Authorization keys provide an additional layer of security for actions taken by your app’s wallets. These cryptographic keys help ensure that only actions explicitly authorized by your server are executed on user wallets.

Enforcing ownership on a resource

When you specify an owner of a resource, all requests to update that resource must be signed with the associated key. Requests to take actions with a wallet must also be signed by the wallet’s owner. This security measure verifies that each request comes from authorized actors.

Resources can be owned by a user or directly by an authorization key.

  • If a user is an owner of a resource, requests to take action on the resource must be approved by the user, via a signature from a user authorization key.
  • If an authorization key is an owner of a resource, requests to take action on the resource must be approved via a signature from the authorization key. Typically, the authorization key is a persistent key managed by your application server.

Security implications

If you are securing resources controlled by your application server, authorization keys are optional, though strongly recommended.

  • With authorization keys: All wallet actions require a valid signature from your server in addition to your app secret, ensuring that only your application can initiate actions.
  • Without authorization keys: Privy will only require your app secret for wallet actions, which provides less security for production environments.

When to use authorization keys

Authorization keys are particularly important when:

  • Your app performs actions on behalf of users.
  • You’re handling financial transactions or sensitive operations.
  • You want to prevent potential abuse from unauthorized parties.
  • Your application is in production with real users and assets.

How to set up authorization keys

Create an authorization key locally or via the Dashboard and configure it as the owner of your resource (e.g. a wallet or policy). See our SDK integration guide or REST API documentation for detailed implementation instructions for signing requests.