Overview

Turnkey’s wallet system supports granular controls on who can access wallets and what actions different users can perform.

To enforce these controls, Turnkey’s API must verify the identity of the party requesting a wallet action, ensuring that only authorized actions are executed by the system. This process is known as authentication.

Turnkey supports two ways of authenticating access to wallets: API authentication and user authentication.

API authentication

With API authentication, Turnkey authenticates a request from your server directly using an API secret. This ensures that Turnkey only executes requests sent by your servers, and by no other party.

In addition to the API secret, you can also configure authorization policies that control specific wallets, private keys, and other resources. Any request to use or update these resources requires approval according to the corresponding policy. This allows you to enforce granular controls on all Turnkey resources.

For backend implementation details, see our Backend Setup guide.

API Reference: Create API Keys, Get API Keys

User authentication

Turnkey is a powerful toolkit for progressive authentication of users. With fine-grained control over onboarding flows and wallet connections, you can improve conversion and craft better UX.

Using any of Turnkey’s client-side SDKs, your app can authenticate users across web2 and web3 accounts, including:

  • WebAuthn/Passkeys: Biometric or passkey-based login built on the WebAuthn standard.
  • Email or SMS: Passwordless login via a one-time passcode sent to a user’s email address or phone number.
  • OAuth and social logins: Social login with Google, Apple, Twitter, Discord, GitHub, LinkedIn, and more.
  • Wallets: External wallet login via Sign-In With Ethereum and Sign-In With Solana.

Your app can configure each of these authentication methods either as an upfront login method or as an account that users link later.

All of Turnkey’s authentication methods create a common user object, where you can easily find a user’s unique ID and all of the accounts they’ve linked to their profile. A user is a user, regardless of whether they’ve connected with a wallet, email or other account.

Once a user successfully authenticates with Turnkey, Turnkey creates a session for that user that your app can use to represent an authenticated session or to make authenticated requests to your backend.

For information about managing authenticated sessions, see our Sessions documentation.