
Authenticated signers

Authenticated signers enable users to fully control self-custodial wallets.

Authorization keys are the core primitive for control of Privy's TEE-based wallet API. Authorization key signatures are used to authenticate directly with the Privy wallet API.

They enable a fully configurable control model for wallets, covering the entire spectrum from user-custodial wallets to powerful service-level controls. If an authorization key is set as a signer on the wallet, then it can transact funds on the wallet.

Self-custodial wallets

TIP

All Privy client-side SDKs enable fully user self-custodial wallets by default via authenticated signers.

Self-custodial Privy wallets are those owned by an authorization key that the user controls. For example, you can configure fully user self-custodial wallets:

  • Using an authenticated signer as the authorization key
  • Using a user's passkey directly as the authorization key

Authenticated signers are authorization keys that users control directly via an authentication method. Privy infrastructure manages issuing session-based authorization keys to users via the Privy authenticated signer service.

Authentication methods

Privy integrates directly with any OIDC or JWT-based authentication system and also offers dozens of login methods natively, including email, SMS, social login, passkeys, and more. The authenticated signer service ensures that if a user is logged in, they always have access to their wallet.

Multi-factor authentication

Privy also enables multi-factor authentication for access to authenticated signers. Supported additional factors include:

  • Authenticator apps (TOTP)
  • Biometric verification (passkeys)
  • SMS confirmation
  • Hardware security keys

This means your app can require additional user verification for sensitive wallet operations.

Client-side authenticated signers

Client-side authenticated signers are session-based authorization keys available via Privy client SDKs, and issued on the user's device. These authorization keys are managed internally by the Privy SDK and are used to authenticate with Privy's wallet API. Authenticated signers are only accessible when the user is authenticated.

Client-side authenticated signers are managed within the secure environments directly on user devices. In particular, Privy secures authenticated signers using browser-enforced isolation via iframes. The Privy iframe runs in a separate process with its own isolated memory space, completely separated from your application.

Client-side authenticated signers are generated directly on the user's device, secured using distributed key sharding, and persisted with Privy's key management infrastructure. See user device execution environment for more information about this architecture. Note this core architecture can be used to secure either authenticated signers or on-device wallets directly.

Figure: Client-side authenticated signers

Authenticated signer API

INFO

This feature is currently in development and will be available in an upcoming release.

The authenticated signer API enables one-time or session-based authorization keys to be issued directly via a REST API. This API can be called from either your app's frontend or backend.

The authenticated signer API manages authorization keys from within trusted execution environments (TEEs)—see TEE architecture for more information. The authenticated signer API integrates with any asymmetric JWT-based authentication system, such as Privy's native authentication system, Auth0, Firebase, or any OIDC or OAuth authentication provider. Authentication is verified within the TEE.

  1. If applicable, register your JWT verification public key or JWKS.json endpoint. You can do so via the Privy Dashboard or directly with the authenticated signer API.
  2. Make a request to the authenticated signer API using the authentication token from your JWT-based authentication system.
  3. The TEE issues an encrypted one-time or session-based authenticated signer in response.
  4. Use this authenticated signer as the authorization key for requests to the Privy wallet API.

Server-side authenticated signers