02 / CORE CONCEPTS
0xkey is built around a small set of composable primitives. Understanding them makes every integration decision straightforward.
How 0xkey works
Instead of directly managing private keys, wallets are accessed through authenticators — passkeys, API keys, or OAuth tokens. The enclave evaluates your policies before any signing operation proceeds.Organizations
An organization is the top-level container for your application’s resources: users, wallets, and policies.
Sub-organizations are the foundation of 0xkey’s embedded wallet model — each user gets their own isolated key space.
Users
A user is a resource inside an organization that can submit activities using a valid credential.
Users authenticate with one or more credentials: API keys, passkeys, or OAuth tokens. Multiple credential types can be attached to a single user.
Wallets
A wallet in 0xkey is an HD seed phrase that can derive many chain accounts (addresses). The seed never leaves the enclave.- One wallet can hold accounts across multiple chains
- Accounts are derived by
addressFormat(e.g.,ETHEREUM,SOLANA) - Signing requests reference a specific wallet account, not the seed directly
Policies
Policies govern all activities in an organization. Every signing operation, user creation, and resource modification is evaluated against the applicable policies before it proceeds.- Policies use a simple condition language (
effect,consensus,condition) - Root users can bypass the policy engine when the root quorum threshold is met
- Policies can target specific users, user tags, wallet accounts, or activity types
Activities
An activity is any state-changing operation submitted to the 0xkey API — signing a transaction, creating a wallet, adding a user, etc.- Activities are submitted as HTTP
POSTrequests to/public/v1/submit/* - Each activity goes through the policy engine before execution
- The response includes an
activityobject with astatusfield (PENDING,COMPLETE,FAILED, etc.) - Some activities require additional approvals and enter a
PENDING_CONSENSUSstate
/public/v1/query/* and do not go through the policy engine.