serv:CBAQ__________9_IgYIKhCUkQY:CX");
+
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_Delete(c));
+
+ UNIT_ASSERT_C(STREAM.Str().find("was successfully read") != TString::npos, STREAM.Str());
+ UNIT_ASSERT_C(STREAM.Str().find("was successfully fetched") == TString::npos, STREAM.Str());
+ }
+
+ Y_UNIT_TEST(ToolClient) {
+ STREAM.Clear();
+ TPortManager pm;
+ ui16 port = pm.GetPort(80);
+ NMock::TMockServer server(port, []() { return new TTvmTool; });
+
+ TA_TTvmToolClientSettings* s = nullptr;
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmToolClientSettings_Create("me", 2, &s));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmToolClientSettings_SetPort(s, port));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmToolClientSettings_SetHostname(s, "localhost", 9));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmToolClientSettings_SetAuthToken(s, AUTH_TOKEN.data(), AUTH_TOKEN.size()));
+
+ struct TA_TTvmClient* c = nullptr;
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_CreateForTvmtool(s, Log, &c));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmToolClientSettings_Delete(s));
+
+ TA_TTvmClientStatus* status;
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_GetStatus(c, &status));
+ TA_ETvmClientStatusCode code;
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_Status_GetCode(status, &code));
+ UNIT_ASSERT_EQUAL(TA_TCSC_OK, code);
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_DeleteStatus(status));
+
+ TA_TCheckedServiceTicket* st = nullptr;
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_CheckServiceTicket(c, SRV_TICKET.data(), SRV_TICKET.size(), &st));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_DeleteServiceTicket(st));
+
+ TA_TCheckedUserTicket* ut = nullptr;
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_CheckUserTicket(c, PROD_YATEAM_TICKET.data(), PROD_YATEAM_TICKET.size(), &ut));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_DeleteUserTicket(ut));
+
+ ut = nullptr;
+ UNIT_ASSERT_EQUAL(TA_EC_INVALID_BLACKBOX_ENV, TA_TvmClient_CheckUserTicketWithOverridedEnv(c, PROD_YATEAM_TICKET.data(), PROD_YATEAM_TICKET.size(), TA_BE_PROD, &ut));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_DeleteUserTicket(ut));
+
+ char t[512];
+ size_t size = 0;
+
+ UNIT_ASSERT_EQUAL(TA_EC_BROKEN_TVM_CLIENT_SETTINGS,
+ TA_TvmClient_GetServiceTicketForTvmId(c, 20, 512, t, &size));
+ UNIT_ASSERT_EQUAL(TA_EC_OK,
+ TA_TvmClient_GetServiceTicketForTvmId(c, 242, 512, t, &size));
+ UNIT_ASSERT_EQUAL(TA_EC_OK,
+ TA_TvmClient_GetServiceTicketForTvmId(c, 11, 512, t, &size));
+ UNIT_ASSERT_STRINGS_EQUAL(TStringBuf(t, size), "3:serv:CBAQ__________9_IgYIlJEGEAs:T-apeMNWFc_vHPQ3iLaZv9NjG-hf5-i23O4AhRu1M68ryN3FU5qvyqTSSiPbtJdFP6EE41QQBzEs59dHn9DRkqQNwwKf1is00Oewwj2XKO0uHukuzd9XxZnro7MfjPswsjWufxX28rmJtlfSXwAtyKt8TI5yKJnMeBPQ0m5R3k8");
+
+ UNIT_ASSERT_EQUAL(TA_EC_BROKEN_TVM_CLIENT_SETTINGS,
+ TA_TvmClient_GetServiceTicketForAlias(c, "ololo", 5, 512, t, &size));
+ UNIT_ASSERT_EQUAL(TA_EC_OK,
+ TA_TvmClient_GetServiceTicketForAlias(c, "bbox", 4, 512, t, &size));
+ UNIT_ASSERT_EQUAL(TA_EC_OK,
+ TA_TvmClient_GetServiceTicketForAlias(c, "pass_likers", 11, 512, t, &size));
+ UNIT_ASSERT_STRINGS_EQUAL(TStringBuf(t, size), "3:serv:CBAQ__________9_IgYIlJEGEAs:T-apeMNWFc_vHPQ3iLaZv9NjG-hf5-i23O4AhRu1M68ryN3FU5qvyqTSSiPbtJdFP6EE41QQBzEs59dHn9DRkqQNwwKf1is00Oewwj2XKO0uHukuzd9XxZnro7MfjPswsjWufxX28rmJtlfSXwAtyKt8TI5yKJnMeBPQ0m5R3k8");
+
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmClient_Delete(c));
+
+ UNIT_ASSERT_VALUES_EQUAL(
+ TStringBuilder()
+ << "7: Meta info fetched from localhost:" << port << "\n"
+ << "6: Meta: self_tvm_id=100500, bb_env=ProdYateam, idm_slug=<NULL>, dsts=[(pass_likers:11)(bbox:242)]\n"
+ << "7: Tickets fetched from tvmtool: 2425-09-17T11:04:00.000000Z\n"
+ << "7: Public keys fetched from tvmtool: 2425-09-17T11:04:00.000000Z\n"
+ << "7: Thread-worker started\n"
+ << "7: Thread-worker stopped\n",
+ STREAM.Str());
+ }
+
+ Y_UNIT_TEST(ToolClient_BadOverride) {
+ STREAM.Clear();
+ TPortManager pm;
+ ui16 port = pm.GetPort(80);
+ NMock::TMockServer server(port, []() { return new TTvmTool; });
+
+ TA_TTvmToolClientSettings* s = nullptr;
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmToolClientSettings_Create("me", 2, &s));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmToolClientSettings_SetPort(s, port));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmToolClientSettings_SetHostname(s, "localhost", 9));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmToolClientSettings_SetAuthToken(s, AUTH_TOKEN.data(), AUTH_TOKEN.size()));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmToolClientSettings_OverrideBlackboxEnv(s, TA_BE_STRESS));
+
+ struct TA_TTvmClient* c = nullptr;
+ UNIT_ASSERT_EQUAL(TA_EC_BROKEN_TVM_CLIENT_SETTINGS, TA_TvmClient_CreateForTvmtool(s, Log, &c));
+ UNIT_ASSERT_EQUAL(TA_EC_OK, TA_TvmToolClientSettings_Delete(s));
+ }
+}
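Review bot: `CreateClientWithError` only clears `STREAM` and carries a `// TODO`, so it passes without asserting anything and the failure path of `TA_TvmClient_Create` is never exercised in this file. The one negative creation case is `ToolClient_BadOverride`, which goes through `TA_TvmClient_CreateForTvmtool` instead. Either fill the test in with settings that cannot produce a working client and assert the non-OK code, or remove it so the suite does not suggest coverage it lacks. In `ToolClient_BadOverride` it would also help to pin the out-parameter after the failed create, e.g. `UNIT_ASSERT(c == nullptr);`, assuming the API leaves it untouched on error.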
diff --git a/library/c/tvmauth/src/ut/high_lvl_wrapper_ut.cpp b/library/c/tvmauth/src/ut/high_lvl_wrapper_ut.cpp
new file mode 100644
index 0000000000..51f0103825
--- /dev/null
+++ b/library/c/tvmauth/src/ut/high_lvl_wrapper_ut.cpp
@@ -0,0 +1,188 @@
+// DO_NOT_STYLE
+
+#include <library/c/tvmauth/high_lvl_wrapper.h>
+
+#include <library/cpp/testing/unittest/registar.h>
+#include <library/cpp/tvmauth/client/ut/common.h>
+
+#include <util/stream/str.h>
+
+Y_UNIT_TEST_SUITE(CHighLvlWarapper) {
+ static ui32 OK_CLIENT = 100500;
+ static const TString SRV_TICKET = "3:serv:CBAQ__________9_IgYIexCUkQY:GioCM49Ob6_f80y6FY0XBVN4hLXuMlFeyMvIMiDuQnZkbkLpRpQOuQo5YjWoBjM0Vf-XqOm8B7xtrvxSYHDD7Q4OatN2l-Iwg7i71lE3scUeD36x47st3nd0OThvtjrFx_D8mw_c0GT5KcniZlqq1SjhLyAk1b_zJsx8viRAhCU";
+ static const TString PROD_TICKET = "3:user:CAsQ__________9_Gg4KAgh7EHsg0oXYzAQoAA:N8PvrDNLh-5JywinxJntLeQGDEHBUxfzjuvB8-_BEUv1x9CALU7do8irDlDYVeVVDr4AIpR087YPZVzWPAqmnBuRJS0tJXekmDDvrivLnbRrzY4IUXZ_fImB0fJhTyVetKv6RD11bGqnAJeDpIukBwPTbJc_EMvKDt8V490CJFw";
+
+ Y_UNIT_TEST(Settings) {
+ NTvmAuthWrapper::TTvmApiClientSettings s;
+
+ UNIT_ASSERT_EXCEPTION(s.SetSelfTvmId(0), std::runtime_error);
+ UNIT_ASSERT_NO_EXCEPTION(s.EnableServiceTicketChecking());
+
+ UNIT_ASSERT_NO_EXCEPTION(s.SetSelfTvmId(OK_CLIENT));
+ UNIT_ASSERT_NO_EXCEPTION(s.EnableServiceTicketChecking());
+
+ UNIT_ASSERT_EXCEPTION(s.SetDiskCacheDir(""), std::runtime_error);
+ }
+
+ static TStringStream STREAM;
+ static void Log(int lvl, const char* msg) {
+ STREAM << lvl << ": " << msg << Endl;
+ }
+
+ NTvmAuthWrapper::TTvmClient GetClient(const NTvmAuthWrapper::TTvmApiClientSettings& s, TA_ETvmClientStatusCode code = TA_TCSC_OK) {
+ STREAM.Clear();
+ NTvmAuthWrapper::TTvmClient f(s, Log);
+ Sleep(TDuration::MilliSeconds(300));
+ UNIT_ASSERT_EQUAL(code, f.GetStatus().Code);
+ UNIT_ASSERT_C(STREAM.Str().find("was successfully read") != TString::npos, STREAM.Str());
+ UNIT_ASSERT_C(STREAM.Str().find("was successfully fetched") == TString::npos, STREAM.Str());
+ return f;
+ }
+
+ Y_UNIT_TEST(Service) {
+ NTvmAuthWrapper::TTvmApiClientSettings s;
+ s.SetSelfTvmId(OK_CLIENT);
+ s.EnableServiceTicketChecking();
+ s.SetDiskCacheDir(GetCachePath());
+ NTvmAuthWrapper::TTvmClient f = GetClient(s);
+
+ UNIT_ASSERT(f.CheckServiceTicket(SRV_TICKET));
+ UNIT_ASSERT_EXCEPTION(f.CheckUserTicket(PROD_TICKET), std::runtime_error);
+ }
+
+ Y_UNIT_TEST(User) {
+ NTvmAuthWrapper::TTvmApiClientSettings s;
+ s.EnableUserTicketChecking(TA_BE_PROD);
+ s.SetDiskCacheDir(GetCachePath());
+
+ NTvmAuthWrapper::TTvmClient f = GetClient(s);
+ UNIT_ASSERT_EXCEPTION(f.CheckServiceTicket(SRV_TICKET), std::runtime_error);
+ UNIT_ASSERT(f.CheckUserTicket(PROD_TICKET));
+ }
+
+ Y_UNIT_TEST(Consts) {
+ UNIT_ASSERT_VALUES_EQUAL("222", NTvmAuthWrapper::NBlackboxTvmId::Prod);
+ UNIT_ASSERT_VALUES_EQUAL("224", NTvmAuthWrapper::NBlackboxTvmId::Test);
+ UNIT_ASSERT_VALUES_EQUAL("223", NTvmAuthWrapper::NBlackboxTvmId::ProdYateam);
+ UNIT_ASSERT_VALUES_EQUAL("225", NTvmAuthWrapper::NBlackboxTvmId::TestYateam);
+ UNIT_ASSERT_VALUES_EQUAL("226", NTvmAuthWrapper::NBlackboxTvmId::Stress);
+ UNIT_ASSERT_VALUES_EQUAL("239", NTvmAuthWrapper::NBlackboxTvmId::Mimino);
+ }
+
+ Y_UNIT_TEST(GetTicketTvmId) {
+ NTvmAuthWrapper::TTvmApiClientSettings s;
+ s.SetSelfTvmId(OK_CLIENT);
+ s.EnableServiceTicketsFetchOptions("aaaaaaaaaaaaaaaa",
+ NTvmAuthWrapper::TTvmApiClientSettings::TDstVector(1, 19));
+ s.SetDiskCacheDir(GetCachePath());
+ NTvmAuthWrapper::TTvmClient f = GetClient(s);
+
+ UNIT_ASSERT_EXCEPTION_CONTAINS(f.GetServiceTicketFor(20), std::runtime_error, "TVM settings are broken");
+ UNIT_ASSERT_STRINGS_EQUAL("3:serv:CBAQ__________9_IgYIKhCUkQY:CX", f.GetServiceTicketFor(19));
+
+ UNIT_ASSERT_EXCEPTION_CONTAINS(f.GetServiceTicketFor("ololo"), std::runtime_error, "TVM settings are broken");
+ UNIT_ASSERT_EXCEPTION_CONTAINS(f.GetServiceTicketFor("foo"), std::runtime_error, "TVM settings are broken");
+ UNIT_ASSERT_EXCEPTION_CONTAINS(f.GetServiceTicketFor("bar"), std::runtime_error, "TVM settings are broken");
+ }
+
+ Y_UNIT_TEST(GetTicketAlias) {
+ NTvmAuthWrapper::TTvmApiClientSettings s;
+ s.SetSelfTvmId(OK_CLIENT);
+ s.EnableServiceTicketsFetchOptions("aaaaaaaaaaaaaaaa",
+ {
+ {"foo", 19},
+ });
+ s.SetDiskCacheDir(GetCachePath());
+ NTvmAuthWrapper::TTvmClient f = GetClient(s);
+
+ UNIT_ASSERT_EXCEPTION_CONTAINS(f.GetServiceTicketFor(20), std::runtime_error, "TVM settings are broken");
+ UNIT_ASSERT_STRINGS_EQUAL("3:serv:CBAQ__________9_IgYIKhCUkQY:CX", f.GetServiceTicketFor(19));
+
+ UNIT_ASSERT_EXCEPTION_CONTAINS(f.GetServiceTicketFor("ololo"), std::runtime_error, "TVM settings are broken");
+ UNIT_ASSERT_STRINGS_EQUAL("3:serv:CBAQ__________9_IgYIKhCUkQY:CX", f.GetServiceTicketFor("foo"));
+ }
+
+ Y_UNIT_TEST(Tvmtool) {
+ STREAM.Clear();
+ TPortManager pm;
+ ui16 port = pm.GetPort(80);
+ NMock::TMockServer server(port, []() { return new TTvmTool; });
+
+ NTvmAuthWrapper::TTvmToolClientSettings s("me");
+ s.SetPort(port);
+ s.SetHostname("localhost");
+ s.SetAuthtoken(AUTH_TOKEN);
+ s.OverrideBlackboxEnv(TA_BE_PROD);
+
+ {
+ NTvmAuthWrapper::TTvmClient c(s, Log);
+ UNIT_ASSERT_EQUAL(TA_TCSC_OK, c.GetStatus().Code);
+ UNIT_ASSERT_VALUES_EQUAL("OK", c.GetStatus().LastError);
+
+ NTvmAuthWrapper::TCheckedServiceTicket st = c.CheckServiceTicket(SRV_TICKET);
+ UNIT_ASSERT_EQUAL(TA_EC_OK, st.GetStatus());
+
+ NTvmAuthWrapper::TCheckedUserTicket ut = c.CheckUserTicket(PROD_TICKET);
+ UNIT_ASSERT_EQUAL(TA_EC_OK, ut.GetStatus());
+ UNIT_ASSERT_EQUAL(TA_EC_INVALID_BLACKBOX_ENV, c.CheckUserTicket(PROD_TICKET, TA_BE_PROD_YATEAM).GetStatus());
+
+ UNIT_ASSERT_EXCEPTION_CONTAINS(c.GetServiceTicketFor(20), std::runtime_error, "TVM settings are broken");
+ UNIT_ASSERT_STRINGS_EQUAL("3:serv:CBAQ__________9_IgcIlJEGEPIB:N7luw0_rVmBosTTI130jwDbQd0-cMmqJeEl0ma4ZlIo_mHXjBzpOuMQ3A9YagbmOBOt8TZ_gzGvVSegWZkEeB24gM22acw0w-RcHaQKrzSOA5Zq8WLNIC8QUa4_WGTlAsb7R7eC4KTAGgouIquNAgMBdTuGOuZHnMLvZyLnOMKc",
+ c.GetServiceTicketFor(242));
+ UNIT_ASSERT_STRINGS_EQUAL("3:serv:CBAQ__________9_IgYIlJEGEAs:T-apeMNWFc_vHPQ3iLaZv9NjG-hf5-i23O4AhRu1M68ryN3FU5qvyqTSSiPbtJdFP6EE41QQBzEs59dHn9DRkqQNwwKf1is00Oewwj2XKO0uHukuzd9XxZnro7MfjPswsjWufxX28rmJtlfSXwAtyKt8TI5yKJnMeBPQ0m5R3k8",
+ c.GetServiceTicketFor(11));
+
+ UNIT_ASSERT_EXCEPTION_CONTAINS(c.GetServiceTicketFor("ololo"), std::runtime_error, "TVM settings are broken");
+ UNIT_ASSERT_STRINGS_EQUAL("3:serv:CBAQ__________9_IgcIlJEGEPIB:N7luw0_rVmBosTTI130jwDbQd0-cMmqJeEl0ma4ZlIo_mHXjBzpOuMQ3A9YagbmOBOt8TZ_gzGvVSegWZkEeB24gM22acw0w-RcHaQKrzSOA5Zq8WLNIC8QUa4_WGTlAsb7R7eC4KTAGgouIquNAgMBdTuGOuZHnMLvZyLnOMKc",
+ c.GetServiceTicketFor("bbox"));
+ UNIT_ASSERT_STRINGS_EQUAL("3:serv:CBAQ__________9_IgYIlJEGEAs:T-apeMNWFc_vHPQ3iLaZv9NjG-hf5-i23O4AhRu1M68ryN3FU5qvyqTSSiPbtJdFP6EE41QQBzEs59dHn9DRkqQNwwKf1is00Oewwj2XKO0uHukuzd9XxZnro7MfjPswsjWufxX28rmJtlfSXwAtyKt8TI5yKJnMeBPQ0m5R3k8",
+ c.GetServiceTicketFor("pass_likers"));
+
+ Sleep(TDuration::MilliSeconds(300));
+ }
+
+ UNIT_ASSERT_VALUES_EQUAL(
+ TStringBuilder()
+ << "7: Meta info fetched from localhost:" << port << "\n"
+ << "6: Meta: self_tvm_id=100500, bb_env=ProdYateam, idm_slug=<NULL>, dsts=[(pass_likers:11)(bbox:242)]\n"
+ << "6: Meta: override blackbox env: ProdYateam->Prod\n"
+ << "7: Tickets fetched from tvmtool: 2425-09-17T11:04:00.000000Z\n"
+ << "7: Public keys fetched from tvmtool: 2425-09-17T11:04:00.000000Z\n"
+ << "7: Thread-worker started\n"
+ << "7: Thread-worker stopped\n",
+ STREAM.Str());
+ }
+
+ Y_UNIT_TEST(DummyLogger) {
+ {
+ NTvmAuthWrapper::TTvmApiClientSettings s;
+ s.SetSelfTvmId(OK_CLIENT);
+ s.EnableServiceTicketChecking();
+ s.SetDiskCacheDir(GetCachePath());
+
+ UNIT_ASSERT_EXCEPTION_CONTAINS(NTvmAuthWrapper::TTvmClient(s, nullptr),
+ std::runtime_error,
+ "Invalid function parameter");
+
+ NTvmAuthWrapper::TTvmClient f(s, TA_NoopLogger);
+ }
+
+ {
+ TPortManager pm;
+ ui16 port = pm.GetPort(80);
+ NMock::TMockServer server(port, []() { return new TTvmTool; });
+
+ NTvmAuthWrapper::TTvmToolClientSettings s("me");
+ s.SetPort(port);
+ s.SetHostname("localhost");
+ s.SetAuthtoken(AUTH_TOKEN);
+ s.OverrideBlackboxEnv(TA_BE_PROD);
+
+ UNIT_ASSERT_EXCEPTION_CONTAINS(NTvmAuthWrapper::TTvmClient(s, nullptr),
+ std::runtime_error,
+ "Invalid function parameter");
+
+ NTvmAuthWrapper::TTvmClient c(s, TA_NoopLogger);
+ }
+ }
+}
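Review bot: Every ticket passed to `CheckServiceTicket` and `CheckUserTicket` in this suite is validly signed, so nothing here shows the high-level client rejecting a damaged or tampered ticket. The only non-OK ticket status asserted is the blackbox-env mismatch in `Tvmtool`. The lower-level suites may already cover signature checks, but this is the path that loads keys from the disk cache or tvmtool, so a negative case is worth having. In `Service`, a line such as `UNIT_ASSERT(!f.CheckServiceTicket(SRV_TICKET.substr(0, SRV_TICKET.size() - 1)));` would do. That assumes the wrapper reports a bad ticket through its status rather than by throwing, as the `GetStatus()` calls in `Tvmtool` suggest.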
diff --git a/library/c/tvmauth/src/ut/utils_ut.cpp b/library/c/tvmauth/src/ut/utils_ut.cpp
new file mode 100644
index 0000000000..fdb0c5f298
--- /dev/null
+++ b/library/c/tvmauth/src/ut/utils_ut.cpp
@@ -0,0 +1,20 @@
+#include <library/c/tvmauth/src/utils.h>
+
+#include <library/cpp/testing/unittest/registar.h>
+
+Y_UNIT_TEST_SUITE(UtilsTest) {
+ using namespace NTvmAuth;
+ using namespace NTvmAuthC::NUtils;
+
+ Y_UNIT_TEST(CppErrorCodeToCTest) {
+ UNIT_ASSERT_EQUAL(CppErrorCodeToC(ETicketStatus::Ok), TA_EC_OK);
+ UNIT_ASSERT_EQUAL(CppErrorCodeToC(ETicketStatus::Expired), TA_EC_EXPIRED_TICKET);
+ UNIT_ASSERT_EQUAL(CppErrorCodeToC(ETicketStatus::InvalidBlackboxEnv), TA_EC_INVALID_BLACKBOX_ENV);
+ UNIT_ASSERT_EQUAL(CppErrorCodeToC(ETicketStatus::InvalidDst), TA_EC_INVALID_DST);
+ UNIT_ASSERT_EQUAL(CppErrorCodeToC(ETicketStatus::InvalidTicketType), TA_EC_INVALID_TICKET_TYPE);
+ UNIT_ASSERT_EQUAL(CppErrorCodeToC(ETicketStatus::Malformed), TA_EC_MALFORMED_TICKET);
+ UNIT_ASSERT_EQUAL(CppErrorCodeToC(ETicketStatus::MissingKey), TA_EC_MISSING_KEY);
+ UNIT_ASSERT_EQUAL(CppErrorCodeToC(ETicketStatus::SignBroken), TA_EC_SIGN_BROKEN);
+ UNIT_ASSERT_EQUAL(CppErrorCodeToC(ETicketStatus::UnsupportedVersion), TA_EC_UNSUPPORTED_VERSION);
+ }
+}
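Review bot: `CppErrorCodeToCTest` pins the nine named `ETicketStatus` values but not what `CppErrorCodeToC` returns for a value outside that list. The function is defined in `utils.h`, outside this hunk, so its fallback branch cannot be seen here. Because callers treat `TA_EC_OK` as "ticket accepted", the fallback should be asserted never to be OK, for example `UNIT_ASSERT_UNEQUAL(CppErrorCodeToC(static_cast<ETicketStatus>(-1)), TA_EC_OK);`. If the fallback throws or aborts instead, assert that behaviour. Either way, a status added to the C++ enum later could then not silently map to success.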
diff --git a/library/c/tvmauth/src/ut/wrapper_ut.cpp b/library/c/tvmauth/src/ut/wrapper_ut.cpp
new file mode 100644
index 0000000000..c0944eae3f
--- /dev/null
+++ b/library/c/tvmauth/src/ut/wrapper_ut.cpp
@@ -0,0 +1,259 @@
+#include <library/c/tvmauth/deprecated_wrapper.h>
+#include <library/c/tvmauth/tvmauth_wrapper.h>
+
+#include <library/cpp/testing/unittest/registar.h>
+#include <library/cpp/tvmauth/unittest.h>
+
+#include <chrono>
+#include <stdexcept>
+
+using namespace NTvmAuthWrapper;
+
+Y_UNIT_TEST_SUITE(CppWrapperServiceTestSuite) {
+ static const TString EMPTY_TVM_KEYS = "1:CpgCCpMCCAEQABqIAjCCAQQCggEAcLEXeH67FQESFUn4_7wnX7wN0PUrBoUsm3QQ4W5vC-qz6sXaEjSwnTV8w1o-z6X9KPLlhzMQvuS38NCNfK4uvJ4Zvfp3YsXJ25-rYtbnrYJHNvHohD-kPCCw_yZpMp21JdWigzQGuV7CtrxUhF-NNrsnUaJrE5-OpEWNt4X6nCItKIYeVcSK6XJUbEWbrNCRbvkSc4ak2ymFeMuHYJVjxh4eQbk7_ZPzodP0WvF6eUYrYeb42imVEOR8ofVLQWE5DVnb1z_TqZm4i1XkS7jMwZuBxBRw8DGdYei0lT_sAf7KST2jC0590NySB3vsBgWEVs1OdUUWA6r-Dvx9dsOQtSCVkQYQAAqZAgqUAggCEAAaiQIwggEFAoIBAQDhEBM5-6YsPWfogKtbluJoCX1WV2KdzOaQ0-OlRbBzeCzw-eQKu12c8WakHBbeCMd1I1TU64SDkDorWjXGIa_2xT6N3zzNAE50roTbPCcmeQrps26woTYfYIuqDdoxYKZNr0lvNLLW47vBr7EKqo1S4KSj7aXK_XYeEvUgIgf3nVIcNrio7VTnFmGGVQCepaL1Hi1gN4yIXjVZ06PBPZ-DxSRu6xOGbFrfKMJeMPs7KOyE-26Q3xOXdTIa1X-zYIucTd_bxUCL4BVbwW2AvbbFsaG7ISmVdGu0XUTmhXs1KrEfUVLRJhE4Dx99hAZXm1_HlYMUeJcMQ_oHOhV94ENFIJaRBhACCpYBCpEBCAMQABqGATCBgwKBgF9t2YJGAJkRRFq6fWhi3m1TFW1UOE0f6ZrfYhHAkpqGlKlh0QVfeTNPpeJhi75xXzCe6oReRUm-0DbqDNhTShC7uGUv1INYnRBQWH6E-5Fc5XrbDFSuGQw2EYjNfHy_HefHJXxQKAqPvxBDKMKkHgV58WtM6rC8jRi9sdX_ig2NIJeRBhABCpYBCpEBCAQQABqGATCBgwKBgGB4d6eLGUBv-Q6EPLehC4S-yuE2HB-_rJ7WkeYwyp-xIPolPrd-PQme2utHB4ZgpXHIu_OFksDe_0bPgZniNRSVRbl7W49DgS5Ya3kMfrYB4DnF5Fta5tn1oV6EwxYD4JONpFTenOJALPGTPawxXEfon_peiHOSBuQMu3_Vn-l1IJiRBhADCpcBCpIBCAUQABqHATCBhAKBgQCTJMKIfmfeZpaI7Q9rnsc29gdWawK7TnpVKRHws1iY7EUlYROeVcMdAwEqVM6f8BVCKLGgzQ7Gar_uuxfUGKwqEQzoppDraw4F75J464-7D5f6_oJQuGIBHZxqbMONtLjBCXRUhQW5szBLmTQ_R3qaJb5vf-h0APZfkYhq1cTttSCZkQYQBAqWAQqRAQgLEAAahgEwgYMCgYBvvGVH_M2H8qxxv94yaDYUTWbRnJ1uiIYc59KIQlfFimMPhSS7x2tqUa2-hI55JiII0Xym6GNkwLhyc1xtWChpVuIdSnbvttbrt4weDMLHqTwNOF6qAsVKGKT1Yh8yf-qb-DSmicgvFc74mBQm_6gAY1iQsf33YX8578ClhKBWHSCVkQYQAAqXAQqSAQgMEAAahwEwgYQCgYEAkuzFcd5TJu7lYWYe2hQLFfUWIIj91BvQQLa_Thln4YtGCO8gG1KJqJm-YlmJOWQG0B7H_5RVhxUxV9KpmFnsDVkzUFKOsCBaYGXc12xPVioawUlAwp5qp3QQtZyx_se97YIoLzuLr46UkLcLnkIrp-Jo46QzYi_QHq45WTm8MQ0glpEGEAIKlwEKkgEIDRAAGocBMIGEAoGBAIUzbxOknXf_rNt17_ir8JlWvrtnCWsQd1MAnl5mgArvavDtKeBYHzi5_Ak7DHlLzuA6YE8W175FxLFKpN2hkz-l-M7ltUSd8N1BvJRhK4t6WffWfC_1wPyoAbeSN2Yb1jygtZJQ8wGoXHcJQUXiMit3e
FNyylwsJFj1gzAR4JCdIJeRBhABCpYBCpEBCA4QABqGATCBgwKBgFMcbEpl9ukVR6AO_R6sMyiU11I8b8MBSUCEC15iKsrVO8v_m47_TRRjWPYtQ9eZ7o1ocNJHaGUU7qqInFqtFaVnIceP6NmCsXhjs3MLrWPS8IRAy4Zf4FKmGOx3N9O2vemjUygZ9vUiSkULdVrecinRaT8JQ5RG4bUMY04XGIwFIJiRBhADCpYBCpEBCA8QABqGATCBgwKBgGpCkW-NR3li8GlRvqpq2YZGSIgm_PTyDI2Zwfw69grsBmPpVFW48Vw7xoMN35zcrojEpialB_uQzlpLYOvsMl634CRIuj-n1QE3-gaZTTTE8mg-AR4mcxnTKThPnRQpbuOlYAnriwiasWiQEMbGjq_HmWioYYxFo9USlklQn4-9IJmRBhAE";
+ static const TString EXPIRED_SERVICE_TICKET = "3:serv:CBAQACIZCOUBEBwaCGJiOnNlc3MxGghiYjpzZXNzMg:IwfMNJYEqStY_SixwqJnyHOMCPR7-3HHk4uylB2oVRkthtezq-OOA7QizDvx7VABLs_iTlXuD1r5IjufNei_EiV145eaa3HIg4xCdJXCojMexf2UYJz8mF2b0YzFAy6_KWagU7xo13CyKAqzJuQf5MJcSUf0ecY9hVh36cJ51aw";
+ static const TString MALFORMED_TVM_KEYS = "1:CpgCCpMCCAEQABqIAjCCAQQCggEAcLEXeH67FQESFUn4_7wnX7wN0PUrBoUsm3QQ4W5vC-qz6sXaEjSwnTV8w1o-z6X9KPLlhzMQvuS38NCNfK4uvJ4Zvfp3YsXJ25-rYtbnrYJHNvHohD-kPCCw_yZpMp21JdWigzQGuV7CtrxUhF-NNrsnUaJrE5-OpEWNt4X6nCItKIYeVcSK6XJUbEWbrNCRbvkSc4ak2ymFeMuHYJVjxh4eQbk7_ZPzodP0WvF6eUYrYeb42imVEOR8ofVLQWE5DVnb1z_TqZm4i1XkS7jMwZuBxBRw8DGdYei0lT_sAf7KST2jC0590NySB3vsBgWEVs1OdUUWA6r-Dvx9dsOQtSCVkQYQAAqZAgqUAggCEAAaiQIwggEFAoIBAQDhEBM5-6YsPWfogKtbluJoCX1WV2KdzOaQ0-OlRbBzeCzw-eQKu12c8WakHBbeCMd1I1TU64SDkDorWjXGIa_2xT6N3zzNAE50roTbPCcmeQrps26woTYfYIuqDdoxYKZNr0lvNLLW47vBr7EKqo1S4KSj7aXK_XYeEvUgIgf3nVIcNrio7VTnFmGGVQCepaL1Hi1gN4yIXjVZ06PBPZ-DxSRu6xOGbFrfKMJeMPs7KOyE-26Q3xOXdTIa1X-zYIucTd_bxUCL4BVbwW2AvbbFsaG7ISmVdGu0XUTmhXs1KrEfUVLRJhE4Dx99hAZXm1_HlYMUeJcMQ_oHOhV94ENFIJaRBhACCpYBCpEBCAMQABqGATCBgwKBgF9t2YJGAJkRRFq6fWhi3m1TFW1UOE0f6ZrfYhHAkpqGlKlh0QVfeTNPpeJhi75xXzCe6oReRUm-0DbqDNhTShC7uGUv1INYnRBQWH6E-5Fc5XrbDFSuGQw2EYjNfHy_HefHJXxQKAqPvxBDKMKkHgV58WtM6rC8jRi9sdX_ig2NIJeRBhABCpYBCpEBCAQQABqGATCBgwKBgGB4d6eLGUBv-Q6EPLehC4S-yuE2HB-_rJ7WkeYwyp-xIPolPrd-PQme2utHB4ZgpXHIu_OFksDe_0bPgZniNRSVRbl7W49DgS5Ya3kMfrYB4DnF5Fta5tn1oV6EwxYD4JONpFTenOJALPGTPawxXEfon_peiHOSBuQMu3_Vn-l1IJiRBhADCpcBCpIBCAUQABqHATCBhAKBgQCTJMKIfmfeZpaI7Q9rnsc29gdWawK7TnpVKRHws1iY7EUlYROeVcMdAwEqVM6f8BVCKLGgzQ7Gar_uuxfUGKwqEQzoppDraw4F75J464-7D5f6_oJQuGIBHZxqbMONtLjBCXRUhQW5szBLmTQ_R3qaJb5vf-h0APZfkYhq1cTttSCZkQYQBAqWAQqRAQgLEAAahgEwgYMCgYBvvGVH_M2H8qxxv94yaDYUTWbRnJ1uiIYc59KIQlfFimMPhSS7x2tqUa2-hI55JiII0Xym6GNkwLhyc1xtWChpVuIdSnbvttbrt4weDMLHqTwNOF6qAsVKGKT1Yh8yf-qb-DSmicgvFc74mBQm_6gAY1iQsf33YX8578ClhKBWHSCVkQYQAAqXAQqSAQgMEAAahwEwgYQCgYEAkuzFcd5TJu7lYWYe2hQLFfUWIIj91BvQQLa_Thln4YtGCO8gG1KJqJm-YlmJOWQG0B7H_5RVhxUxV9KpmFnsDVkzUFKOsCBaYGXc12xPVioawUlAwp5qp3QQtZyx_se97YIoLzuLr46UkLcLnkIrp-Jo46QzYi_QHq45WTm8MQ0glpEGEAIKlwEKkgEIDRAAGocBMIGEAoGBAIUzbxOknXf_rNt17_ir8JlWvrtnCWsQd1MAnl5mgArvavDtKeBYHzi5_Ak7DHlLzuA6YE8W175FxLFKpN2hkz-l-M7ltUSd8N1BvJRhK4t6WffWfC_1wPyoAbeSN2Yb1jygtZJQ8wGoXHcJQUXiM
it3eFNyylwsJFj1gzAR4JCdIJeRBhABCpYBCpEBCA4QABqGATCBgwKBgFMcbEpl9ukVR6AO_R6sMyiU11I8b8MBSUCEC15iKsrVO8v_m47_TRRjWPYtQ9eZ7o1ocNJHaGUU7qqInFqtFaVnIceP6NmCsXhjs3MLrWPS8IRAy4Zf4FKmGOx3N9O2vemjUygZ9vUiSkULdVrecinRaT8JQ5RG4bUMY04XGIwFIJiRBhADCpYBCpEBCA8QABqGATCBgwKBgGpCkW-NR3li8GlRvqpq2YZGSIgm_PTyDI2Zwfw69grsBmPpVFW48Vw7xoMN35zcrojEpialB_uQzlpLYOvsMl634CRIuj-n1QE3-gaZTTTE8mg-AR4mcxnTKThPnRQpbuOlYAnriwiasWiQEMbGjq_HmWioYYxFo9USlklQn4-9IJmRBhAEEpUBCpIBCAYQABqHATCBhAKBgQCoZkFGm9oLTqjeXZAq6j5S6i7K20V0lNdBBLqfmFBIRuTkYxhs4vUYnWjZrKRAd5bp6_py0csmFmpl_5Yh0b-2pdo_E5PNP7LGRzKyKSiFddyykKKzVOazH8YYldDAfE8Z5HoS9e48an5JsPg0jr-TPu34DnJq3yv2a6dqiKL9zSCakQYSlQEKkgEIEBAAGocBMIGEAoGBALhrihbf3EpjDQS2sCQHazoFgN0nBbE9eesnnFTfzQELXb2gnJU9enmV_aDqaHKjgtLIPpCgn40lHrn5k6mvH5OdedyI6cCzE-N-GFp3nAq0NDJyMe0fhtIRD__CbT0ulcvkeow65ubXWfw6dBC2gR_34rdMe_L_TGRLMWjDULbNIJ";
+ static const TString MALFORMED_TVM_SECRET = "adcvxcv./-+";
+ static const TTvmId NOT_OUR_ID = 27;
+ static const TTvmId OUR_ID = 28;
+ static const TString SECRET = "GRMJrKnj4fOVnvOqe-WyD1";
+ static const TString SERVICE_TICKET_PROTOBUF = "CBAQ__________9_IhkI5QEQHBoIYmI6c2VzczEaCGJiOnNlc3My";
+ static const TTvmId SRC_ID = 229;
+ static const TString UNSUPPORTED_VERSION_SERVICE_TICKET = "2:serv:CBAQ__________9_IhkI5QEQHBoIYmI6c2VzczEaCGJiOnNlc3My:WUPx1cTf05fjD1exB35T5j2DCHWH1YaLJon_a4rN-D7JfXHK1Ai4wM4uSfboHD9xmGQH7extqtlEk1tCTCGm5qbRVloJwWzCZBXo3zKX6i1oBYP_89WcjCNPVe1e8jwGdLsnu6PpxL5cn0xCksiStILH5UmDR6xfkJdnmMG94o8";
+ static const TString VALID_SERVICE_TICKET_1 = "3:serv:CBAQ__________9_IhkI5QEQHBoIYmI6c2VzczEaCGJiOnNlc3My:WUPx1cTf05fjD1exB35T5j2DCHWH1YaLJon_a4rN-D7JfXHK1Ai4wM4uSfboHD9xmGQH7extqtlEk1tCTCGm5qbRVloJwWzCZBXo3zKX6i1oBYP_89WcjCNPVe1e8jwGdLsnu6PpxL5cn0xCksiStILH5UmDR6xfkJdnmMG94o8";
+ static const TString VALID_SERVICE_TICKET_2 = "3:serv:CBAQ__________9_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:JYmABAVLM6y7_T4n1pRcwBfwDfzMV4JJ3cpbEG617zdGgKRZwL7MalsYn5bq1F2ibujMrsF9nzZf8l4s_e-Ivjkz_xu4KMzSp-pUh9V7XIF_smj0WHYpv6gOvWNuK8uIvlZTTKwtQX0qZOL9m-MEeZiHoQPKZGCfJ_qxMUp-J8I";
+ static const TString VALID_SERVICE_TICKET_3 = "3:serv:CBAQ__________9_IgUI5QEQHA:Sd6tmA1CNy2Nf7XevC3x7zr2DrGNRmcl-TxUsDtDW2xI3YXyCxBltWeg0-KtDlqyYuPOP5Jd_-XXNA12KlOPnNzrz3jm-5z8uQl6CjCcrVHUHJ75pGC8r9UOlS8cOgeXQB5dYP-fOWyo5CNadlozx1S2meCIxncbQRV1kCBi4KU";
+ static const TString VALID_SERVICE_TICKET_ISSUER = "3:serv:CBAQ__________9_IgsI5QEQHCDr1MT4Ag:Gu66XJT_nKnIRJjFy1561wFhIqkJItcSTGftLo7Yvi7i5wIdV-QuKT_-IMPpgjxnnGbt1Dy3Ys2TEoeJAb0TdaCYG1uy3vpoLONmTx9AenN5dx1HHf46cypLK5D3OdiTjxvqI9uGmSIKrSdRxU8gprpu5QiBDPZqVCWhM60FVSY";
+
+ Y_UNIT_TEST(Case1Test) {
+ TServiceContext context1(OUR_ID, SECRET, NTvmAuth::NUnittest::TVMKNIFE_PUBLIC_KEYS);
+ TServiceContext context2 = std::move(context1);
+ TServiceContext context3(std::move(context2));
+
+ TCheckedServiceTicket checkedTicket1 = context3.Check(VALID_SERVICE_TICKET_1);
+ UNIT_ASSERT_EQUAL(TA_EErrorCode::TA_EC_OK, checkedTicket1.GetStatus());
+ TCheckedServiceTicket checkedTicket2 = std::move(checkedTicket1);
+ TCheckedServiceTicket checkedTicket3(std::move(checkedTicket2));
+ UNIT_ASSERT_EQUAL(TA_EErrorCode::TA_EC_OK, checkedTicket3.GetStatus());
+ }
+
+ Y_UNIT_TEST(ContextExceptionsTest) {
+ UNIT_ASSERT_EXCEPTION(TServiceContext(OUR_ID, SECRET, MALFORMED_TVM_KEYS), TMalformedTvmKeysException);
+ UNIT_ASSERT_EXCEPTION(TServiceContext(OUR_ID, SECRET, EMPTY_TVM_KEYS), TEmptyTvmKeysException);
+ UNIT_ASSERT_EXCEPTION(TServiceContext(OUR_ID, MALFORMED_TVM_SECRET, NTvmAuth::NUnittest::TVMKNIFE_PUBLIC_KEYS), TMalformedTvmSecretException);
+ TServiceContext context = TServiceContext(OUR_ID, NTvmAuth::NUnittest::TVMKNIFE_PUBLIC_KEYS);
+ UNIT_ASSERT_EXCEPTION(context.SignCgiParamsForTvm(IntToString<10>(std::numeric_limits<time_t>::max()), "13,28", ""), TMalformedTvmSecretException);
+ UNIT_ASSERT_NO_EXCEPTION(context.Check("ABCDE"));
+ context = TServiceContext::CheckingFactory(OUR_ID, NTvmAuth::NUnittest::TVMKNIFE_PUBLIC_KEYS);
+ UNIT_ASSERT_EXCEPTION(context.SignCgiParamsForTvm(IntToString<10>(std::numeric_limits<time_t>::max()), "13,28", ""), TMalformedTvmSecretException);
+ UNIT_ASSERT_NO_EXCEPTION(context.Check("ABCDE"));
+ }
+
+ Y_UNIT_TEST(ContextSignTest) {
+ TServiceContext context(OUR_ID, SECRET, NTvmAuth::NUnittest::TVMKNIFE_PUBLIC_KEYS);
+ UNIT_ASSERT_VALUES_EQUAL(
+ "NsPTYak4Cfk-4vgau5lab3W4GPiTtb2etuj3y4MDPrk",
+ context.SignCgiParamsForTvm(IntToString<10>(std::numeric_limits<time_t>::max()), "13,28", ""));
+ }
+
+ Y_UNIT_TEST(Ticket1Test) {
+ TServiceContext context(OUR_ID, SECRET, NTvmAuth::NUnittest::TVMKNIFE_PUBLIC_KEYS);
+ auto checkedTicket = context.Check(VALID_SERVICE_TICKET_1);
+ UNIT_ASSERT_EQUAL(TA_EErrorCode::TA_EC_OK, checkedTicket.GetStatus());
+ UNIT_ASSERT_EQUAL(SRC_ID, checkedTicket.GetSrc());
+ UNIT_ASSERT_EQUAL("ticket_type=serv;expiration_time=9223372036854775807;src=229;dst=28;scope=bb:sess1;scope=bb:sess2;", checkedTicket.DebugInfo());
+ UNIT_ASSERT_VALUES_EQUAL(0, checkedTicket.GetIssuerUid());
+ }
+
+ Y_UNIT_TEST(Ticket2Test) {
+ TServiceContext context(OUR_ID, SECRET, NTvmAuth::NUnittest::TVMKNIFE_PUBLIC_KEYS);
+ auto checkedTicket = context.Check(VALID_SERVICE_TICKET_2);
+ UNIT_ASSERT_EQUAL(TA_EErrorCode::TA_EC_OK, checkedTicket.GetStatus());
+ UNIT_ASSERT_VALUES_EQUAL("ticket_type=serv;expiration_time=9223372036854775807;src=229;dst=28;scope=bb:sess1;scope=bb:sess10;scope=bb:sess100;scope=bb:sess11;scope=bb:sess12;scope=bb:sess13;scope=bb:sess14;scope=bb:sess15;scope=bb:sess16;scope=bb:sess17;scope=bb:sess18;scope=bb:sess19;scope=bb:sess2;scope=bb:sess20;scope=bb:sess21;scope=bb:sess22;scope=bb:sess23;scope=bb:sess24;scope=bb:sess25;scope=bb:sess26;scope=bb:sess27;scope=bb:sess28;scope=bb:sess29;scope=bb:sess3;scope=bb:sess30;scope=bb:sess31;scope=bb:sess32;scope=bb:sess33;scope=bb:sess34;scope=bb:sess35;scope=bb:sess36;scope=bb:sess37;scope=bb:sess38;scope=bb:sess39;scope=bb:sess4;scope=bb:sess40;scope=bb:sess41;scope=bb:sess42;scope=bb:sess43;scope=bb:sess44;scope=bb:sess45;scope=bb:sess46;scope=bb:sess47;scope=bb:sess48;scope=bb:sess49;scope=bb:sess5;scope=bb:sess50;scope=bb:sess51;scope=bb:sess52;scope=bb:sess53;scope=bb:sess54;scope=bb:sess55;scope=bb:sess56;scope=bb:sess57;scope=bb:sess58;scope=bb:sess59;scope=bb:sess6;scope=bb:sess60;scope=bb:sess61;scope=bb:sess62;scope=bb:sess63;scope=bb:sess64;scope=bb:sess65;scope=bb:sess66;scope=bb:sess67;scope=bb:sess68;scope=bb:sess69;scope=bb:sess7;scope=bb:sess70;scope=bb:sess71;scope=bb:sess72;scope=bb:sess73;scope=bb:sess74;scope=bb:sess75;scope=bb:sess76;scope=bb:sess77;scope=bb:sess78;scope=bb:sess79;scope=bb:sess8;scope=bb:sess80;scope=bb:sess81;scope=bb:sess82;scope=bb:sess83;scope=bb:sess84;scope=bb:sess85;scope=bb:sess86;scope=bb:sess87;scope=bb:sess88;scope=bb:sess89;scope=bb:sess9;scope=bb:sess90;scope=bb:sess91;scope=bb:sess92;scope=bb:sess93;scope=bb:sess94;scope=bb:sess95;scope=bb:sess96;scope=bb:sess97;scope=bb:sess98;scope=bb:sess99;", checkedTicket.DebugInfo());
+ UNIT_ASSERT_VALUES_EQUAL(0, checkedTicket.GetIssuerUid());
+ }
+
+ Y_UNIT_TEST(Ticket3Test) {
+ TServiceContext context(OUR_ID, SECRET, NTvmAuth::NUnittest::TVMKNIFE_PUBLIC_KEYS);
+ auto checkedTicket = context.Check(VALID_SERVICE_TICKET_3);
+ UNIT_ASSERT_EQUAL(TA_EErrorCode::TA_EC_OK, checkedTicket.GetStatus());
+ UNIT_ASSERT_VALUES_EQUAL("ticket_type=serv;expiration_time=9223372036854775807;src=229;dst=28;", checkedTicket.DebugInfo());
+ UNIT_ASSERT_VALUES_EQUAL(0, checkedTicket.GetIssuerUid());
+ }
+
+ Y_UNIT_TEST(TicketIssuerTest) {
+ TServiceContext context(OUR_ID, SECRET, NTvmAuth::NUnittest::TVMKNIFE_PUBLIC_KEYS);
+ auto checkedTicket = context.Check(VALID_SERVICE_TICKET_ISSUER);
+ UNIT_ASSERT_EQUAL(TA_EErrorCode::TA_EC_OK, checkedTicket.GetStatus());
+ UNIT_ASSERT_VALUES_EQUAL("ticket_type=serv;expiration_time=9223372036854775807;src=229;dst=28;issuer_uid=789654123;", checkedTicket.DebugInfo());
+ UNIT_ASSERT_VALUES_EQUAL(789654123, checkedTicket.GetIssuerUid());
+ }
+
+ Y_UNIT_TEST(TicketErrorsTest) {
+ TServiceContext context(NOT_OUR_ID, SECRET, NTvmAuth::NUnittest::TVMKNIFE_PUBLIC_KEYS);
+ auto checkedTicket1 = context.Check(VALID_SERVICE_TICKET_1);
+ UNIT_ASSERT_EQUAL(TA_EErrorCode::TA_EC_INVALID_DST, checkedTicket1.GetStatus());
+
+ auto checkedTicket2 = context.Check(UNSUPPORTED_VERSION_SERVICE_TICKET);
+ UNIT_ASSERT_EQUAL(TA_EErrorCode::TA_EC_UNSUPPORTED_VERSION, checkedTicket2.GetStatus());
+
+ auto checkedTicket3 = context.Check(EXPIRED_SERVICE_TICKET);
+ UNIT_ASSERT_EQUAL(TA_EErrorCode::TA_EC_EXPIRED_TICKET, checkedTicket3.GetStatus());
+ }
+
+ Y_UNIT_TEST(TicketExceptionsTest) {
+ TServiceContext context(OUR_ID, SECRET, NTvmAuth::NUnittest::TVMKNIFE_PUBLIC_KEYS);
+ auto checkedTicket = context.Check(EXPIRED_SERVICE_TICKET);
+ UNIT_ASSERT_EQUAL(TA_EErrorCode::TA_EC_EXPIRED_TICKET, checkedTicket.GetStatus());
+
+ UNIT_ASSERT(!bool(checkedTicket));
+ UNIT_ASSERT_EXCEPTION(checkedTicket.GetSrc(), TNotAllowedException);
+ UNIT_ASSERT_NO_EXCEPTION(bool(checkedTicket));
+ UNIT_ASSERT_NO_EXCEPTION(checkedTicket.DebugInfo());
+ UNIT_ASSERT_NO_EXCEPTION(checkedTicket.GetStatus());
+ }
+
+ Y_UNIT_TEST(RemoveSignatureTest) {
+ UNIT_ASSERT_VALUES_EQUAL("1:serv:ASDkljbjhsdbfLJHABFJHBslfbsfjs:asdxcvbxcvniueliuweklsvds",
+ RemoveTicketSignature("1:serv:ASDkljbjhsdbfLJHABFJHBslfbsfjs:asdxcvbxcvniueliuweklsvds"));
+ UNIT_ASSERT_VALUES_EQUAL("2:serv:ASDkljbjhsdbfLJHABFJHBslfbsfjs:asdxcvbxcvniueliuweklsvds",
+ RemoveTicketSignature("2:serv:ASDkljbjhsdbfLJHABFJHBslfbsfjs:asdxcvbxcvniueliuweklsvds"));
+ UNIT_ASSERT_VALUES_EQUAL("4:serv:ASDkljbjhsdbfLJHABFJHBslfbsfjs:asdxcvbxcvniueliuweklsvds",
+ RemoveTicketSignature("4:serv:ASDkljbjhsdbfLJHABFJHBslfbsfjs:asdxcvbxcvniueliuweklsvds"));
+ UNIT_ASSERT_VALUES_EQUAL("3.serv.ASDkljbjhsdbfLJHABFJHBslfbsfjs.asdxcvbxcvniueliuweklsvds",
+ RemoveTicketSignature("3.serv.ASDkljbjhsdbfLJHABFJHBslfbsfjs.asdxcvbxcvniueliuweklsvds"));
+ UNIT_ASSERT_VALUES_EQUAL("3:serv:ASDkljbjhsdbfLJHABFJHBslfbsfjs:",
+ RemoveTicketSignature("3:serv:ASDkljbjhsdbfLJHABFJHBslfbsfjs:asdxcvbxcvniueliuweklsvds"));
+ UNIT_ASSERT_VALUES_EQUAL("3:serv:ASDkljbjhsdbfLJHABFJHBslfbsfjs:",
+ RemoveTicketSignature("3:serv:ASDkljbjhsdbfLJHABFJHBslfbsfjs:asdxcvbxcvniueliuweklsvds"));
+ UNIT_ASSERT_VALUES_EQUAL("3:serv:",
+ RemoveTicketSignature("3:serv:ASDkljbjhsdbfLJHABFJHBslfbsfjs.asdxcvbxcvniueliuweklsvds"));
+ UNIT_ASSERT_VALUES_EQUAL("asdxcbvfgdsgfasdfxczvdsgfxcdvbcbvf",
+ RemoveTicketSignature("asdxcbvfgdsgfasdfxczvdsgfxcdvbcbvf"));
+ }
+
+ Y_UNIT_TEST(ResetKeysTest) {
+ TServiceContext context(OUR_ID, SECRET, NTvmAuth::NUnittest::TVMKNIFE_PUBLIC_KEYS);
+ auto checkedTicket = context.Check(VALID_SERVICE_TICKET_1);
+ UNIT_ASSERT_EQUAL(TA_EErrorCode::TA_EC_OK, checkedTicket.GetStatus());
+ }
+
+ Y_UNIT_TEST(CheckForEmptyTvmKeysTest) {
+ TServiceContext context = TServiceContext::SigningFactory(SECRET, OUR_ID);
+ UNIT_ASSERT_NO_EXCEPTION(context.SignCgiParamsForTvm(IntToString<10>(std::numeric_limits<time_t>::max()), "13,28", ""));
+
+ auto checkedTicket = context.Check("ABCDE");
+ UNIT_ASSERT_EQUAL(TA_EErrorCode::TA_EC_EMPTY_TVM_KEYS, checkedTicket.GetStatus());
+ }
+}
+
+Y_UNIT_TEST_SUITE(CppWrapperUserTestSuite) {
+ static const TString EMPTY_TVM_KEYS = "1:CpkCCpQCCAIQABqJAjCCAQUCggEBAOEQEzn7piw9Z-iAq1uW4mgJfVZXYp3M5pDT46VFsHN4LPD55Aq7XZzxZqQcFt4Ix3UjVNTrhIOQOitaNcYhr_bFPo3fPM0ATnSuhNs8JyZ5CumzbrChNh9gi6oN2jFgpk2vSW80stbju8GvsQqqjVLgpKPtpcr9dh4S9SAiB_edUhw2uKjtVOcWYYZVAJ6lovUeLWA3jIheNVnTo8E9n4PFJG7rE4ZsWt8owl4w-zso7IT7bpDfE5d1MhrVf7Ngi5xN39vFQIvgFVvBbYC9tsWxobshKZV0a7RdROaFezUqsR9RUtEmETgPH32EBlebX8eVgxR4lwxD-gc6FX3gQ0UglpEGEAIKlgEKkQEIAxAAGoYBMIGDAoGAX23ZgkYAmRFEWrp9aGLebVMVbVQ4TR_pmt9iEcCSmoaUqWHRBV95M0-l4mGLvnFfMJ7qhF5FSb7QNuoM2FNKELu4ZS_Ug1idEFBYfoT7kVzletsMVK4ZDDYRiM18fL8d58clfFAoCo-_EEMowqQeBXnxa0zqsLyNGL2x1f-KDY0gl5EGEAEKlgEKkQEIBBAAGoYBMIGDAoGAYHh3p4sZQG_5DoQ8t6ELhL7K4TYcH7-sntaR5jDKn7Eg-iU-t349CZ7a60cHhmClcci784WSwN7_Rs-BmeI1FJVFuXtbj0OBLlhreQx-tgHgOcXkW1rm2fWhXoTDFgPgk42kVN6c4kAs8ZM9rDFcR-if-l6Ic5IG5Ay7f9Wf6XUgmJEGEAMKlwEKkgEIBRAAGocBMIGEAoGBAJMkwoh-Z95mlojtD2uexzb2B1ZrArtOelUpEfCzWJjsRSVhE55Vwx0DASpUzp_wFUIosaDNDsZqv-67F9QYrCoRDOimkOtrDgXvknjrj7sPl_r-glC4YgEdnGpsw420uMEJdFSFBbmzMEuZND9Hepolvm9_6HQA9l-RiGrVxO21IJmRBhAECpcBCpIBCAwQABqHATCBhAKBgQCS7MVx3lMm7uVhZh7aFAsV9RYgiP3UG9BAtr9OGWfhi0YI7yAbUomomb5iWYk5ZAbQHsf_lFWHFTFX0qmYWewNWTNQUo6wIFpgZdzXbE9WKhrBSUDCnmqndBC1nLH-x73tgigvO4uvjpSQtwueQiun4mjjpDNiL9AerjlZObwxDSCWkQYQAgqXAQqSAQgNEAAahwEwgYQCgYEAhTNvE6Sdd_-s23Xv-KvwmVa-u2cJaxB3UwCeXmaACu9q8O0p4FgfOLn8CTsMeUvO4DpgTxbXvkXEsUqk3aGTP6X4zuW1RJ3w3UG8lGEri3pZ99Z8L_XA_KgBt5I3ZhvWPKC1klDzAahcdwlBReIyK3d4U3LKXCwkWPWDMBHgkJ0gl5EGEAEKlgEKkQEIDhAAGoYBMIGDAoGAUxxsSmX26RVHoA79HqwzKJTXUjxvwwFJQIQLXmIqytU7y_-bjv9NFGNY9i1D15nujWhw0kdoZRTuqoicWq0VpWchx4_o2YKxeGOzcwutY9LwhEDLhl_gUqYY7Hc307a96aNTKBn29SJKRQt1Wt5yKdFpPwlDlEbhtQxjThcYjAUgmJEGEAMKlgEKkQEIDxAAGoYBMIGDAoGAakKRb41HeWLwaVG-qmrZhkZIiCb89PIMjZnB_Dr2CuwGY-lUVbjxXDvGgw3fnNyuiMSmJqUH-5DOWktg6-wyXrfgJEi6P6fVATf6BplNNMTyaD4BHiZzGdMpOE-dFClu46VgCeuLCJqxaJAQxsaOr8eZaKhhjEWj1RKWSVCfj70gmZEGEAQSlQEKkgEIBhAAGocBMIGEAoGBAKhmQUab2gtOqN5dkCrqPlLqLsrbRXSU10EEup-YUEhG5ORjGGzi9RidaNmspEB3lunr-nLRyyYWamX_liHRv7al2j8Tk80_ssZHMrIpKIV13LKQorNU5rMfx
hiV0MB8TxnkehL17jxqfkmw-DSOv5M-7fgOcmrfK_Zrp2qIov3NIJqRBhKVAQqSAQgQEAAahwEwgYQCgYEAuGuKFt_cSmMNBLawJAdrOgWA3ScFsT156yecVN_NAQtdvaCclT16eZX9oOpocqOC0sg-kKCfjSUeufmTqa8fk5153IjpwLMT434YWnecCrQ0MnIx7R-G0hEP_8JtPS6Vy-R6jDrm5tdZ_Dp0ELaBH_fit0x78v9MZEsxaMNQts0gmpEG";
+ static const TString EXPIRED_USER_TICKET = "3:user:CA0QABokCgMIyAMKAgh7EMgDGghiYjpzZXNzMRoIYmI6c2VzczIgEigB:D0CmYVwWg91LDYejjeQ2UP8AeiA_mr1q1CUD_lfJ9zQSEYEOYGDTafg4Um2rwOOvQnsD1JHM4zHyMUJ6Jtp9GAm5pmhbXBBZqaCcJpyxLTEC8a81MhJFCCJRvu_G1FiAgRgB25gI3HIbkvHFUEqAIC_nANy7NFQnbKk2S-EQPGY";
+ static const TString MALFORMED_TVM_KEYS = "1:CpgCCpMCCAEQABqIAjCCAQQCggEAcLEXeH67FQESFUn4_7wnX7wN0PUrBoUsm3QQ4W5vC-qz6sXaEjSwnTV8w1o-z6X9KPLlhzMQvuS38NCNfK4uvJ4Zvfp3YsXJ25-rYtbnrYJHNvHohD-kPCCw_yZpMp21JdWigzQGuV7CtrxUhF-NNrsnUaJrE5-OpEWNt4X6nCItKIYeVcSK6XJUbEWbrNCRbvkSc4ak2ymFeMuHYJVjxh4eQbk7_ZPzodP0WvF6eUYrYeb42imVEOR8ofVLQWE5DVnb1z_TqZm4i1XkS7jMwZuBxBRw8DGdYei0lT_sAf7KST2jC0590NySB3vsBgWEVs1OdUUWA6r-Dvx9dsOQtSCVkQYQAAqZAgqUAggCEAAaiQIwggEFAoIBAQDhEBM5-6YsPWfogKtbluJoCX1WV2KdzOaQ0-OlRbBzeCzw-eQKu12c8WakHBbeCMd1I1TU64SDkDorWjXGIa_2xT6N3zzNAE50roTbPCcmeQrps26woTYfYIuqDdoxYKZNr0lvNLLW47vBr7EKqo1S4KSj7aXK_XYeEvUgIgf3nVIcNrio7VTnFmGGVQCepaL1Hi1gN4yIXjVZ06PBPZ-DxSRu6xOGbFrfKMJeMPs7KOyE-26Q3xOXdTIa1X-zYIucTd_bxUCL4BVbwW2AvbbFsaG7ISmVdGu0XUTmhXs1KrEfUVLRJhE4Dx99hAZXm1_HlYMUeJcMQ_oHOhV94ENFIJaRBhACCpYBCpEBCAMQABqGATCBgwKBgF9t2YJGAJkRRFq6fWhi3m1TFW1UOE0f6ZrfYhHAkpqGlKlh0QVfeTNPpeJhi75xXzCe6oReRUm-0DbqDNhTShC7uGUv1INYnRBQWH6E-5Fc5XrbDFSuGQw2EYjNfHy_HefHJXxQKAqPvxBDKMKkHgV58WtM6rC8jRi9sdX_ig2NIJeRBhABCpYBCpEBCAQQABqGATCBgwKBgGB4d6eLGUBv-Q6EPLehC4S-yuE2HB-_rJ7WkeYwyp-xIPolPrd-PQme2utHB4ZgpXHIu_OFksDe_0bPgZniNRSVRbl7W49DgS5Ya3kMfrYB4DnF5Fta5tn1oV6EwxYD4JONpFTenOJALPGTPawxXEfon_peiHOSBuQMu3_Vn-l1IJiRBhADCpcBCpIBCAUQABqHATCBhAKBgQCTJMKIfmfeZpaI7Q9rnsc29gdWawK7TnpVKRHws1iY7EUlYROeVcMdAwEqVM6f8BVCKLGgzQ7Gar_uuxfUGKwqEQzoppDraw4F75J464-7D5f6_oJQuGIBHZxqbMONtLjBCXRUhQW5szBLmTQ_R3qaJb5vf-h0APZfkYhq1cTttSCZkQYQBAqWAQqRAQgLEAAahgEwgYMCgYBvvGVH_M2H8qxxv94yaDYUTWbRnJ1uiIYc59KIQlfFimMPhSS7x2tqUa2-hI55JiII0Xym6GNkwLhyc1xtWChpVuIdSnbvttbrt4weDMLHqTwNOF6qAsVKGKT1Yh8yf-qb-DSmicgvFc74mBQm_6gAY1iQsf33YX8578ClhKBWHSCVkQYQAAqXAQqSAQgMEAAahwEwgYQCgYEAkuzFcd5TJu7lYWYe2hQLFfUWIIj91BvQQLa_Thln4YtGCO8gG1KJqJm-YlmJOWQG0B7H_5RVhxUxV9KpmFnsDVkzUFKOsCBaYGXc12xPVioawUlAwp5qp3QQtZyx_se97YIoLzuLr46UkLcLnkIrp-Jo46QzYi_QHq45WTm8MQ0glpEGEAIKlwEKkgEIDRAAGocBMIGEAoGBAIUzbxOknXf_rNt17_ir8JlWvrtnCWsQd1MAnl5mgArvavDtKeBYHzi5_Ak7DHlLzuA6YE8W175FxLFKpN2hkz-l-M7ltUSd8N1BvJRhK4t6WffWfC_1wPyoAbeSN2Yb1jygtZJQ8wGoXHcJQUXiM
it3eFNyylwsJFj1gzAR4JCdIJeRBhABCpYBCpEBCA4QABqGATCBgwKBgFMcbEpl9ukVR6AO_R6sMyiU11I8b8MBSUCEC15iKsrVO8v_m47_TRRjWPYtQ9eZ7o1ocNJHaGUU7qqInFqtFaVnIceP6NmCsXhjs3MLrWPS8IRAy4Zf4FKmGOx3N9O2vemjUygZ9vUiSkULdVrecinRaT8JQ5RG4bUMY04XGIwFIJiRBhADCpYBCpEBCA8QABqGATCBgwKBgGpCkW-NR3li8GlRvqpq2YZGSIgm_PTyDI2Zwfw69grsBmPpVFW48Vw7xoMN35zcrojEpialB_uQzlpLYOvsMl634CRIuj-n1QE3-gaZTTTE8mg-AR4mcxnTKThPnRQpbuOlYAnriwiasWiQEMbGjq_HmWioYYxFo9USlklQn4-9IJmRBhAEEpUBCpIBCAYQABqHATCBhAKBgQCoZkFGm9oLTqjeXZAq6j5S6i7K20V0lNdBBLqfmFBIRuTkYxhs4vUYnWjZrKRAd5bp6_py0csmFmpl_5Yh0b-2pdo_E5PNP7LGRzKyKSiFddyykKKzVOazH8YYldDAfE8Z5HoS9e48an5JsPg0jr-TPu34DnJq3yv2a6dqiKL9zSCakQYSlQEKkgEIEBAAGocBMIGEAoGBALhrihbf3EpjDQS2sCQHazoFgN0nBbE9eesnnFTfzQELXb2gnJU9enmV_aDqaHKjgtLIPpCgn40lHrn5k6mvH5OdedyI6cCzE-N-GFp3nAq0NDJyMe0fhtIRD__CbT0ulcvkeow65ubXWfw6dBC2gR_34rdMe_L_TGRLMWjDULbNIJ";
+ static const TString UNSUPPORTED_VERSION_USER_TICKET = "2:user:CA0Q__________9_GiQKAwjIAwoCCHsQyAMaCGJiOnNlc3MxGghiYjpzZXNzMiASKAE:KJFv5EcXn9krYk19LCvlFrhMW-R4q8mKfXJXCd-RBVBgUQzCOR1Dx2FiOyU-BxUoIsaU0PiwTjbVY5I2onJDilge70Cl5zEPI9pfab2qwklACq_ZBUvD1tzrfNUr88otBGAziHASJWgyVDkhyQ3p7YbN38qpb0vGQrYNxlk4e2I";
+ static const TString USER_TICKET_PROTOBUF = "CA0Q__________9_GiQKAwjIAwoCCHsQyAMaCGJiOnNlc3MxGghiYjpzZXNzMiASKAE";
+ static const TString VALID_USER_TICKET_1 = "3:user:CA0Q__________9_GiQKAwjIAwoCCHsQyAMaCGJiOnNlc3MxGghiYjpzZXNzMiASKAE:KJFv5EcXn9krYk19LCvlFrhMW-R4q8mKfXJXCd-RBVBgUQzCOR1Dx2FiOyU-BxUoIsaU0PiwTjbVY5I2onJDilge70Cl5zEPI9pfab2qwklACq_ZBUvD1tzrfNUr88otBGAziHASJWgyVDkhyQ3p7YbN38qpb0vGQrYNxlk4e2I";
+ static const TString VALID_USER_TICKET_2 = "3:user:CA0Q__________9_GhAKAwjIAwoCCHsQyAMgEigB:KRibGYTJUA2ns0Fn7VYqeMZ1-GdscB1o9pRzELyr7QJrJsfsE8Y_HoVvB8Npr-oalv6AXOpagSc8HpZjAQz8zKMAVE_tI0tL-9DEsHirpawEbpy7OWV7-k18o1m-RaDaKeTlIB45KHbBul1-9aeKkortBfbbXtz_Qy9r_mfFPiQ";
+ static const TString VALID_USER_TICKET_3 = "3:user:CA0Q__________9_Go8bCgIIAAoCCAEKAggCCgIIAwoCCAQKAggFCgIIBgoCCAcKAggICgIICQoCCAoKAggLCgIIDAoCCA0KAggOCgIIDwoCCBAKAggRCgIIEgoCCBMKAggUCgIIFQoCCBYKAggXCgIIGAoCCBkKAggaCgIIGwoCCBwKAggdCgIIHgoCCB8KAgggCgIIIQoCCCIKAggjCgIIJAoCCCUKAggmCgIIJwoCCCgKAggpCgIIKgoCCCsKAggsCgIILQoCCC4KAggvCgIIMAoCCDEKAggyCgIIMwoCCDQKAgg1CgIINgoCCDcKAgg4CgIIOQoCCDoKAgg7CgIIPAoCCD0KAgg-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_AQoDCMABCgMIwQEKAwjCAQoDCMMBCgMIxAEKAwjFAQoDCMYBCgMIxwEKAwjIAQoDCMkBCgMIygEKAwjLAQoDCMwBCgMIzQEKAwjOAQoDCM8BCgMI0AEKAwjRAQoDCNIBCgMI0wEKAwjUAQoDCNUBCgMI1gEKAwjXAQoDCNgBCgMI2QEKAwjaAQoDCNsBCgMI3AEKAwjdAQoDCN4BCgMI3wEKAwjgAQoDCOEBCgMI4gEKAwjjAQoDCOQBCgMI5QEKAwjmAQoDCOcBCgMI6AEKAwjpAQoDCOoBCgMI6wEKAwjsAQoDCO0BCgMI7gEKAwjvAQoDCPABCgMI8QEKAwjyAQoDCPMBCgMI9AEKAwj1AQoDCPYBCgMI9wEKAwj4AQoDCPkBCgMI-gEKAwj7AQoDCPwBCgMI_QEKAwj-AQoDCP8BCgMIgAIKAwiBAgoDCIICCgMIgwIKAwiEAgoDCIUCCgMIhgIKAwiHAgoDCIgCCgMIiQIKAwiKAgoDCIsCCgMIjAIKAwiNAgoDCI4CCgMIjwIKAwiQAgoDCJECCgMIkgIKAwiTAgoDCJQCCgMIlQIKAwiWAgoDCJcCCgMImAIKAwiZAgoDCJoCCgMImwIKAwicAgoDCJ0CCgMIngIKAwifAgoDCKACCgMIoQIKAwiiAgoDCKMCCgMIpAIKAwilAgoDCKYCCgMIpwIKAwioAgoDCKkCCgMIqgIKAwirAgoDCKwCCgMIrQIKAwiuAgoDCK8CCgMIsAIKAwixAgoDCLICCgMIswIKAwi0AgoDCLUCCgMItgIKAwi3AgoDCLgCCgMIuQIKAwi6AgoDCLsCCgMIvAIKAwi9AgoDCL4CCgMIvwIKAwjAAgoDCMECCgMIwgIKAwjDAgoDCMQCCgMIxQIKAwjGAgoDCMcCCgMIyAIKAwjJAgoDCMoCCgMIywIKAwjMAgoDCM0CCgMIzgIKAwjPAgoDCNACCgMI0QIKAwjSAgoDCNMCCgMI1AIKAwjVAgoDCNYCCgMI1wIKAwjYAgoDCNkCCgMI2gIKAwjbAgoDCNwCCgMI3QIKAwjeAgoDCN8CCgMI4AIKAwjhAgoDCOICCgMI4wIKAwjkAgoDCOUCCgMI5gIKAwjnAgoDCOgCCgMI6QIKAwjqAgoDCOsCCgMI7AIKAwjtAgoDCO4CCgMI7wIKAwjwAgoDCPECCgMI8gIKAwjzAgoDCPQCCgMI9QIKAwj2AgoDCPcCCgMI-AIKAwj5AgoDCPoCCgMI-wIKAwj8AgoDCP0CCgMI_gIKAwj_AgoDCIADCgMIgQMKAwiCAwoDCIMDCgMIhAMKAwiFAwoDCIYDCgMIhwMKAwiIAwoDCIkDCgMIigMKAwiLAwoDCIwDCgMIjQMKAwiOAwoDCI8DCgMIkAMKAwiRAwoDCJIDCgMIkwMKAwiUAwoDCJUDCgMIlgMKAwiXAwoDCJgDCgMImQMKAwiaAwoDCJsDCgMInAMKAwidAwoDCJ4DCgMInwMKAwigAwoDCKEDCgMIogMKAwijAwoDCKQDCgMIpQMKA
wimAwoDCKcDCgMIqAMKAwipAwoDCKoDCgMIqwMKAwisAwoDCK0DCgMIrgMKAwivAwoDCLADCgMIsQMKAwiyAwoDCLMDCgMItAMKAwi1AwoDCLYDCgMItwMKAwi4AwoDCLkDCgMIugMKAwi7AwoDCLwDCgMIvQMKAwi-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:CX8PIOrxJnQqFXl7wAsiHJ_1VGjoI-asNlCXb8SE8jtI2vdh9x6CqbAurSgIlAAEgotVP-nuUR38x_a9YJuXzmG5AvJ458apWQtODHIDIX6ZaIwMxjS02R7S5LNqXa0gAuU_R6bCWpZdWe2uLMkdpu5KHbDgW08g-uaP_nceDOk";
+
+ Y_UNIT_TEST(BlackboxEnvToTvmIdTest) {
+ UNIT_ASSERT_VALUES_EQUAL("222", NBlackboxTvmId::Prod);
+ UNIT_ASSERT_VALUES_EQUAL("224", NBlackboxTvmId::Test);
+ UNIT_ASSERT_VALUES_EQUAL("223", NBlackboxTvmId::ProdYateam);
+ UNIT_ASSERT_VALUES_EQUAL("225", NBlackboxTvmId::TestYateam);
+ UNIT_ASSERT_VALUES_EQUAL("226", NBlackboxTvmId::Stress);
+ UNIT_ASSERT_VALUES_EQUAL("239", NBlackboxTvmId::Mimino);
+ }
+
+ Y_UNIT_TEST(Case1Test) {
+ TUserContext context1(TA_EBlackboxEnv::TA_BE_TEST, NTvmAuth::NUnittest::TVMKNIFE_PUBLIC_KEYS);
+
+ TCheckedUserTicket checkedTicket1 = context1.Check("2:serv:CgYIDRCUkQYQDBgcIgdiYjpzZXNzIghiYjpzZXNzMg:ERmeH_yzC7K_QsoHTyw7llCsyExEz3CoEopPIuivA0ZAtTaFq_Pa0l9Fhhx_NX9WpOp2CPyY5cFc4PXhcO83jCB7-EGvHNxGN-j2NQalERzPiKqkDCO0Q5etLzSzrfTlvMz7sXDvELNBHyA0PkAQnbz4supY0l-0Q6JBYSEF3zOVMjjE-HeQIFL3ats3_PakaUMWRvgQQ88pVdYZqAtbDw9PlTla7ommygVZQjcfNFXV1pJKRgOCLs-YyCjOJHLKL04zYj0X6KsOCTUeqhj7ml96wLZ-g1X9tyOR2WAr2Ctq7wIEHwqhxOLgOSKqm05xH6Vi3E_hekf50oe2jPfKEA");
+ UNIT_ASSERT_EQUAL(TA_EErrorCode::TA_EC_UNSUPPORTED_VERSION, checkedTicket1.GetStatus());
+ UNIT_ASSERT(!checkedTicket1);
+
+ TUserContext context2 = std::move(context1);
+ TUserContext context3(std::move(context2));
+ TCheckedUserTicket checkedTicket2 = context3.Check(VALID_USER_TICKET_1);
+ UNIT_ASSERT_EQUAL(TA_EErrorCode::TA_EC_OK, checkedTicket2.GetStatus());
+ TCheckedUserTicket checkedTicket3 = std::move(checkedTicket2);
+ TCheckedUserTicket checkedTicket4(std::move(checkedTicket3));
+ UNIT_ASSERT_EQUAL(TA_EErrorCode::TA_EC_OK, checkedTicket4.GetStatus());
+ }
+
+ Y_UNIT_TEST(ContextExceptionsText) {
+ UNIT_ASSERT_EXCEPTION(TUserContext(TA_EBlackboxEnv::TA_BE_PROD, EMPTY_TVM_KEYS), TEmptyTvmKeysException);
+ UNIT_ASSERT_EXCEPTION(TUserContext(TA_EBlackboxEnv::TA_BE_PROD, MALFORMED_TVM_KEYS), TMalformedTvmKeysException);
+ UNIT_ASSERT_EXCEPTION(TUserContext(TA_EBlackboxEnv::TA_BE_PROD, "adcvxcv./-+"), TMalformedTvmKeysException);
+ }
+
+ Y_UNIT_TEST(Ticket1Test) {
+ TUserContext context(TA_EBlackboxEnv::TA_BE_TEST, NTvmAuth::NUnittest::TVMKNIFE_PUBLIC_KEYS);
+ auto checkedTicket = context.Check(VALID_USER_TICKET_1);
+ UNIT_ASSERT_EQUAL(TA_EErrorCode::TA_EC_OK, checkedTicket.GetStatus());
+ UNIT_ASSERT_EQUAL(TUids({456, 123}), checkedTicket.GetUids());
+ UNIT_ASSERT_EQUAL(456, checkedTicket.GetDefaultUid());
+ UNIT_ASSERT_EQUAL(TScopes({"bb:sess1", "bb:sess2"}), checkedTicket.GetScopes());
+ UNIT_ASSERT(checkedTicket.HasScope("bb:sess1"));
+ UNIT_ASSERT(checkedTicket.HasScope("bb:sess2"));
+ UNIT_ASSERT(!checkedTicket.HasScope("bb:sess3"));
+ UNIT_ASSERT_EQUAL("ticket_type=user;expiration_time=9223372036854775807;scope=bb:sess1;scope=bb:sess2;default_uid=456;uid=456;uid=123;env=Test;", checkedTicket.DebugInfo());
+ }
+
+ Y_UNIT_TEST(Ticket2Test) {
+ TUserContext context(TA_EBlackboxEnv::TA_BE_TEST, NTvmAuth::NUnittest::TVMKNIFE_PUBLIC_KEYS);
+ auto checkedTicket = context.Check(VALID_USER_TICKET_2);
+ UNIT_ASSERT_EQUAL(TA_EErrorCode::TA_EC_OK, checkedTicket.GetStatus());
+ UNIT_ASSERT_VALUES_EQUAL("ticket_type=user;expiration_time=9223372036854775807;default_uid=456;uid=456;uid=123;env=Test;", checkedTicket.DebugInfo());
+ }
+
+ Y_UNIT_TEST(Ticket3Test) {
+ TUserContext context(TA_EBlackboxEnv::TA_BE_TEST, NTvmAuth::NUnittest::TVMKNIFE_PUBLIC_KEYS);
+ auto checkedTicket = context.Check(VALID_USER_TICKET_3);
+ UNIT_ASSERT_EQUAL(TA_EErrorCode::TA_EC_OK, checkedTicket.GetStatus());
+ UNIT_ASSERT_VALUES_EQUAL("ticket_type=user;expiration_time=9223372036854775807;scope=bb:sess1;scope=bb:sess10;scope=bb:sess100;scope=bb:sess11;scope=bb:sess12;scope=bb:sess13;scope=bb:sess14;scope=bb:sess15;scope=bb:sess16;scope=bb:sess17;scope=bb:sess18;scope=bb:sess19;scope=bb:sess2;scope=bb:sess20;scope=bb:sess21;scope=bb:sess22;scope=bb:sess23;scope=bb:sess24;scope=bb:sess25;scope=bb:sess26;scope=bb:sess27;scope=bb:sess28;scope=bb:sess29;scope=bb:sess3;scope=bb:sess30;scope=bb:sess31;scope=bb:sess32;scope=bb:sess33;scope=bb:sess34;scope=bb:sess35;scope=bb:sess36;scope=bb:sess37;scope=bb:sess38;scope=bb:sess39;scope=bb:sess4;scope=bb:sess40;scope=bb:sess41;scope=bb:sess42;scope=bb:sess43;scope=bb:sess44;scope=bb:sess45;scope=bb:sess46;scope=bb:sess47;scope=bb:sess48;scope=bb:sess49;scope=bb:sess5;scope=bb:sess50;scope=bb:sess51;scope=bb:sess52;scope=bb:sess53;scope=bb:sess54;scope=bb:sess55;scope=bb:sess56;scope=bb:sess57;scope=bb:sess58;scope=bb:sess59;scope=bb:sess6;scope=bb:sess60;scope=bb:sess61;scope=bb:sess62;scope=bb:sess63;scope=bb:sess64;scope=bb:sess65;scope=bb:sess66;scope=bb:sess67;scope=bb:sess68;scope=bb:sess69;scope=bb:sess7;scope=bb:sess70;scope=bb:sess71;scope=bb:sess72;scope=bb:sess73;scope=bb:sess74;scope=bb:sess75;scope=bb:sess76;scope=bb:sess77;scope=bb:sess78;scope=bb:sess79;scope=bb:sess8;scope=bb:sess80;scope=bb:sess81;scope=bb:sess82;scope=bb:sess83;scope=bb:sess84;scope=bb:sess85;scope=bb:sess86;scope=bb:sess87;scope=bb:sess88;scope=bb:sess89;scope=bb:sess9;scope=bb:sess90;scope=bb:sess91;scope=bb:sess92;scope=bb:sess93;scope=bb:sess94;scope=bb:sess95;scope=bb:sess96;scope=bb:sess97;scope=bb:sess98;scope=bb:sess99;default_uid=456;uid=0;uid=1;uid=2;uid=3;uid=4;uid=5;uid=6;uid=7;uid=8;uid=9;uid=10;uid=11;uid=12;uid=13;uid=14;uid=15;uid=16;uid=17;uid=18;uid=19;uid=20;uid=21;uid=22;uid=23;uid=24;uid=25;uid=26;uid=27;uid=28;uid=29;uid=30;uid=31;uid=32;uid=33;uid=34;uid=35;uid=36;uid=37;uid=38;uid=39;uid=40;uid=41;uid=42;uid=43;uid=44;uid=45
;uid=46;uid=47;uid=48;uid=49;uid=50;uid=51;uid=52;uid=53;uid=54;uid=55;uid=56;uid=57;uid=58;uid=59;uid=60;uid=61;uid=62;uid=63;uid=64;uid=65;uid=66;uid=67;uid=68;uid=69;uid=70;uid=71;uid=72;uid=73;uid=74;uid=75;uid=76;uid=77;uid=78;uid=79;uid=80;uid=81;uid=82;uid=83;uid=84;uid=85;uid=86;uid=87;uid=88;uid=89;uid=90;uid=91;uid=92;uid=93;uid=94;uid=95;uid=96;uid=97;uid=98;uid=99;uid=100;uid=101;uid=102;uid=103;uid=104;uid=105;uid=106;uid=107;uid=108;uid=109;uid=110;uid=111;uid=112;uid=113;uid=114;uid=115;uid=116;uid=117;uid=118;uid=119;uid=120;uid=121;uid=122;uid=123;uid=124;uid=125;uid=126;uid=127;uid=128;uid=129;uid=130;uid=131;uid=132;uid=133;uid=134;uid=135;uid=136;uid=137;uid=138;uid=139;uid=140;uid=141;uid=142;uid=143;uid=144;uid=145;uid=146;uid=147;uid=148;uid=149;uid=150;uid=151;uid=152;uid=153;uid=154;uid=155;uid=156;uid=157;uid=158;uid=159;uid=160;uid=161;uid=162;uid=163;uid=164;uid=165;uid=166;uid=167;uid=168;uid=169;uid=170;uid=171;uid=172;uid=173;uid=174;uid=175;uid=176;uid=177;uid=178;uid=179;uid=180;uid=181;uid=182;uid=183;uid=184;uid=185;uid=186;uid=187;uid=188;uid=189;uid=190;uid=191;uid=192;uid=193;uid=194;uid=195;uid=196;uid=197;uid=198;uid=199;uid=200;uid=201;uid=202;uid=203;uid=204;uid=205;uid=206;uid=207;uid=208;uid=209;uid=210;uid=211;uid=212;uid=213;uid=214;uid=215;uid=216;uid=217;uid=218;uid=219;uid=220;uid=221;uid=222;uid=223;uid=224;uid=225;uid=226;uid=227;uid=228;uid=229;uid=230;uid=231;uid=232;uid=233;uid=234;uid=235;uid=236;uid=237;uid=238;uid=239;uid=240;uid=241;uid=242;uid=243;uid=244;uid=245;uid=246;uid=247;uid=248;uid=249;uid=250;uid=251;uid=252;uid=253;uid=254;uid=255;uid=256;uid=257;uid=258;uid=259;uid=260;uid=261;uid=262;uid=263;uid=264;uid=265;uid=266;uid=267;uid=268;uid=269;uid=270;uid=271;uid=272;uid=273;uid=274;uid=275;uid=276;uid=277;uid=278;uid=279;uid=280;uid=281;uid=282;uid=283;uid=284;uid=285;uid=286;uid=287;uid=288;uid=289;uid=290;uid=291;uid=292;uid=293;uid=294;uid=295;uid=296;uid=297;uid=298;uid=299;uid=300;uid=301;uid=3
02;uid=303;uid=304;uid=305;uid=306;uid=307;uid=308;uid=309;uid=310;uid=311;uid=312;uid=313;uid=314;uid=315;uid=316;uid=317;uid=318;uid=319;uid=320;uid=321;uid=322;uid=323;uid=324;uid=325;uid=326;uid=327;uid=328;uid=329;uid=330;uid=331;uid=332;uid=333;uid=334;uid=335;uid=336;uid=337;uid=338;uid=339;uid=340;uid=341;uid=342;uid=343;uid=344;uid=345;uid=346;uid=347;uid=348;uid=349;uid=350;uid=351;uid=352;uid=353;uid=354;uid=355;uid=356;uid=357;uid=358;uid=359;uid=360;uid=361;uid=362;uid=363;uid=364;uid=365;uid=366;uid=367;uid=368;uid=369;uid=370;uid=371;uid=372;uid=373;uid=374;uid=375;uid=376;uid=377;uid=378;uid=379;uid=380;uid=381;uid=382;uid=383;uid=384;uid=385;uid=386;uid=387;uid=388;uid=389;uid=390;uid=391;uid=392;uid=393;uid=394;uid=395;uid=396;uid=397;uid=398;uid=399;uid=400;uid=401;uid=402;uid=403;uid=404;uid=405;uid=406;uid=407;uid=408;uid=409;uid=410;uid=411;uid=412;uid=413;uid=414;uid=415;uid=416;uid=417;uid=418;uid=419;uid=420;uid=421;uid=422;uid=423;uid=424;uid=425;uid=426;uid=427;uid=428;uid=429;uid=430;uid=431;uid=432;uid=433;uid=434;uid=435;uid=436;uid=437;uid=438;uid=439;uid=440;uid=441;uid=442;uid=443;uid=444;uid=445;uid=446;uid=447;uid=448;uid=449;uid=450;uid=451;uid=452;uid=453;uid=454;uid=455;uid=456;uid=457;uid=458;uid=459;uid=460;uid=461;uid=462;uid=463;uid=464;uid=465;uid=466;uid=467;uid=468;uid=469;uid=470;uid=471;uid=472;uid=473;uid=474;uid=475;uid=476;uid=477;uid=478;uid=479;uid=480;uid=481;uid=482;uid=483;uid=484;uid=485;uid=486;uid=487;uid=488;uid=489;uid=490;uid=491;uid=492;uid=493;uid=494;uid=495;uid=496;uid=497;uid=498;uid=499;env=Test;", checkedTicket.DebugInfo());
+ }
+
+ Y_UNIT_TEST(TicketErrorsTest) {
+ TUserContext contextTest(TA_EBlackboxEnv::TA_BE_TEST, NTvmAuth::NUnittest::TVMKNIFE_PUBLIC_KEYS);
+ auto checkedTicket1 = contextTest.Check(UNSUPPORTED_VERSION_USER_TICKET);
+ UNIT_ASSERT_EQUAL(TA_EErrorCode::TA_EC_UNSUPPORTED_VERSION, checkedTicket1.GetStatus());
+
+ auto checkedTicket2 = contextTest.Check(EXPIRED_USER_TICKET);
+ UNIT_ASSERT_EQUAL(TA_EErrorCode::TA_EC_EXPIRED_TICKET, checkedTicket2.GetStatus());
+
+ TUserContext contextProd(TA_EBlackboxEnv::TA_BE_PROD, NTvmAuth::NUnittest::TVMKNIFE_PUBLIC_KEYS);
+ auto checkedTicket3 = contextProd.Check(VALID_USER_TICKET_1);
+ UNIT_ASSERT_EQUAL(TA_EErrorCode::TA_EC_INVALID_BLACKBOX_ENV, checkedTicket3.GetStatus());
+ }
+
+ Y_UNIT_TEST(TicketExceptionsTest) {
+ TUserContext contextTest(TA_EBlackboxEnv::TA_BE_TEST, NTvmAuth::NUnittest::TVMKNIFE_PUBLIC_KEYS);
+ auto checkedTicket = contextTest.Check(EXPIRED_USER_TICKET);
+ UNIT_ASSERT_EQUAL(TA_EErrorCode::TA_EC_EXPIRED_TICKET, checkedTicket.GetStatus());
+
+ UNIT_ASSERT_EXCEPTION(checkedTicket.GetDefaultUid(), TNotAllowedException);
+ UNIT_ASSERT_EXCEPTION(checkedTicket.GetUids(), TNotAllowedException);
+ UNIT_ASSERT_EXCEPTION(checkedTicket.GetScopes(), TNotAllowedException);
+ UNIT_ASSERT_EXCEPTION(checkedTicket.HasScope(""), TNotAllowedException);
+ UNIT_ASSERT_NO_EXCEPTION(bool(checkedTicket));
+ UNIT_ASSERT_NO_EXCEPTION(checkedTicket.DebugInfo());
+ UNIT_ASSERT_NO_EXCEPTION(checkedTicket.GetStatus());
+ }
+
+ Y_UNIT_TEST(ResetKeysTest) {
+ TUserContext context(TA_EBlackboxEnv::TA_BE_TEST, NTvmAuth::NUnittest::TVMKNIFE_PUBLIC_KEYS);
+ auto checkedTicket = context.Check(VALID_USER_TICKET_1);
+ UNIT_ASSERT_EQUAL(TA_EErrorCode::TA_EC_OK, checkedTicket.GetStatus());
+ }
+
+ Y_UNIT_TEST(Consts) {
+ UNIT_ASSERT_VALUES_EQUAL("222", NBlackboxTvmId::Prod);
+ UNIT_ASSERT_VALUES_EQUAL("224", NBlackboxTvmId::Test);
+ UNIT_ASSERT_VALUES_EQUAL("223", NBlackboxTvmId::ProdYateam);
+ UNIT_ASSERT_VALUES_EQUAL("225", NBlackboxTvmId::TestYateam);
+ UNIT_ASSERT_VALUES_EQUAL("226", NBlackboxTvmId::Stress);
+ UNIT_ASSERT_VALUES_EQUAL("239", NBlackboxTvmId::Mimino);
+ }
+}
diff --git a/library/c/tvmauth/src/ut_export/main.c b/library/c/tvmauth/src/ut_export/main.c
new file mode 100644
index 0000000000..d9147c76fd
--- /dev/null
+++ b/library/c/tvmauth/src/ut_export/main.c
@@ -0,0 +1,188 @@
+// DO_NOT_STYLE
+#include <stdio.h>
+#include <string.h>
+
+#include <deprecated.h>
+#include <high_lvl_client.h>
+#include <tvmauth.h>
+
+void foo(int lvl, const char* msg) {
+ (void)lvl;
+ (void)msg;
+ fprintf(stderr, "%s\n", msg);
+}
+
+int main(int argc, char** argv) {
+ (void)argc;
+ (void)argv;
+
+ const char tvmKeys[] = "";
+ const char clientSecret[] = "";
+ const uint32_t tvmId = 123;
+ const char srvTicket[] = "";
+ const char usrTicket[] = "";
+
+ const char* ts = "100500";
+ const char* dst = "456";
+ const char* scopes = "";
+
+ /* Service context */
+ struct TA_TServiceContext* srvCtx = NULL;
+ enum TA_EErrorCode code = TA_CreateServiceContext(
+ tvmId,
+ clientSecret,
+ sizeof(clientSecret),
+ tvmKeys,
+ sizeof(tvmKeys),
+ &srvCtx);
+
+ struct TA_TCheckedServiceTicket* st = NULL;
+ code = TA_CheckServiceTicket(srvCtx, srvTicket, sizeof(srvTicket), &st);
+
+ uint32_t src = 0;
+ code = TA_GetServiceTicketSrc(st, &src);
+
+ size_t count = 0;
+ const char* scope = NULL;
+ int check = 0;
+
+ char debugInfo[512];
+ code = TA_GetServiceTicketDebugInfo(st, debugInfo, &count, sizeof(debugInfo));
+
+ uint64_t issuer = 0;
+ code = TA_GetServiceTicketIssuerUid(st, &issuer);
+
+ const char* sub = NULL;
+ code = TA_RemoveTicketSignature(srvTicket, sizeof(srvTicket), &sub, &count);
+
+ char sign[512];
+ code = TA_SignCgiParamsForTvm(
+ srvCtx,
+ ts,
+ sizeof(ts),
+ dst,
+ sizeof(dst),
+ scopes,
+ sizeof(scopes),
+ sign,
+ &count,
+ sizeof(sign));
+
+ code = TA_DeleteServiceTicket(st);
+ code = TA_DeleteServiceContext(srvCtx);
+
+ /* User context */
+ struct TA_TUserContext* usrCtx = NULL;
+ code = TA_CreateUserContext(
+ TA_BE_TEST,
+ tvmKeys,
+ sizeof(tvmKeys),
+ &usrCtx);
+
+ struct TA_TCheckedUserTicket* ut = NULL;
+ code = TA_CheckUserTicket(usrCtx, usrTicket, sizeof(usrTicket), &ut);
+
+ code = TA_GetUserTicketUidsCount(ut, &count);
+
+ uint64_t uid = 0;
+ code = TA_GetUserTicketUid(ut, 0, &uid);
+ code = TA_GetUserTicketDefaultUid(ut, &uid);
+
+ code = TA_GetUserTicketScopesCount(ut, &count);
+ code = TA_GetUserTicketScope(ut, 0, &scope);
+
+ code = TA_HasUserTicketScope(ut, "scope", 5, &check);
+
+ code = TA_GetUserTicketDebugInfo(ut, debugInfo, &count, sizeof(debugInfo));
+
+ code = TA_DeleteUserTicket(ut);
+ code = TA_DeleteUserContext(usrCtx);
+
+ code = TA_RemoveTicketSignature(usrTicket, sizeof(usrTicket), &sub, &count);
+
+ /* Etc */
+ const char* ver = TA_LibVersion();
+ (void)ver;
+ const char* msg = TA_ErrorCodeToString(TA_EC_DEPRECATED);
+ (void)msg;
+
+ printf("%s", TA_BlackboxTvmIdProd);
+ printf("%s", TA_BlackboxTvmIdTest);
+ printf("%s", TA_BlackboxTvmIdProdYateam);
+ printf("%s", TA_BlackboxTvmIdTestYateam);
+ printf("%s", TA_BlackboxTvmIdStress);
+ printf("%s", TA_BlackboxTvmIdMimino);
+
+
+ /* TVM client */
+ struct TA_TTvmApiClientSettings* settings = NULL;
+ code = TA_TvmApiClientSettings_Create(&settings);
+ code = TA_TvmApiClientSettings_SetDiskCacheDir(settings, "", 0);
+
+ char ticket[512];
+ size_t size = 0;
+ struct TA_TTvmClient* client = NULL;
+ TA_TLoggerFunc l = &foo;
+ code = TA_TvmClient_Create(settings, l, &client);
+ code = TA_TvmClient_CheckServiceTicket(client, "", 0, &st);
+ code = TA_TvmClient_CheckUserTicket(client, "", 0, &ut);
+ code = TA_TvmClient_CheckUserTicketWithOverridedEnv(client, "", 0, TA_BE_TEST, &ut);
+ struct TA_TTvmClientStatus* status = NULL;
+ code = TA_TvmClient_GetStatus(client, &status);
+ enum TA_ETvmClientStatusCode statusCode;
+ code = TA_TvmClient_Status_GetCode(status, &statusCode);
+ code = TA_TvmClient_Status_GetLastError(status, &msg, &size);
+ code = TA_TvmClient_DeleteStatus(status);
+ code = TA_TvmClient_GetServiceTicketForAlias(client, "q", 1, 512, ticket, &size);
+ code = TA_TvmClient_GetServiceTicketForTvmId(client, 100500, 512, ticket, &size);
+ code = TA_TvmClient_Delete(client);
+ code = TA_TvmApiClientSettings_Delete(settings);
+
+ settings = NULL;
+ code = TA_TvmApiClientSettings_SetSelfTvmId(settings, 100500);
+ code = TA_TvmApiClientSettings_EnableServiceTicketChecking(settings);
+ code = TA_TvmApiClientSettings_EnableUserTicketChecking(settings, TA_BE_TEST);
+ code = TA_TvmApiClientSettings_EnableServiceTicketsFetchOptionsWithAliases(settings, "qwe", 3, ";", 1);
+ code = TA_TvmApiClientSettings_EnableServiceTicketsFetchOptionsWithTvmIds(settings, "qwe", 3, ";", 1);
+
+ struct TA_TTvmToolClientSettings* setts = NULL;
+ code = TA_TvmToolClientSettings_Create("me", 2, &setts);
+ code = TA_TvmToolClientSettings_SetPort(setts, 1);
+ code = TA_TvmToolClientSettings_SetHostname(setts, "localhost", 9);
+ code = TA_TvmToolClientSettings_SetAuthToken(setts, "qwe", 3);
+ code = TA_TvmToolClientSettings_OverrideBlackboxEnv(setts, TA_BE_TEST);
+
+ client = NULL;
+ code = TA_TvmClient_CreateForTvmtool(setts, foo, &client);
+ code = TA_TvmClient_Delete(client);
+ code = TA_TvmToolClientSettings_Delete(setts);
+
+ code = TA_EC_OK;
+ code = TA_EC_DEPRECATED;
+ code = TA_EC_EMPTY_TVM_KEYS;
+ code = TA_EC_EXPIRED_TICKET;
+ code = TA_EC_INVALID_BLACKBOX_ENV;
+ code = TA_EC_INVALID_DST;
+ code = TA_EC_INVALID_PARAM;
+ code = TA_EC_INVALID_TICKET_TYPE;
+ code = TA_EC_MALFORMED_TICKET;
+ code = TA_EC_MALFORMED_TVM_KEYS;
+ code = TA_EC_MALFORMED_TVM_SECRET;
+ code = TA_EC_MISSING_KEY;
+ code = TA_EC_NOT_ALLOWED;
+ code = TA_EC_SIGN_BROKEN;
+ code = TA_EC_SMALL_BUFFER;
+ code = TA_EC_UNEXPECTED_ERROR;
+ code = TA_EC_UNSUPPORTED_VERSION;
+ code = TA_EC_BROKEN_TVM_CLIENT_SETTINGS;
+ code = TA_EC_PERMISSION_DENIED_TO_CACHE_DIR;
+ code = TA_EC_FAILED_TO_START_TVM_CLIENT;
+
+ enum TA_EBlackboxEnv env = TA_BE_PROD;
+ env = TA_BE_TEST;
+ env = TA_BE_PROD_YATEAM;
+ env = TA_BE_TEST_YATEAM;
+ env = TA_BE_STRESS;
+
+ return 0;
+}
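Review bot: In the `TA_SignCgiParamsForTvm` call, `sizeof(ts)`, `sizeof(dst)` and `sizeof(scopes)` are applied to `const char*` variables, so each passes the pointer size rather than the string length. For `"456"` and `""` that length runs past the end of the literal if the callee ever reads it. `<string.h>` is already included, so the arguments can be `strlen(ts)`, `strlen(dst)` and `strlen(scopes)`. The `sizeof(srvTicket)`-style arguments are taken on arrays and are well defined, though they count the terminating NUL. Since every return code is overwritten unread, a leading comment such as `/* Link/export test only: return codes are ignored on purpose */` would keep the file from being read as a usage example.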
diff --git a/library/c/tvmauth/src/ut_export/main.cpp b/library/c/tvmauth/src/ut_export/main.cpp
new file mode 100644
index 0000000000..bd3e98eac2
--- /dev/null
+++ b/library/c/tvmauth/src/ut_export/main.cpp
@@ -0,0 +1,140 @@
+// DO_NOT_STYLE
+#include <stdio.h>
+
+#include <deprecated_wrapper.h>
+#include <high_lvl_wrapper.h>
+#include <tvmauth_wrapper.h>
+
+void foo(int lvl, const char* msg) {
+ (void)lvl;
+ (void)msg;
+ fprintf(stderr, "%s\n", msg);
+}
+
+int main() {
+ try {
+ const char tvmKeys[] = "";
+ const char clientSecret[] = "";
+ const uint32_t tvmId = 123;
+ const char srvTicket[] = "";
+ const char usrTicket[] = "";
+
+ NTvmAuthWrapper::TScopes sco = std::vector<std::string>();
+ (void)sco;
+ NTvmAuthWrapper::TUids ui = std::vector<uint64_t>();
+ (void)ui;
+
+ NTvmAuthWrapper::TTvmId id = 17;
+ (void)id;
+
+ const char* i = NTvmAuthWrapper::NBlackboxTvmId::Prod;
+ i = NTvmAuthWrapper::NBlackboxTvmId::Test;
+ i = NTvmAuthWrapper::NBlackboxTvmId::ProdYateam;
+ i = NTvmAuthWrapper::NBlackboxTvmId::TestYateam;
+ i = NTvmAuthWrapper::NBlackboxTvmId::Stress;
+ i = NTvmAuthWrapper::NBlackboxTvmId::Mimino;
+
+ const char* ts = "100500";
+ const char* dst = "456";
+ const char* scopes = "";
+
+ /* Service context */
+ NTvmAuthWrapper::TServiceContext srvCtx(tvmId, clientSecret, tvmKeys);
+
+ srvCtx = NTvmAuthWrapper::TServiceContext::CheckingFactory(tvmId, tvmKeys);
+ srvCtx = NTvmAuthWrapper::TServiceContext::SigningFactory(clientSecret, tvmId);
+ srvCtx = NTvmAuthWrapper::TServiceContext::SigningFactory(clientSecret);
+
+ NTvmAuthWrapper::TCheckedServiceTicket st = srvCtx.Check(srvTicket);
+ bool r = bool(st);
+
+ TA_EErrorCode status = st.GetStatus();
+ uint32_t src = st.GetSrc();
+ (void)src;
+
+ std::string debugInfo = st.DebugInfo();
+ uint64_t issuer = st.GetIssuerUid();
+ (void)issuer;
+
+ std::string sub = NTvmAuthWrapper::RemoveTicketSignature(srvTicket);
+
+ std::string sign = srvCtx.SignCgiParamsForTvm(ts, dst, scopes);
+ (void)sign;
+
+ /* User context */
+ NTvmAuthWrapper::TUserContext usrCtx(TA_BE_TEST, tvmKeys);
+
+ NTvmAuthWrapper::TCheckedUserTicket ut = usrCtx.Check(usrTicket);
+ r = bool(ut);
+ status = ut.GetStatus();
+
+ NTvmAuthWrapper::TUids uids = ut.GetUids();
+ (void)uids;
+
+ NTvmAuthWrapper::TUid uid = ut.GetDefaultUid();
+ (void)uid;
+
+ NTvmAuthWrapper::TScopes sc = ut.GetScopes();
+ bool hasScope = ut.HasScope(scopes);
+
+ debugInfo = ut.DebugInfo();
+
+ /* Etc */
+ std::string ver = NTvmAuthWrapper::LibVersion();
+ (void)ver;
+
+ printf("OK");
+
+ {
+ NTvmAuthWrapper::TTvmApiClientSettings settings;
+
+ NTvmAuthWrapper::TTvmClient client(settings, foo);
+ NTvmAuthWrapper::TClientStatus code = client.GetStatus();
+ NTvmAuthWrapper::ThrowIfFatal(TA_EC_OK);
+ st = client.CheckServiceTicket("");
+ ut = client.CheckUserTicket("");
+ ut = client.CheckUserTicket("", TA_BE_TEST);
+
+ std::string t = client.GetServiceTicketFor("asd");
+ t = client.GetServiceTicketFor(100500);
+
+ settings.SetSelfTvmId(100500);
+ settings.EnableServiceTicketChecking();
+ settings.EnableUserTicketChecking(TA_BE_TEST);
+ settings.EnableServiceTicketsFetchOptions(
+ "aaaaaaaaaaaaaaaa",
+ NTvmAuthWrapper::TTvmApiClientSettings::TDstVector({19, 234}));
+ settings.EnableServiceTicketsFetchOptions(
+ "aaaaaaaaaaaaaaaa",
+ NTvmAuthWrapper::TTvmApiClientSettings::TDstMap({
+ {"foo", 19},
+ {"bar", 234},
+ }));
+ settings.SetDiskCacheDir("");
+ }
+
+ {
+ NTvmAuthWrapper::TTvmToolClientSettings settings("me");
+ settings.SetPort(1);
+ settings.SetHostname("localhost");
+ settings.SetAuthtoken("qwe");
+ settings.OverrideBlackboxEnv(TA_BE_TEST);
+ NTvmAuthWrapper::TTvmClient(settings, foo);
+ }
+
+ NTvmAuthWrapper::TTvmApiClientSettings::TDst d(17);
+ (void)d;
+ NTvmAuthWrapper::TTvmApiClientSettings::TAlias t = std::string("123");
+ (void)t;
+
+ } catch (const NTvmAuthWrapper::TContextException&) {
+ } catch (const NTvmAuthWrapper::TEmptyTvmKeysException&) {
+ } catch (const NTvmAuthWrapper::TMalformedTvmKeysException&) {
+ } catch (const NTvmAuthWrapper::TMalformedTvmSecretException&) {
+ } catch (const NTvmAuthWrapper::TNotAllowedException&) {
+ } catch (const NTvmAuthWrapper::TTvmException&) {
+ } catch (...) {
+ }
+
+ return 0;
+}
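Review bot: The `try` block in `main` ends in a chain of empty handlers closed by `catch (...) {}`, followed by an unconditional `return 0`, so the program reports success whatever the library does at run time. With `tvmKeys` empty, the first `TServiceContext` constructor probably throws and the rest of the block never runs; that is inferred from the `TEmptyTvmKeysException` handler, as the wrapper header is not shown here. If the intent is only to prove that the exported headers compile and link, say so at the top of the file, for example `// Link/export smoke test: only compilation and symbol resolution are checked; runtime failures are ignored on purpose.` Without that comment the swallowed exceptions read as an error-handling pattern to copy.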
diff --git a/library/c/tvmauth/src/ut_export/test.py b/library/c/tvmauth/src/ut_export/test.py
new file mode 100644
index 0000000000..ace755b4ab
--- /dev/null
+++ b/library/c/tvmauth/src/ut_export/test.py
@@ -0,0 +1,56 @@
+import os
+import subprocess
+import sys
+
+import yatest.common as yc
+
+
+def test_run():
+ lib_path = yc.build_path() + '/library/c/tvmauth/so/'
+ include_path = yc.source_path() + '/library/c/tvmauth/'
+ test_c_file = yc.source_path() + '/library/c/tvmauth/src/ut_export/main.c'
+ test_cxx_file = yc.source_path() + '/library/c/tvmauth/src/ut_export/main.cpp'
+ global_resources = yc.global_resources()
+ sysroot = []
+ os_sdk = (
+ global_resources.get('SYSROOT_FOR_TEST_RESOURCE_GLOBAL')
+ or global_resources.get('OS_SDK_ROOT_RESOURCE_GLOBAL')
+ or global_resources.get('MACOS_SDK_RESOURCE_GLOBAL')
+ )
+ if os_sdk:
+ sysroot = ['--sysroot', os_sdk]
+ env = os.environ.copy()
+ env.clear()
+ env['LD_LIBRARY_PATH'] = lib_path + ':'
+ if global_resources.get('LD_FOR_TEST_RESOURCE_GLOBAL'):
+ env['PATH'] = global_resources.get('LD_FOR_TEST_RESOURCE_GLOBAL')
+ if global_resources.get('COMPILER_FOR_TEST_RESOURCE_GLOBAL'):
+ env['LD_LIBRARY_PATH'] += global_resources.get('COMPILER_FOR_TEST_RESOURCE_GLOBAL') + '/lib/:'
+ if os_sdk:
+ env['LD_LIBRARY_PATH'] += os_sdk + '/usr/lib/x86_64-linux-gnu/'
+ subprocess.check_call(
+ [yc.c_compiler_path(), '-I' + include_path, '-L' + lib_path, '-ltvmauth', '-std=c99', '-Werror', test_c_file] + sysroot,
+ env=env,
+ )
+ subprocess.check_call(
+ [
+ './a.out',
+ ],
+ env=env,
+ stdout=sys.stdout,
+ stderr=sys.stderr,
+ )
+
+ subprocess.check_call(
+ [yc.cxx_compiler_path(), '-I' + include_path, '-L' + lib_path, '-ltvmauth', '-std=c++11', '-Werror', test_cxx_file]
+ + sysroot,
+ env=env,
+ )
+ subprocess.check_call(
+ [
+ './a.out',
+ ],
+ env=env,
+ stdout=sys.stdout,
+ stderr=sys.stderr,
+ )
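Review bot: `env['LD_LIBRARY_PATH']` in `test_run` is built by appending `':'`-terminated pieces, so when `os_sdk` is not set the value ends in a colon. glibc's loader treats an empty entry as the current working directory, which here is the directory where `./a.out` is written and run. Collecting the directories in a list and joining them avoids the empty entry. `env = os.environ.copy()` followed by `env.clear()` is just an empty dict and can be written as one. Separately, both compiler invocations write the default `a.out`; giving each an explicit `-o` name would stop the C++ build from overwriting the C binary.

```python
    env = {}
    ld_paths = [lib_path]
    # … unchanged: PATH from LD_FOR_TEST_RESOURCE_GLOBAL …
    if global_resources.get('COMPILER_FOR_TEST_RESOURCE_GLOBAL'):
        ld_paths.append(global_resources.get('COMPILER_FOR_TEST_RESOURCE_GLOBAL') + '/lib/')
    if os_sdk:
        ld_paths.append(os_sdk + '/usr/lib/x86_64-linux-gnu/')
    env['LD_LIBRARY_PATH'] = ':'.join(ld_paths)
```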
diff --git a/library/c/tvmauth/src/utils.h b/library/c/tvmauth/src/utils.h
new file mode 100644
index 0000000000..27122cc012
--- /dev/null
+++ b/library/c/tvmauth/src/utils.h
@@ -0,0 +1,103 @@
+#pragma once
+
+#include <library/c/tvmauth/high_lvl_client.h>
+#include <library/c/tvmauth/tvmauth.h>
+
+#include <library/cpp/tvmauth/ticket_status.h>
+#include <library/cpp/tvmauth/client/misc/async_updater.h>
+#include <library/cpp/tvmauth/client/misc/api/threaded_updater.h>
+#include <library/cpp/tvmauth/client/misc/tool/threaded_updater.h>
+#include <library/cpp/tvmauth/src/utils.h>
+
+#include <string>
+
+namespace NTvmAuth {
+ class TTvmClient;
+}
+
+namespace NTvmAuthC::NUtils {
+ inline TA_EErrorCode CppErrorCodeToC(NTvmAuth::ETicketStatus cppCode) {
+ switch (cppCode) {
+ case NTvmAuth::ETicketStatus::Ok:
+ return TA_EC_OK;
+ case NTvmAuth::ETicketStatus::Expired:
+ return TA_EC_EXPIRED_TICKET;
+ case NTvmAuth::ETicketStatus::InvalidBlackboxEnv:
+ return TA_EC_INVALID_BLACKBOX_ENV;
+ case NTvmAuth::ETicketStatus::InvalidDst:
+ return TA_EC_INVALID_DST;
+ case NTvmAuth::ETicketStatus::InvalidTicketType:
+ return TA_EC_INVALID_TICKET_TYPE;
+ case NTvmAuth::ETicketStatus::Malformed:
+ return TA_EC_MALFORMED_TICKET;
+ case NTvmAuth::ETicketStatus::MissingKey:
+ return TA_EC_MISSING_KEY;
+ case NTvmAuth::ETicketStatus::SignBroken:
+ return TA_EC_SIGN_BROKEN;
+ case NTvmAuth::ETicketStatus::UnsupportedVersion:
+ return TA_EC_UNSUPPORTED_VERSION;
+ default:
+ return TA_EC_UNEXPECTED_ERROR;
+ }
+ }
+
+ inline NTvmAuth::NTvmTool::TClientSettings* Translate(TA_TTvmToolClientSettings* p) {
+ return reinterpret_cast<NTvmAuth::NTvmTool::TClientSettings*>(p);
+ }
+ inline const NTvmAuth::NTvmTool::TClientSettings* Translate(const TA_TTvmToolClientSettings* p) {
+ return reinterpret_cast<const NTvmAuth::NTvmTool::TClientSettings*>(p);
+ }
+
+ inline TA_TTvmToolClientSettings* Translate(NTvmAuth::NTvmTool::TClientSettings* p) {
+ return reinterpret_cast<TA_TTvmToolClientSettings*>(p);
+ }
+
+ inline NTvmAuth::NTvmApi::TClientSettings* Translate(TA_TTvmApiClientSettings* p) {
+ return reinterpret_cast<NTvmAuth::NTvmApi::TClientSettings*>(p);
+ }
+ inline const NTvmAuth::NTvmApi::TClientSettings* Translate(const TA_TTvmApiClientSettings* p) {
+ return reinterpret_cast<const NTvmAuth::NTvmApi::TClientSettings*>(p);
+ }
+
+ inline TA_TTvmApiClientSettings* Translate(NTvmAuth::NTvmApi::TClientSettings* p) {
+ return reinterpret_cast<TA_TTvmApiClientSettings*>(p);
+ }
+
+ inline NTvmAuth::TTvmClient* Translate(TA_TTvmClient* p) {
+ return reinterpret_cast<NTvmAuth::TTvmClient*>(p);
+ }
+ inline const NTvmAuth::TTvmClient* Translate(const TA_TTvmClient* p) {
+ return reinterpret_cast<const NTvmAuth::TTvmClient*>(p);
+ }
+
+ inline TA_TTvmClient* Translate(NTvmAuth::TTvmClient* p) {
+ return reinterpret_cast<TA_TTvmClient*>(p);
+ }
+
+ inline TA_TCheckedUserTicket* Translate(NTvmAuth::TCheckedUserTicket::TImpl* p) {
+ return reinterpret_cast<TA_TCheckedUserTicket*>(p);
+ }
+ inline NTvmAuth::TCheckedUserTicket::TImpl* Translate(TA_TCheckedUserTicket* p) {
+ return reinterpret_cast<NTvmAuth::TCheckedUserTicket::TImpl*>(p);
+ }
+
+ inline TA_TCheckedServiceTicket* Translate(NTvmAuth::TCheckedServiceTicket::TImpl* p) {
+ return reinterpret_cast<TA_TCheckedServiceTicket*>(p);
+ }
+ inline NTvmAuth::TCheckedServiceTicket::TImpl* Translate(TA_TCheckedServiceTicket* p) {
+ return reinterpret_cast<NTvmAuth::TCheckedServiceTicket::TImpl*>(p);
+ }
+
+ inline TA_TTvmClientStatus* Translate(NTvmAuth::TClientStatus* p) {
+ return reinterpret_cast<TA_TTvmClientStatus*>(p);
+ }
+ inline const TA_TTvmClientStatus* Translate(const NTvmAuth::TClientStatus* p) {
+ return reinterpret_cast<const TA_TTvmClientStatus*>(p);
+ }
+ inline NTvmAuth::TClientStatus* Translate(TA_TTvmClientStatus* p) {
+ return reinterpret_cast<NTvmAuth::TClientStatus*>(p);
+ }
+ inline const NTvmAuth::TClientStatus* Translate(const TA_TTvmClientStatus* p) {
+ return reinterpret_cast<const NTvmAuth::TClientStatus*>(p);
+ }
+}
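Review bot: The checked-ticket handles get no const `Translate` overloads, unlike the settings, client and status handles. That is presumably why the accessors in tvmauth.cpp spell out `reinterpret_cast<const TCheckedUserTicket::TImpl*>(ticket)` by hand. Adding const overloads for `TA_TCheckedUserTicket` and `TA_TCheckedServiceTicket` keeps each handle-to-implementation pairing in this header, so a call site cannot cast to the wrong implementation type. A one-line comment above the group, saying a handle may only be translated back to the type it was created from, would record the contract these casts depend on.

```cpp
    // … unchanged: non-const TA_TCheckedUserTicket overloads …
    inline const NTvmAuth::TCheckedUserTicket::TImpl* Translate(const TA_TCheckedUserTicket* p) {
        return reinterpret_cast<const NTvmAuth::TCheckedUserTicket::TImpl*>(p);
    }

    // … unchanged: non-const TA_TCheckedServiceTicket overloads …
    inline const NTvmAuth::TCheckedServiceTicket::TImpl* Translate(const TA_TCheckedServiceTicket* p) {
        return reinterpret_cast<const NTvmAuth::TCheckedServiceTicket::TImpl*>(p);
    }
```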
diff --git a/library/c/tvmauth/tvmauth.cpp b/library/c/tvmauth/tvmauth.cpp
new file mode 100644
index 0000000000..ec7952d571
--- /dev/null
+++ b/library/c/tvmauth/tvmauth.cpp
@@ -0,0 +1,281 @@
+// DO_NOT_STYLE
+#include "tvmauth.h"
+
+#include "src/exception.h"
+#include "src/utils.h"
+
+#include <library/cpp/tvmauth/ticket_status.h>
+#include <library/cpp/tvmauth/version.h>
+#include <library/cpp/tvmauth/src/service_impl.h>
+#include <library/cpp/tvmauth/src/user_impl.h>
+#include <library/cpp/tvmauth/src/utils.h>
+
+#include <util/string/cast.h>
+
+using namespace NTvmAuth;
+using namespace NTvmAuthC;
+
+const char* TA_BlackboxTvmIdProd = "222";
+const char* TA_BlackboxTvmIdTest = "224";
+const char* TA_BlackboxTvmIdProdYateam = "223";
+const char* TA_BlackboxTvmIdTestYateam = "225";
+const char* TA_BlackboxTvmIdStress = "226";
+const char* TA_BlackboxTvmIdMimino = "239";
+
+const char* TA_ErrorCodeToString(enum TA_EErrorCode code) {
+ switch (code) {
+ case TA_EC_OK:
+ return "libtvmauth.so: OK";
+ case TA_EC_DEPRECATED:
+ return "libtvmauth.so: Deprecated function";
+ case TA_EC_EMPTY_TVM_KEYS:
+ return "libtvmauth.so: Empty TVM keys";
+ case TA_EC_EXPIRED_TICKET:
+ return "libtvmauth.so: Expired ticket";
+ case TA_EC_INVALID_BLACKBOX_ENV:
+ return "libtvmauth.so: Invalid BlackBox environment";
+ case TA_EC_INVALID_DST:
+ return "libtvmauth.so: Invalid ticket destination";
+ case TA_EC_INVALID_PARAM:
+ return "libtvmauth.so: Invalid function parameter";
+ case TA_EC_INVALID_TICKET_TYPE:
+ return "libtvmauth.so: Invalid ticket type";
+ case TA_EC_MALFORMED_TICKET:
+ return "libtvmauth.so: Malformed ticket";
+ case TA_EC_MALFORMED_TVM_KEYS:
+ return "libtvmauth.so: Malformed TVM keys";
+ case TA_EC_MALFORMED_TVM_SECRET:
+ return "libtvmauth.so: Malformed TVM secret: it is empty or invalid base64url";
+ case TA_EC_MISSING_KEY:
+ return "libtvmauth.so: Context does not have required key to check ticket: public keys are too old";
+ case TA_EC_NOT_ALLOWED:
+ return "libtvmauth.so: Not allowed method";
+ case TA_EC_SIGN_BROKEN:
+ return "libtvmauth.so: Invalid ticket signature";
+ case TA_EC_SMALL_BUFFER:
+ return "libtvmauth.so: Small buffer";
+ case TA_EC_UNEXPECTED_ERROR:
+ return "libtvmauth.so: Unexpected error";
+ case TA_EC_UNSUPPORTED_VERSION:
+ return "libtvmauth.so: Unsupported ticket version";
+ case TA_EC_BROKEN_TVM_CLIENT_SETTINGS:
+ return "libtvmauth.so: TVM settings are broken";
+ case TA_EC_PERMISSION_DENIED_TO_CACHE_DIR:
+ return "libtvmauth.so: Permission denied to cache dir";
+ case TA_EC_FAILED_TO_START_TVM_CLIENT:
+ return "libtvmauth.so: TvmClient failed to start with some reason (need to check logs)";
+ }
+
+ return "libtvmauth.so: Unknown error";
+}
+
+TA_EErrorCode TA_DeleteServiceTicket(TA_TCheckedServiceTicket* ticket) {
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ delete NTvmAuthC::NUtils::Translate(ticket);
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_GetServiceTicketSrc(
+ const TA_TCheckedServiceTicket* ticket,
+ uint32_t* srcTvmId) {
+ if (ticket == nullptr || srcTvmId == nullptr)
+ return TA_EC_INVALID_PARAM;
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ (*srcTvmId) = reinterpret_cast<const TCheckedServiceTicket::TImpl*>(ticket)->GetSrc();
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_GetServiceTicketDebugInfo(
+ const struct TA_TCheckedServiceTicket* ticket,
+ char* debugInfo,
+ size_t* debugInfoSize,
+ size_t maxDebugInfoSize) {
+ if (ticket == nullptr || debugInfoSize == nullptr)
+ return TA_EC_INVALID_PARAM;
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ const TString debugInfoStroka = reinterpret_cast<const TCheckedServiceTicket::TImpl*>(ticket)->DebugInfo();
+ (*debugInfoSize) = debugInfoStroka.size();
+ if (debugInfo == nullptr) {
+ return TA_EC_INVALID_PARAM;
+ }
+ if (maxDebugInfoSize < *debugInfoSize) {
+ return TA_EC_SMALL_BUFFER;
+ }
+ strcpy(debugInfo, debugInfoStroka.c_str());
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_GetServiceTicketIssuerUid(
+ const TA_TCheckedServiceTicket* ticket,
+ uint64_t* uid)
+{
+ if (ticket == nullptr || uid == nullptr)
+ return TA_EC_INVALID_PARAM;
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ TMaybe<TUid> u = reinterpret_cast<const TCheckedServiceTicket::TImpl*>(ticket)->GetIssuerUid();
+ *uid = u ? *u : 0;
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_RemoveTicketSignature(
+ const char* ticketBody,
+ size_t ticketBodySize,
+ const char** logableTicket,
+ size_t* logableTicketSize) {
+ if (ticketBody == nullptr || logableTicket == nullptr || logableTicketSize == nullptr)
+ return TA_EC_INVALID_PARAM;
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ TStringBuf tempLogableTicket = NTvmAuth::NUtils::RemoveTicketSignature(TStringBuf(ticketBody, ticketBodySize));
+ (*logableTicket) = tempLogableTicket.data();
+ (*logableTicketSize) = tempLogableTicket.size();
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_DeleteUserTicket(
+ TA_TCheckedUserTicket* ticket) {
+ if (ticket == nullptr)
+ return TA_EC_INVALID_PARAM;
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ delete NTvmAuthC::NUtils::Translate(ticket);
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_GetUserTicketUidsCount(
+ const TA_TCheckedUserTicket* ticket,
+ size_t* count) {
+ if (ticket == nullptr || count == nullptr)
+ return TA_EC_INVALID_PARAM;
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ (*count) = reinterpret_cast<const TCheckedUserTicket::TImpl*>(ticket)->GetUids().size();
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_GetUserTicketUid(
+ const TA_TCheckedUserTicket* ticket,
+ size_t idx,
+ uint64_t* uid) {
+ if (ticket == nullptr || uid == nullptr)
+ return TA_EC_INVALID_PARAM;
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ (*uid) = reinterpret_cast<const TCheckedUserTicket::TImpl*>(ticket)->GetUids()[idx];
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_GetUserTicketDefaultUid(
+ const TA_TCheckedUserTicket* ticket,
+ uint64_t* uid) {
+ if (ticket == nullptr || uid == nullptr)
+ return TA_EC_INVALID_PARAM;
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ (*uid) = reinterpret_cast<const TCheckedUserTicket::TImpl*>(ticket)->GetDefaultUid();
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_GetUserTicketScopesCount(
+ const TA_TCheckedUserTicket* ticket,
+ size_t* count) {
+ if (ticket == nullptr || count == nullptr)
+ return TA_EC_INVALID_PARAM;
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ (*count) = reinterpret_cast<const TCheckedUserTicket::TImpl*>(ticket)->GetScopes().size();
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_GetUserTicketScope(
+ const TA_TCheckedUserTicket* ticket,
+ size_t idx,
+ const char** scope) {
+ if (ticket == nullptr || scope == nullptr)
+ return TA_EC_INVALID_PARAM;
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ (*scope) = reinterpret_cast<const TCheckedUserTicket::TImpl*>(ticket)->GetScopes().at(idx).data();
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_HasUserTicketScope(
+ const struct TA_TCheckedUserTicket* ticket,
+ const char* scope,
+ size_t scopeSize,
+ int* checkingResult) {
+ if (ticket == nullptr || scope == nullptr)
+ return TA_EC_INVALID_PARAM;
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ (*checkingResult) = reinterpret_cast<const TCheckedUserTicket::TImpl*>(ticket)->HasScope(
+ TStringBuf(scope, scopeSize)) ? 1 : 0;
+ return TA_EC_OK;
+ });
+}
+
+TA_EErrorCode TA_GetUserTicketDebugInfo(
+ const struct TA_TCheckedUserTicket* ticket,
+ char* debugInfo,
+ size_t* debugInfoSize,
+ size_t maxDebugInfoSize) {
+ if (ticket == nullptr || debugInfoSize == nullptr)
+ return TA_EC_INVALID_PARAM;
+
+ return CatchExceptions([=]() -> TA_EErrorCode {
+ const TString debugInfoStroka = reinterpret_cast<const TCheckedUserTicket::TImpl*>(ticket)->DebugInfo();
+ (*debugInfoSize) = debugInfoStroka.size();
+ if (debugInfo == nullptr) {
+ return TA_EC_INVALID_PARAM;
+ }
+ if (maxDebugInfoSize < *debugInfoSize) {
+ return TA_EC_SMALL_BUFFER;
+ }
+ strcpy(debugInfo, debugInfoStroka.c_str());
+ return TA_EC_OK;
+ });
+}
+
+const char* TA_LibVersion() {
+ return LibVersion().data();
+}
+
+static_assert(0 == TA_EC_OK, "");
+static_assert(1 == TA_EC_DEPRECATED, "");
+static_assert(2 == TA_EC_EMPTY_TVM_KEYS, "");
+static_assert(3 == TA_EC_EXPIRED_TICKET, "");
+static_assert(4 == TA_EC_INVALID_BLACKBOX_ENV, "");
+static_assert(5 == TA_EC_INVALID_DST, "");
+static_assert(6 == TA_EC_INVALID_PARAM, "");
+static_assert(7 == TA_EC_INVALID_TICKET_TYPE, "");
+static_assert(8 == TA_EC_MALFORMED_TICKET, "");
+static_assert(9 == TA_EC_MALFORMED_TVM_KEYS, "");
+static_assert(10 == TA_EC_MALFORMED_TVM_SECRET, "");
+static_assert(11 == TA_EC_MISSING_KEY, "");
+static_assert(12 == TA_EC_NOT_ALLOWED, "");
+static_assert(13 == TA_EC_SIGN_BROKEN, "");
+static_assert(14 == TA_EC_SMALL_BUFFER, "");
+static_assert(15 == TA_EC_UNEXPECTED_ERROR, "");
+static_assert(16 == TA_EC_UNSUPPORTED_VERSION, "");
+static_assert(17 == TA_EC_BROKEN_TVM_CLIENT_SETTINGS, "");
+static_assert(18 == TA_EC_PERMISSION_DENIED_TO_CACHE_DIR, "");
+static_assert(19 == TA_EC_FAILED_TO_START_TVM_CLIENT, "");
+
+static_assert(0 == TA_BE_PROD, "");
+static_assert(1 == TA_BE_TEST, "");
+static_assert(2 == TA_BE_PROD_YATEAM, "");
+static_assert(3 == TA_BE_TEST_YATEAM, "");
+static_assert(4 == TA_BE_STRESS, "");
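Review bot: `TA_GetServiceTicketDebugInfo` and `TA_GetUserTicketDebugInfo` reject the buffer only when `maxDebugInfoSize < *debugInfoSize`, but `strcpy` then writes the string plus its terminating NUL. A buffer of exactly `debugInfoSize` bytes is therefore overrun by one byte; the guard should be `if (maxDebugInfoSize <= *debugInfoSize)`. `TA_GetUserTicketUid` indexes `GetUids()[idx]` without comparing `idx` to the count, whereas `TA_GetUserTicketScope` uses `.at(idx)`. Using `GetUids().at(idx)` would match it, assuming `CatchExceptions` (declared in src/exception.h, not shown here) turns the exception into an error code. `TA_HasUserTicketScope` writes through `checkingResult` without a null test, so its guard should read `if (ticket == nullptr || scope == nullptr || checkingResult == nullptr)`.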
diff --git a/library/c/tvmauth/tvmauth.h b/library/c/tvmauth/tvmauth.h
new file mode 100644
index 0000000000..cba66b6bb7
--- /dev/null
+++ b/library/c/tvmauth/tvmauth.h
@@ -0,0 +1,215 @@
+#pragma once
+// DO_NOT_STYLE
+
+#ifndef _TVM_AUTH_H_
+#define _TVM_AUTH_H_
+
+#include <stddef.h>
+#include <stdint.h>
+#include <time.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+enum TA_EErrorCode {
+ TA_EC_OK = 0,
+ TA_EC_DEPRECATED,
+ TA_EC_EMPTY_TVM_KEYS,
+ TA_EC_EXPIRED_TICKET,
+ TA_EC_INVALID_BLACKBOX_ENV,
+ TA_EC_INVALID_DST,
+ TA_EC_INVALID_PARAM,
+ TA_EC_INVALID_TICKET_TYPE,
+ TA_EC_MALFORMED_TICKET,
+ TA_EC_MALFORMED_TVM_KEYS,
+ TA_EC_MALFORMED_TVM_SECRET,
+ TA_EC_MISSING_KEY,
+ TA_EC_NOT_ALLOWED,
+ TA_EC_SIGN_BROKEN,
+ TA_EC_SMALL_BUFFER,
+ TA_EC_UNEXPECTED_ERROR,
+ TA_EC_UNSUPPORTED_VERSION,
+ TA_EC_BROKEN_TVM_CLIENT_SETTINGS,
+ TA_EC_PERMISSION_DENIED_TO_CACHE_DIR,
+ TA_EC_FAILED_TO_START_TVM_CLIENT,
+};
+struct TA_TCheckedServiceTicket;
+struct TA_TCheckedUserTicket;
+
+extern const char* TA_BlackboxTvmIdProd; /* 222 */
+extern const char* TA_BlackboxTvmIdTest; /* 224 */
+extern const char* TA_BlackboxTvmIdProdYateam; /* 223 */
+extern const char* TA_BlackboxTvmIdTestYateam; /* 225 */
+extern const char* TA_BlackboxTvmIdStress; /* 226 */
+extern const char* TA_BlackboxTvmIdMimino; /* 239 */
+
+enum TA_EBlackboxEnv {
+ TA_BE_PROD = 0,
+ TA_BE_TEST,
+ TA_BE_PROD_YATEAM,
+ TA_BE_TEST_YATEAM,
+ TA_BE_STRESS
+};
+
+const char* TA_ErrorCodeToString(enum TA_EErrorCode code);
+
+/*!
+ * Free memory of service ticket.
+ * @param[in] ticket
+ * @return Error code
+ */
+enum TA_EErrorCode TA_DeleteServiceTicket(struct TA_TCheckedServiceTicket* ticket);
+
+/*!
+ * Source of request, your client.
+ * @param[in] ticket Parsed ticket
+ * @param[out] srcTvmId Integer identifier of client
+ * @return Error code
+ */
+enum TA_EErrorCode TA_GetServiceTicketSrc(
+ const struct TA_TCheckedServiceTicket* ticket,
+ uint32_t* srcTvmId);
+
+/*!
+ * Return debug info for ticket
+ * @param[in] ticket
+ * @param[out] debugInfo
+ * @param[out] debugInfoSize
+ * @param[in] maxDebugInfoSize
+ * @return Error code
+ */
+enum TA_EErrorCode TA_GetServiceTicketDebugInfo(
+ const struct TA_TCheckedServiceTicket* ticket,
+ char* debugInfo,
+ size_t* debugInfoSize,
+ size_t maxDebugInfoSize);
+
+/*!
+ * Return uid of developer, who got ServiceTicket with grant_type=sshkey
+ * uid == 0 if issuer uid is absent
+ * @param[in] ticket
+ * @param[out] uid
+ * @return Error code
+ */
+enum TA_EErrorCode TA_GetServiceTicketIssuerUid(
+ const struct TA_TCheckedServiceTicket* ticket,
+ uint64_t* uid);
+
+/*!
+ * Return part of ticket which can be safely logged.
+ * WARNING: Do not free returned pointer.
+ * WARNING: logableTicket is not zero-ended string (it is substring of ticketBody)
+ * WARNING: Use logableTicketSize to read valid amount of symbols.
+ * @param[in] ticketBody
+ * @param[in] ticketBodySize
+ * @param[out] logableTicket
+ * @param[out] logableTicketSize
+ * @return Error code
+ */
+enum TA_EErrorCode TA_RemoveTicketSignature(
+ const char* ticketBody,
+ size_t ticketBodySize,
+ const char** logableTicket,
+ size_t* logableTicketSize);
+
+/*!
+ * Free memory of user ticket.
+ * @param[in] context
+ * @return Error code
+ */
+enum TA_EErrorCode TA_DeleteUserTicket(struct TA_TCheckedUserTicket* context);
+
+/*!
+ * Return number of UIDs in the ticket.
+ * @param[in] ticket
+ * @param[out] count
+ * @return Error code
+ */
+enum TA_EErrorCode TA_GetUserTicketUidsCount(
+ const struct TA_TCheckedUserTicket* ticket,
+ size_t* count);
+
+/*!
+ * Return UID from ticket by ordinal index
+ * @param[in] ticket
+ * @param[in] idx
+ * @param[out] uid
+ * @return Error code
+ */
+enum TA_EErrorCode TA_GetUserTicketUid(
+ const struct TA_TCheckedUserTicket* ticket,
+ size_t idx,
+ uint64_t* uid);
+
+/*!
+ * Return default UID. Default UID is the chosen one which should be considered as primary.
+ * @param[in] ticket
+ * @param[out] uid
+ * @return Error code
+ */
+enum TA_EErrorCode TA_GetUserTicketDefaultUid(
+ const struct TA_TCheckedUserTicket* ticket,
+ uint64_t* uid);
+
+/*!
+ * Return number of scopes in the ticket.
+ * @param[in] ticket
+ * @param[out] count
+ * @return Error code
+ */
+enum TA_EErrorCode TA_GetUserTicketScopesCount(
+ const struct TA_TCheckedUserTicket* ticket,
+ size_t* count);
+
+/*!
+ * Return scope by ordinal index.
+ * WARNING: Do not free returned pointer.
+ * @param[in] ticket
+ * @param[in] idx
+ * @param[out] scope
+ * @return Error code
+ */
+enum TA_EErrorCode TA_GetUserTicketScope(
+ const struct TA_TCheckedUserTicket* ticket,
+ size_t idx,
+ const char** scope);
+
+/*!
+ * Check if user ticket has the scope
+ * @param[in] ticket
+ * @param[in] scope
+ * @param[in] scopeSize Size of string containing scope
+ * @param[out] checkingResult Equal to 1 if scope is present in ticket and to 0 otherwise
+ * @return Error code
+ */
+enum TA_EErrorCode TA_HasUserTicketScope(
+ const struct TA_TCheckedUserTicket* ticket,
+ const char* scope,
+ size_t scopeSize,
+ int* checkingResult);
+
+/*!
+ * Return debug info for ticket
+ * @param[in] ticket
+ * @param[out] debugInfo
+ * @param[out] debugInfoSize
+ * @param[in] maxDebugInfoSize
+ * @return Error code
+ */
+enum TA_EErrorCode TA_GetUserTicketDebugInfo(
+ const struct TA_TCheckedUserTicket* ticket,
+ char* debugInfo,
+ size_t* debugInfoSize,
+ size_t maxDebugInfoSize);
+
+/*!
+ * Return library version.
+ * @return version
+ */
+const char* TA_LibVersion();
+
+#ifdef __cplusplus
+}
+#endif
+#endif
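Review bot: The doc comments on `TA_GetServiceTicketDebugInfo` and `TA_GetUserTicketDebugInfo` do not say whether `maxDebugInfoSize` counts the terminating NUL, and that contract decides whether a caller's buffer is overrun. The `TA_GetUserTicketDebugInfo` body in tvmauth.cpp returns `TA_EC_SMALL_BUFFER` only when `maxDebugInfoSize < *debugInfoSize` and then calls `strcpy`, which writes `*debugInfoSize + 1` bytes, so a caller who passes the buffer's real capacity can be written one byte past its end. Either document the requirement, e.g. `@param[in] maxDebugInfoSize Longest string accepted, not counting the terminating NUL; debugInfo must hold maxDebugInfoSize + 1 bytes`, or have the implementation reject `maxDebugInfoSize <= *debugInfoSize`, in which case the retry call in tvmauth_wrapper.h would need to pass `realSize + 1`. It is also worth stating that `debugInfoSize` is filled in even when `TA_EC_SMALL_BUFFER` is returned, since the retry in tvmauth_wrapper.h depends on it.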
diff --git a/library/c/tvmauth/tvmauth_wrapper.h b/library/c/tvmauth/tvmauth_wrapper.h
new file mode 100644
index 0000000000..a719e4999c
--- /dev/null
+++ b/library/c/tvmauth/tvmauth_wrapper.h
@@ -0,0 +1,224 @@
+#pragma once
+// DO_NOT_STYLE
+
+#ifndef _TVM_AUTH_WRAPPER_H_
+#define _TVM_AUTH_WRAPPER_H_
+
+#include "tvmauth.h"
+
+#include <memory>
+#include <string>
+#include <vector>
+
+namespace NTvmAuthWrapper {
+ using TTvmId = uint32_t;
+ using TScopes = std::vector<std::string>;
+ using TUid = uint64_t;
+ using TUids = std::vector<TUid>;
+
+ using TA_EErrorCode = TA_EErrorCode;
+
+ namespace NBlackboxTvmId {
+ static const char* Prod = "222";
+ static const char* Test = "224";
+ static const char* ProdYateam = "223";
+ static const char* TestYateam = "225";
+ static const char* Stress = "226";
+ static const char* Mimino = "239";
+ }
+
+ class TTvmException: public std::exception {
+ private:
+ const char* Message;
+ public:
+ TTvmException(const char* message)
+ : Message(message)
+ {
+ }
+ const char* what() const noexcept override {
+ return Message;
+ }
+ };
+ class TContextException: public TTvmException {
+ using TTvmException::TTvmException;
+ };
+ class TEmptyTvmKeysException: public TContextException {
+ using TContextException::TContextException;
+ };
+ class TMalformedTvmKeysException: public TContextException {
+ using TContextException::TContextException;
+ };
+ class TMalformedTvmSecretException: public TContextException {
+ using TContextException::TContextException;
+ };
+ class TNotAllowedException: public TTvmException {
+ using TTvmException::TTvmException;
+ };
+
+ inline std::string LibVersion() {
+ return std::string(TA_LibVersion());
+ }
+
+ inline void ThrowIfFatal(TA_EErrorCode status) {
+ switch (status) {
+ case TA_EErrorCode::TA_EC_EMPTY_TVM_KEYS:
+ throw TEmptyTvmKeysException("Empty TVM keys");
+ case TA_EErrorCode::TA_EC_MALFORMED_TVM_KEYS:
+ throw TMalformedTvmKeysException("Malformed TVM keys");
+ case TA_EErrorCode::TA_EC_MALFORMED_TVM_SECRET:
+ throw TMalformedTvmSecretException("Malformed TVM secret");
+ case TA_EErrorCode::TA_EC_NOT_ALLOWED:
+ throw TNotAllowedException("Method cannot be used in non-valid ticket");
+ case TA_EErrorCode::TA_EC_INVALID_PARAM:
+ case TA_EErrorCode::TA_EC_SMALL_BUFFER:
+ case TA_EErrorCode::TA_EC_UNEXPECTED_ERROR:
+ case TA_EErrorCode::TA_EC_BROKEN_TVM_CLIENT_SETTINGS:
+ case TA_EErrorCode::TA_EC_PERMISSION_DENIED_TO_CACHE_DIR:
+ case TA_EErrorCode::TA_EC_FAILED_TO_START_TVM_CLIENT:
+ throw std::runtime_error(TA_ErrorCodeToString(status));
+ default:
+ break;
+ }
+ }
+
+ inline std::string RemoveTicketSignature(const std::string& ticketBody) {
+ const char* ticketWithoutSignature;
+ size_t realSize;
+ ThrowIfFatal(TA_RemoveTicketSignature(ticketBody.c_str(), ticketBody.size(), &ticketWithoutSignature, &realSize));
+ return std::string(ticketWithoutSignature, realSize);
+ }
+
+ class TCheckedServiceTicket {
+ friend class TServiceContext;
+ friend class TTvmClient;
+ public:
+ TCheckedServiceTicket(TCheckedServiceTicket&& o) = default;
+ TCheckedServiceTicket& operator=(TCheckedServiceTicket&& o) = default;
+
+ explicit operator bool() const {
+ return (GetStatus() == TA_EErrorCode::TA_EC_OK);
+ }
+
+ TTvmId GetSrc() const {
+ TTvmId src;
+ ThrowIfFatal(TA_GetServiceTicketSrc(Ptr.get(), &src));
+ return src;
+ }
+
+ TA_EErrorCode GetStatus() const {
+ return Status;
+ }
+
+ std::string DebugInfo() const {
+ char buffer[1024];
+ size_t realSize;
+ TA_EErrorCode resultCode = TA_GetServiceTicketDebugInfo(Ptr.get(), buffer, &realSize, 1024);
+ if (resultCode == TA_EErrorCode::TA_EC_SMALL_BUFFER) {
+ std::string res(realSize, 0);
+ ThrowIfFatal(TA_GetServiceTicketDebugInfo(Ptr.get(), (char*)res.data(), &realSize, realSize));
+ return res;
+ }
+ ThrowIfFatal(resultCode);
+ return std::string(buffer, realSize);
+ }
+
+ /*!
+ * Return uid of developer, who got ServiceTicket with grant_type=sshkey
+ * @return uid
+ */
+ TUid GetIssuerUid() const {
+ TUid u = 0;
+ ThrowIfFatal(TA_GetServiceTicketIssuerUid(Ptr.get(), &u));
+ return u;
+ }
+
+ private:
+ TCheckedServiceTicket(TA_TCheckedServiceTicket* ptr, TA_EErrorCode status)
+ : Ptr(ptr, TA_DeleteServiceTicket)
+ , Status(status) {
+ }
+
+ std::unique_ptr<TA_TCheckedServiceTicket, decltype(&TA_DeleteServiceTicket)> Ptr;
+ TA_EErrorCode Status;
+ };
+
+ class TCheckedUserTicket {
+ friend class TTvmClient;
+ friend class TUserContext;
+ public:
+ TCheckedUserTicket(TCheckedUserTicket&& o) = default;
+ TCheckedUserTicket& operator=(TCheckedUserTicket&& o) = default;
+
+ explicit operator bool() const {
+ return (GetStatus() == TA_EErrorCode::TA_EC_OK);
+ }
+
+ TUids GetUids() const {
+ size_t count;
+ TUid scope;
+ ThrowIfFatal(TA_GetUserTicketUidsCount(Ptr.get(), &count));
+
+ TUids r(count);
+ for (size_t i = 0; i < count; ++i) {
+ ThrowIfFatal(TA_GetUserTicketUid(Ptr.get(), i, &scope));
+ r[i] = scope;
+ }
+
+ return r;
+ }
+
+ TUid GetDefaultUid() const {
+ TUid defaultUid;
+ ThrowIfFatal(TA_GetUserTicketDefaultUid(Ptr.get(), &defaultUid));
+ return defaultUid;
+ }
+
+ TScopes GetScopes() const {
+ size_t count;
+ const char* scope;
+ ThrowIfFatal(TA_GetUserTicketScopesCount(Ptr.get(), &count));
+
+ TScopes r(count);
+ for (size_t i = 0; i < count; ++i) {
+ ThrowIfFatal(TA_GetUserTicketScope(Ptr.get(), i, &scope));
+ r[i] = std::string(scope);
+ }
+
+ return r;
+ }
+
+ bool HasScope(const std::string& scopeName) const {
+ int result;
+ ThrowIfFatal(TA_HasUserTicketScope(Ptr.get(), scopeName.c_str(), scopeName.size(), &result));
+ return (result != 0);
+ }
+
+ TA_EErrorCode GetStatus() const {
+ return Status;
+ }
+
+ std::string DebugInfo() const {
+ char buffer[1024];
+ size_t realSize;
+ TA_EErrorCode resultCode = TA_GetUserTicketDebugInfo(Ptr.get(), buffer, &realSize, 1024);
+ if (resultCode == TA_EErrorCode::TA_EC_SMALL_BUFFER) {
+ std::string res(realSize, 0);
+ ThrowIfFatal(TA_GetUserTicketDebugInfo(Ptr.get(), (char*)res.data(), &realSize, realSize));
+ return res;
+ }
+ ThrowIfFatal(resultCode);
+ return std::string(buffer, realSize);
+ }
+
+ private:
+ TCheckedUserTicket(TA_TCheckedUserTicket* ptr, TA_EErrorCode status)
+ : Ptr(ptr, TA_DeleteUserTicket)
+ , Status(status) {
+ }
+
+ std::unique_ptr<TA_TCheckedUserTicket, decltype(&TA_DeleteUserTicket)> Ptr;
+ TA_EErrorCode Status;
+ };
+}
+
+#endif
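Review bot: `TCheckedServiceTicket::DebugInfo()` and `TCheckedUserTicket::DebugInfo()` pass `1024` as `maxDebugInfoSize` for `char buffer[1024]`, which leaves no room for the terminator. The `TA_GetUserTicketDebugInfo` implementation in tvmauth.cpp accepts a string whose size equals `maxDebugInfoSize` and copies it with `strcpy`, so a debug string of exactly 1024 bytes puts its NUL one byte past the stack buffer; the service-ticket variant is presumably the same, but its body is not visible here. Passing `sizeof(buffer) - 1` in both calls, e.g. `TA_GetUserTicketDebugInfo(Ptr.get(), buffer, &realSize, sizeof(buffer) - 1)`, keeps the copy in bounds without changing the C API. The retry path into `res.data()` only lands the NUL on the string's own terminator slot, so it can stay as written. Separately, `ThrowIfFatal` throws `std::runtime_error` but the header does not include `<stdexcept>`.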