Authorization keys provide an additional layer of security for actions taken by your app’s wallets. These cryptographic keys help ensure that only actions explicitly authorized by your server are executed on user wallets.

Overview

When you specify an owner of a resource, all requests to update that resource must be signed with the owner's key. Requests to take actions with a wallet must also be signed by the wallet’s owner. This security measure verifies that each request comes from your authorized backend systems and helps prevent unauthorized operations.

Security implications

  • With authorization keys: All wallet actions require a valid signature from your server in addition to your app secret, ensuring that only your application can initiate actions
  • Without authorization keys: Privy will only require your app secret for wallet actions, which provides less security for production environments

While authorization keys are optional, we strongly recommend enabling them for all production applications to ensure maximum security for your users’ assets.
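
The difference between the two modes above can be modelled in a short Node.js script. This is an added example, not Privy's code or wire format: the P-256 key type, the key-sorted JSON canonicalization, the request fields, and all function names are assumptions made for illustration.

```javascript
// Toy model of the two checks; assumptions: P-256 keys, key-sorted JSON, hypothetical names.
const crypto = require('node:crypto');

// Deterministic JSON so signer and verifier hash identical bytes.
function canonicalize(value) {
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// Backend: sign the whole request with the authorization private key.
function signRequest(privateKey, request) {
  return crypto.sign('sha256', Buffer.from(canonicalize(request)), privateKey).toString('base64');
}

// Service: the app secret is always checked; an owned wallet also needs the owner's signature.
function authorize(wallet, appSecret, presentedSecret, request, signatureB64) {
  const a = Buffer.from(appSecret), b = Buffer.from(presentedSecret);
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return 'rejected: bad app secret';
  if (!wallet.ownerPublicKey) return 'allowed: app secret only';
  if (!signatureB64) return 'rejected: missing owner signature';
  const ok = crypto.verify('sha256', Buffer.from(canonicalize(request)),
    wallet.ownerPublicKey, Buffer.from(signatureB64, 'base64'));
  return ok ? 'allowed: app secret and owner signature' : 'rejected: invalid owner signature';
}

// Constructed sample data: one owned wallet, one without an owner, and a hypothetical request.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const secret = 'constructed-app-secret';
  const owned = { id: 'wallet-1', ownerPublicKey: publicKey };
  const unowned = { id: 'wallet-2', ownerPublicKey: null };
  const req = { method: 'POST', path: '/example/wallet-1/send', body: { to: '0xabc', value: 1 } };
  const sig = signRequest(privateKey, req);
  const tampered = { ...req, body: { to: '0xdef', value: 1 } };
  return {
    signed: authorize(owned, secret, secret, req, sig),
    secretOnly: authorize(owned, secret, secret, req, null),   // leaked app secret, no key
    tampered: authorize(owned, secret, secret, tampered, sig), // signature reused on new body
    noOwner: authorize(unowned, secret, secret, req, null),
  };
}

console.log(demo());
```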

When to use authorization keys

Authorization keys are particularly important when:

  • Your app performs delegated actions on behalf of users
  • You’re handling financial transactions or sensitive operations
  • You want to prevent potential abuse from unauthorized parties
  • Your application is in production with real users and assets

How to set up authorization keys

Create an authorization key either locally or in the Dashboard and configure it as the owner of your resource. See our SDK integration guide or REST API documentation for detailed implementation instructions for signing requests.