- User keys are time-bound: they can sign requests only for a limited window, after which they expire and a new user key must be requested.
- When returning a user’s key, Privy encrypts the key under the public key of a public-private keypair that your app generates. This ensures that only your server can decrypt the user’s key.

1. Configure authentication settings

   In the Privy Dashboard, configure the authentication settings for your authentication provider. In particular, register the JWKS.json endpoint that will be used to verify your users’ access tokens.

2. Generate a keypair to encrypt user keys

   Generate a public-private keypair (ECDH P-256) that will be used to encrypt the user key. Make sure to save both the public and private keys.

3. Request a user key from the Privy API

   Make a request to the Privy API with the user’s access token and the public key you generated. Privy will return a user key for the user, encrypted under the public key you provided, which you can decrypt with the corresponding private key.
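
For step 2, the following added example (not Privy's code) generates a P-256 keypair with Node's built-in `crypto` module and checks that the saved public and private halves still match before they are relied on. The function names and the export encodings (base64 SPKI DER for the public key, PKCS#8 PEM for the private key) are assumptions; use whatever encoding the Privy API reference specifies.

```javascript
// Added example, not Privy's code. Function names and encodings are assumptions.
const crypto = require('node:crypto');

// Generate the keypair. 'prime256v1' is OpenSSL's name for NIST P-256.
function generateRecipientKeypair() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', {
    namedCurve: 'prime256v1',
  });
  return {
    // Assumed transport encoding: base64 of the DER-encoded SPKI public key.
    publicKeyB64: publicKey.export({ type: 'spki', format: 'der' }).toString('base64'),
    // PKCS#8 PEM. Keep this in a secret manager, never in source control.
    privateKeyPem: privateKey.export({ type: 'pkcs8', format: 'pem' }),
  };
}

// Reload the saved material and confirm it is a matching P-256 pair.
// Throws on a wrong curve; returns false when the halves do not belong together.
function verifyRecipientKeypair(publicKeyB64, privateKeyPem) {
  const privateKey = crypto.createPrivateKey(privateKeyPem);
  const publicKey = crypto.createPublicKey({
    key: Buffer.from(publicKeyB64, 'base64'),
    format: 'der',
    type: 'spki',
  });
  for (const key of [privateKey, publicKey]) {
    if (key.asymmetricKeyType !== 'ec' ||
        key.asymmetricKeyDetails.namedCurve !== 'prime256v1') {
      throw new Error('key is not on the P-256 curve');
    }
  }
  // ECDH round trip: a sender holding only our public key and its own
  // ephemeral key must derive the same shared secret that we derive from
  // our private key and the sender's ephemeral public key.
  const ephemeral = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const senderSecret = crypto.diffieHellman({
    privateKey: ephemeral.privateKey,
    publicKey,
  });
  const recipientSecret = crypto.diffieHellman({
    privateKey,
    publicKey: ephemeral.publicKey,
  });
  return crypto.timingSafeEqual(senderSecret, recipientSecret);
}
```

Running `verifyRecipientKeypair` at server start-up catches a rotated or mismatched private key before an encrypted user key arrives that cannot be decrypted.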

