Authentication
Proxying signed requests
Turnkey has an open CORS policy for its public API. This means your frontend can choose to POST signed requests straight to https://api.turnkey.com. Your frontend can also choose to forward the requests via a backend server (which POSTs the signed request to Turnkey).
How should you decide what to do? Here are some considerations:
- A backend proxy can be useful if you need to inspect and persist activity results. For example: if your users are creating wallets, you might want to persist the addresses. If your users are signing transactions, you might want to broadcast on their behalf.
- Another reason why a backend server could be beneficial is monitoring, feature toggles, and validation: with a proxy you’re able to control which requests are proxied and which aren’t. You can also perform additional validation before signed requests are forwarded to Turnkey.
- POSTing signed requests directly from your app frontend to Turnkey saves you the burden of running a proxy server, and takes you out of the loop so that your end-users interact directly with Turnkey. This is a “hands-off” approach that can work well if you want to give your end-users maximum flexibility and ownership over their sub-organization.
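The control and validation a proxy gives you can be sketched as a gate that runs before anything is forwarded. This is an added example, not Turnkey's own code. It assumes the frontend posts `{ url, body, stamp }`, that the stamp is a signature over the exact request body sent in an `X-Stamp` header, and that the paths and activity types listed are the ones you want to allow; `gateSignedRequest`, `ALLOWED`, `DISABLED` and `knownOrgs` are hypothetical names.

```javascript
// Added example: gate for a backend proxy in front of Turnkey. Names are illustrative.
const TURNKEY_ORIGIN = "https://api.turnkey.com";

// Assumed policy: which API paths this proxy forwards, and the activity type
// each one must carry. Verify both against the Turnkey API reference.
const ALLOWED = new Map([
  ["/public/v1/submit/create_wallet", "ACTIVITY_TYPE_CREATE_WALLET"],
  ["/public/v1/submit/sign_transaction", "ACTIVITY_TYPE_SIGN_TRANSACTION_V2"],
]);

// Feature toggle (hypothetical): paths temporarily switched off.
const DISABLED = new Set(["/public/v1/submit/sign_transaction"]);

// signed = { url, body, stamp } as posted by the frontend; body is the exact
// JSON string that was stamped. knownOrgs = sub-organization IDs from our DB.
function gateSignedRequest(signed, knownOrgs) {
  const deny = (reason) => ({ forward: false, reason });
  if (typeof signed.body !== "string" || !signed.stamp) return deny("malformed");

  let target;
  try { target = new URL(signed.url); } catch { return deny("bad url"); }
  // Never let the client choose the upstream host (open-relay / SSRF risk).
  if (target.origin !== TURNKEY_ORIGIN) return deny("wrong origin");
  if (target.search || target.hash) return deny("unexpected query");
  if (!ALLOWED.has(target.pathname)) return deny("path not allowed");
  if (DISABLED.has(target.pathname)) return deny("feature disabled");

  let parsed;
  try { parsed = JSON.parse(signed.body); } catch { return deny("bad json"); }
  if (parsed === null || typeof parsed !== "object") return deny("bad json");
  if (parsed.type !== ALLOWED.get(target.pathname)) return deny("type mismatch");
  if (!knownOrgs.has(parsed.organizationId)) return deny("unknown organization");

  // Forward the original string untouched: the stamp covers these exact
  // bytes, so re-serializing the parsed object would invalidate it.
  return {
    forward: true,
    url: TURNKEY_ORIGIN + target.pathname,
    headers: { "Content-Type": "application/json", "X-Stamp": signed.stamp },
    body: signed.body,
  };
}
```

Log the `reason` of each denial on the server so rejected requests show up in monitoring.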