Authorization keys enable users to fully control self-custodial wallets within a trusted execution environment (TEE). They do not apply to on-device wallets.

Interacting directly with user authorization keys is an advanced setting.

If you are using Privy via a client-side SDK, user authorization keys are entirely invisible—you do not have to manually interact with authorization keys in order to create or transact with wallets.

Self-custodial Privy wallets are those owned by an authorization key that the user controls. For example, you can configure fully user self-custodial wallets by:

  • Authenticating a user with the User authorization key API to issue an authorization key
  • Directly adding the user’s passkey as the authorization key

User authorization keys are authorization keys that users control directly via an authentication method. Privy infrastructure issues session-based authorization keys to users via the User authorization key API. This configuration results in cryptographically enforced user custody of wallets.

Learn more about the User authorization key API architecture here.

All Privy client-side SDKs enable fully user self-custodial wallets by default.

Authentication methods

Privy integrates directly with any OIDC or JWT-based authentication system and also offers dozens of login methods natively, including email, SMS, social login, passkeys, and more. The User authorization key API ensures that if a user is logged in, they always have access to their wallet.