> ## Documentation Index
> Fetch the complete documentation index at: https://docs.turnkey.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Credentials

> Credentials are how users authenticate to Turnkey. Turnkey only stores public keys; private keys never leave your device.

## Types

**Authenticators** — WebAuthn devices registered on Turnkey: passkeys, biometrics, and hardware keys. Used to sign requests directly, using the [WebAuthn standard](https://www.w3.org/TR/webauthn-2/) (no passwords).

**API keys** — Cryptographic key pairs used to sign API requests. Turnkey supports P-256, SECP256K1, and Ed25519 curves. Come in two forms:

* *Long-lived* — created via the dashboard, CLI, or [API](/api-reference/activities/create-api-keys). You generate the key pair; Turnkey stores the public key.
* *Expiring* — issued automatically when a user authenticates via email, SMS, OAuth, or wallet auth. Short-lived by default (15 minutes), with a configurable expiration window.

## Credential types

Each issuance path produces a credential of a specific type, which Turnkey returns in API responses. You can retrieve the type and public key for any API key via [GetAPIKey](/api-reference/queries/get-api-key).

| Credential type                               | Issued by                                                                                                               |
| --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
| `CREDENTIAL_TYPE_WEBAUTHN_AUTHENTICATOR`      | [Passkeys](/features/authentication/passkeys/introduction)                                                              |
| `CREDENTIAL_TYPE_API_KEY_P256`                | [Manually created API keys](/api-reference/activities/create-api-keys)                                                  |
| `CREDENTIAL_TYPE_OTP_AUTH_KEY_P256`           | [Email OTP](/features/authentication/email) or [SMS](/features/authentication/sms) auth                                 |
| `CREDENTIAL_TYPE_EMAIL_AUTH_KEY_P256`         | [Email auth — credential bundle method](/features/authentication/email) (legacy)                                        |
| `CREDENTIAL_TYPE_RECOVER_USER_KEY_P256`       | [Email recovery](/features/authentication/email) (legacy)                                                               |
| `CREDENTIAL_TYPE_OAUTH_KEY_P256`              | [Social logins](/features/authentication/social-logins)                                                                 |
| `CREDENTIAL_TYPE_API_KEY_SECP256K1`           | [Wallet auth — Ethereum/SECP256K1](/solutions/embedded-wallets/integration-guide/react/using-external-wallets/overview) |
| `CREDENTIAL_TYPE_API_KEY_ED25519`             | [Wallet auth — Solana/ED25519](/solutions/embedded-wallets/integration-guide/react/using-external-wallets/overview)     |
| `CREDENTIAL_TYPE_READ_WRITE_SESSION_KEY_P256` | [Read-write sessions](/api-reference/activities/create-read-write-session)                                              |
| `CREDENTIAL_TYPE_LOGIN`                       | [IndexedDB auth](/sdks/advanced/indexed-db-stamper) — OTP, passkey, or OAuth                                            |