Users can own resources in Privy, meaning any request to update a resource or take an action with it must be explicitly authorized by the owning user.

You can use user owners regardless of whether you use your own authentication provider or Privy as your authentication provider.

When you make a request to the Privy API with a valid access token for a user owner, Privy returns a user key for the user. Requests to the Privy API to update or take actions with a resource owned by this user must be signed by the user key.

To ensure the security of user keys:

  • User keys are time-bound, meaning they can only sign requests for a limited window before they expire, and a new user key must be requested.
  • When returning a user’s key, Privy encrypts the key under a public-private keypair that your app generates. This ensures that only your server can decrypt the user’s key.

At a high level, the flow to request user keys is as follows:

1. Configure authentication settings

In the Privy Dashboard, configure your authentication settings from your authentication provider. In particular, register the JWKS.json endpoint that will be used to verify your user’s access token.

If you are using Privy as your authentication provider, you can skip this step.

2. Generate a keypair to encrypt user keys

Generate a public-private keypair (ECDH P-256) that will be used to encrypt the user key. Make sure to save both the public and private keys.

3. Request a user key from the Privy API

Make a request to the Privy API with the user’s access token and the public key you generated. Privy will return a user key for the user, encrypted under the public key you provided, which you can decrypt with the corresponding private key.