Getting started with Turnkey
Welcome to Turnkey! To make the most out of Turnkey's wallet infrastructure, we've compiled a list of helpful resources for you below.
Getting ready to launch? Ensure you double check our resource limits and rate limits to ensure your implementation will not trigger these limits at production scale. For additional pre-launch guidance, refer to our Launch Checklist to make sure you're ready to launch safely.
About
Turnkey is highly flexible key management infrastructure, purpose-built for security and scale. Our API and open-source SDKs make it easy for you to take your product from 0 to 1, and enable developers to create millions of embedded wallets and automate complex onchain transactions.
Whether you're building a DeFi platform, a payments app, an AI agent, or anything requiring a private key, Turnkey offers the building blocks to bring your ideas to life.
Our solution covers two main use cases:
Embedded Wallets
Create millions of embedded wallets on behalf of your users for a flawless onboarding and in-app experience.
⚡ To start building with embedded wallets, check out our demos, kits and detailed guides:
- Demo Wallet (Next.js, Typescript)
- Embedded Wallet Kit (Next.js, React)
- Sub-Organizations as Wallets
- Sub-Organization Email Auth
- Embedded wallet code examples
- Account Abstraction Wallets
Onchain Automation
Automate even the most complex onchain transactions, from staking management to smart contract interactions.
🔧 To start using Turnkey for onchain automation, check out Quickstart, server signing guide, and explore our API Reference.
Concepts Overview
Before getting started, we highly recommend familiarizing yourself with Turnkey's core concepts below to ensure a smooth implementation.
At the core of Turnkey is an important concept: instead of directly managing private keys, wallets are accessed through authenticators like passkeys, social logins, or API keys:
Here's how that works:
- Organizations (parent orgs) in Turnkey are top-level entities that contain users, wallets, and policies for a business, with the initial "parent organization" typically representing an entire Turnkey-powered application.
- Parent organizations can create sub-organizations (sub-orgs), which are fully segregated organizations nested under the parent organization. Parent orgs cannot modify the contents of a sub-org, and sub-orgs and typically represent an end user.
- Both parent organizations and sub-organizations contain a set of resources and authenticators that you can configure, including their own users, wallets, API keys, private keys, and policies.
- Activities (like signing transactions or creating users) are governed by policies created via Turnkey's policy engine, though root users can bypass the policy engine when meeting root quorum requirements.
- Wallets in Turnkey are HD seed phrases that can generate multiple wallet accounts (addresses) for signing operations.
There is no set relationship between organizations, sub-organizations, activities, wallets, and resources. This makes Turnkey highly flexible and configurable to any use case.
For a more in-depth overview, access our documentation here.
Demos And Examples
- Embedded wallet demo app (web)
- Flutter (mobile) demo app
- Telegram mini-app demo
- Pop-up wallet demo
- React native demo wallet (mobile, web)
- Wallet Kit (pre-generated UI components for user authentication)
- Building a trading bot on Solana: Guide
Feature spotlight: Send crypto via a URL
Moonshot users can now send crypto to their friends via a URL. Under the hood, Turnkey pre-generates a wallet for the new user and loads it with the specified amount of crypto — all authenticated via a biometric passkey (e.g. Face ID).
To see Turnkey in action, check out some of our favorite customer integrations:
- Moonshot: An app that makes trading crypto as easy as buying stocks.
- Infinex: A crypto app to access everything onchain in one place. Founded by Kain from Synthetix.
- Azura: A next-generation DeFi platform to make onchain trading easier.
- PVP Trade: A SocialFi experience to trade tokens with friends on Telegram.
- Spectral: A platform for creating onchain AI agents.
SDKs
Turnkey provides a variety of client libraries for interacting with Turnkey's API and performing common workflows, as well as several wrappers for popular web3 libraries for easy integration into existing dApps.
| Integration | Package |
|---|---|
| JavaScript Browser | @turnkey/sdk-browser |
| JavaScript Server | @turnkey/sdk-server |
| React | @turnkey/sdk-react |
| React Native | See React Native passkey stamper for more details |
| Golang | go-sdk |
| Rust | rust-sdk |
| Ruby | ruby-sdk |
| Command Line | Using the CLI |
| Flutter/Dart | All packages published here |
| Swift | swift-sdk |
| Ethers | @turnkey/ethers |
| Viem | @turnkey/viem |
| CosmJS | @turnkey/cosmjs |
| EIP-1193 | @turnkey/eip-1193-provider |
| Solana | @turnkey/solana |
| Advanced | See docs for more details |
Security
We take security seriously at Turnkey and have built our architecture to ensure that you and your end users' private keys are safe. Our whitepaper covers our holistic security model in-depth and our vision for building verifiable key management infrastructure.
How does Turnkey secure private keys?
Turnkey uses AWS Nitro Enclaves, a type of tamper-proof Trusted Execution Environment (TEE), for all sensitive operations. Private keys are never decrypted outside these enclaves, and only you can authorize key usage with your credentials. Turnkey has also implemented stringent protocols to prevent individual engineers from altering enclave code, ensuring a secure end-to-end deployment process.
Turnkey does not store unencrypted private keys, but rather persists encrypted private key ciphertext inside of our primary and disaster recovery databases. This ciphertext is only to be decrypted from within the bounds of a secure enclave running verified Turnkey applications.
Is Turnkey non-custodial? Who has access to my users' private keys?
Turnkey's novel security architecture means raw private keys themselves are never exposed to Turnkey, your software, or your team. Specifically, Turnkey stores encrypted private keys that are only decrypted when you authenticate to an auditable, tamper-proof secure enclave with your secret (e.g., API key or Passkey credentials). You (and/or your end users, depending on your implementation) remain the owner of your private keys and the funds controlled by those private keys at all times. See quorum deployments for more details on how we provision secure enclaves to ensure you're always in control of your private keys.
Is Turnkey open-source?
Turnkey's infrastructure combines extensive SDK support with open-source packages that allow for straightforward integration across multiple languages and environments. While competitors offers closed or proprietary SDKs that lock you into limited workflows and create dependencies on specific providers, Turnkey's open SDKs enable direct access to both lower-level abstractions and the core API, granting you complete control over your wallet infrastructure.
We've also open-sourced QuorumOS: a minimal, immutable, and deterministic Linux unikernel build system for use cases that require high security and accountability. QuorumOS is a critical part of Turnkey's stack for running applications inside TEEs at modern cloud scale.
Currently, we are working on a verifiable security model for our API, so that third parties can attest to the code that is running inside of Turnkey's secure enclaves.
How can I report a security vulnerability / Is there a bug bounty?
Turnkey highly values the security of our software, services, and systems and we actively encourage the ethical reporting of any security vulnerabilities discovered. We invite researchers and users to report potential security vulnerabilities to our Bug Bounty Program via the form in our docs, or to us via email at security@turnkey.com. When submitting a report via email, please provide a thorough description of the vulnerability, including steps to reproduce it and its potential impact.
If you believe you have found very serious vulnerability, we ask that you encrypt the message to the
security.turnkey.com PGP key (FP: AD6C 3E61 17A5 886E 550E F8BB 3ACD E5EA 8DC7 9275).
This can also be found on Turnkey's website at https://www.turnkey.com/.well-known/security.asc
Support
For support, product feedback, and input, join our community Slack channel here.