Authorization keys provide an additional layer of security for actions taken by your app’s wallets. These cryptographic keys help ensure that only actions explicitly authorized by your server are executed on user wallets.

Overview

When you specify an owner of a resource, all requests to update that resource must be signed with the owner’s authorization key. Requests to take actions with a wallet must also be signed by the wallet’s owner. This security measure verifies that each request comes from your authorized backend systems and helps prevent unauthorized operations.

Generating an Authorization Key

To set up an authorization key:

  1. Navigate to the page in your Privy Dashboard
  2. Click the Generate new key button
  3. Copy and securely store the generated key

Privy does not store this key and cannot help you retrieve it. If you lose access to your key, you’ll need to generate a new one, which will require users to re-grant permissions for delegated actions.

Security Implications

  • With authorization keys: All wallet actions require a valid signature from your server in addition to your app secret, ensuring that only your application can initiate actions
  • Without authorization keys: Privy will only require your app secret for wallet actions, which provides less security for production environments

While authorization keys are optional, we strongly recommend enabling them for all production applications to ensure maximum security for your users’ assets.
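
The two cases above, as an added illustration: a simplified model of a verifier, not Privy's code, API or wire format. The wallet table, field names, sorted-key canonical form and the P-256/SHA-256 signature are assumptions chosen for the example.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed demo values: this secret and key pair exist only in this example.
const APP_SECRET = 'demo-app-secret';
const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
// Hypothetical resources: one wallet has an owner key, the other has none.
const wallets = { 'wallet-owned': { owner: publicKey }, 'wallet-unowned': { owner: null } };

// Sorted-key JSON so the signer and the verifier hash identical bytes.
function canonicalize(v) {
  if (Array.isArray(v)) return '[' + v.map(canonicalize).join(',') + ']';
  if (v && typeof v === 'object') {
    const fields = Object.keys(v).sort().map((k) => JSON.stringify(k) + ':' + canonicalize(v[k]));
    return '{' + fields.join(',') + '}';
  }
  return JSON.stringify(v);
}

// The signature covers the target wallet, method, path and body (assumed field set).
const signedBytes = (r) =>
  Buffer.from(canonicalize({ walletId: r.walletId, method: r.method, path: r.path, body: r.body }));
const sha256 = (s) => nodeCrypto.createHash('sha256').update(String(s)).digest();

// Backend: sign with the authorization private key, which never leaves your server.
function signRequest(key, req) {
  return nodeCrypto.sign('sha256', signedBytes(req), key).toString('base64');
}

// Verifier: the app secret is always checked; an owned wallet also needs the owner's signature.
function authorize(req) {
  if (!nodeCrypto.timingSafeEqual(sha256(req.appSecret), sha256(APP_SECRET))) return 'bad app secret';
  const wallet = wallets[req.walletId];
  if (!wallet) return 'unknown wallet';
  if (!wallet.owner) return 'allowed';
  if (!req.signature) return 'missing signature';
  const sig = Buffer.from(req.signature, 'base64');
  return nodeCrypto.verify('sha256', signedBytes(req), wallet.owner, sig) ? 'allowed' : 'bad signature';
}

function demo() {
  const req = { appSecret: APP_SECRET, walletId: 'wallet-owned', method: 'POST', path: '/send',
    body: { to: 'addr-1', amount: 5 } };
  const signature = signRequest(privateKey, req);
  return {
    signed: authorize({ ...req, signature }),
    secretOnly: authorize(req), // what a caller holding only the app secret can do
    tampered: authorize({ ...req, signature, body: { to: 'addr-2', amount: 5 } }),
    unowned: authorize({ ...req, walletId: 'wallet-unowned' }),
  };
}
console.log(demo());
```

In this model a request carrying only the app secret is refused for the owned wallet, and a signature made for one body does not authorize a different body.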

When to Use Authorization Keys

Authorization keys are particularly important when:

  • Your app performs delegated actions on behalf of users
  • You’re handling financial transactions or sensitive operations
  • You want to prevent potential abuse from unauthorized parties
  • Your application is in production with real users and assets

Next Steps

After generating your authorization key, you’ll need to implement request signing in your application. See our SDK integration guide or REST API documentation for detailed implementation instructions.