0xkey delivers a secure, flexible solution for embedding end-user wallets directly into your application. Users sign in with familiar methods (passkeys, email, OAuth), without seed phrases, browser extensions, or external wallets. 0xkey lets you compose your app’s core experiences (onboarding, wallet flows, and transactions) with full control, without restricting critical product decisions to pre-built flows. Keys stay inside hardware-backed Trusted Execution Environments (TEEs), ensuring private keys are never exposed to your developers or to 0xkey. You can use the Embedded Wallet Kit for fast integration, or 0xkey SDKs and the API for more customization. Leading apps use 0xkey for embedded consumer wallets in production — see Customers.
Key implementation decisions
0xkey enables developers to tailor non-custodial, embedded user wallets across dimensions such as custody model, authentication, and more. See the key implementation decisions below to curate the exact user experience you need. For a full map of embedded wallet capabilities, see the Features overview.Custody model
Choose how much control users and your app have over signing:
Configure via policies
and sub-organization settings. See
Delegated Access for non-custodial, hybrid, and
app-controlled options.
Authentication
Balance security and friction for your audience:- Passkeys: Phishing-resistant, biometric. See passkey authentication.
- OAuth / email: Familiar, low-friction. See Authentication Overview.
- SMS: Market-dependent; consider risk and compliance.
Session management
Choose how users stay authorized and where session credentials live:- Read-write vs read-only: Read-write sessions (OTP, OAuth, passkey sessions) let users perform multiple signed actions in a time window. Read-only sessions suit low-touch apps where you mainly need to read data (e.g., via parent-org access or a read-only session token).
- Storage: IndexedDB (web) for persistent, client-held sessions without exposing keys to your JavaScript; SecureStorage (mobile); or LocalStorage (keys in app-accessible storage).
- Session duration: Default: 15 minutes (configurable via
expirationSeconds).
Wallet architecture
Choose where keys are generated and how wallets interact with the blockchain.
0xkey supports both. See Wallets Concept and
Transaction Management for derivation and gas sponsorship.
Gas sponsorship
Provide gasless UX by sponsoring gas for your users. 0xkey supports sponsored transactions and relay integration so users can sign and send without holding native tokens. See Transaction Management for gas sponsorship, transaction construction, broadcast, nonce management and monitoring capabilities.Key portability
Enable key portability and define whether users can import or export private keys. Enabling export can support user sovereignty and long-term trust. See Import wallets and export wallets.Core security principles
Embedded consumer wallet with 0xkey is built on these key principles:- Keys never leave the enclave: Private keys live in Trusted Execution Environments (TEEs). All derivation and signing happen inside verifiable infrastructure; only signatures are returned. Remote attestation lets you verify enclave integrity. Raw keys are never exposed to your app or to 0xkey.
- Authenticator-bound requests: Every sensitive operation is signed by a user-held authenticator (passkey, email, etc.). The enclave verifies the signature and then performs the operation. No request, no signing; a compromise outside the enclave cannot move funds. See Authentication Overview for supported methods and Enclave to end-user secure channel for how requests are verified.
- Scoped, programmable control: Choose non-custodial, hybrid, or app-controlled custody. Policies and sub-organization isolation limit who can sign what.
- Trusted vs. untrusted separation: Verification and execution run only inside secure enclaves. Trusted and untrusted infrastructure are strictly separated so that a breach of your app or backend does not expose keys or signing capability.
Architecture at a glance
User authentication flows into a signed request to 0xkey. Inside the enclave, the policy engine evaluates the request; key derivation and signing follow, and only the signature is returned. Your app can then broadcast the transaction through another provider or with 0xkey Transaction Management. For data flow and infrastructure details, see Embedded Wallets overview and Secure enclaves.
Example: Neobank-style embedded consumer wallet
Typical requirements and how 0xkey addresses them:Setting up your embedded consumer wallet
Follow these steps to launch an embedded consumer wallet experience inside your app.1
Create a 0xkey Org & Configure Authentication
Create an organization in the 0xkey Dashboard and choose how end users authenticate (Email OTP, Passkeys, OAuth).Docs
2
Add 0xkey to Your Client App
Install and initialize the 0xkey SDK at app startup so sessions and wallet operations are ready immediately.Docs
3
Implement Login, Signup & Session Handling
Build your login/signup flow and gate wallet actions until:
- The user is authenticated
- The 0xkey client is initialized
4
Create a Sub-Organization & Wallet Per User
On first login:
- Create a sub-organization
- Create a wallet
- Create required accounts (e.g., Ethereum, Solana)
5
Enable Core Wallet Actions in the UI
Expose wallet functionality directly inside your app.Signing DocsImport / Export / Recovery (Optional) Docs
Next steps
Ready to build? You can start with the Embedded Wallets Quickstart, explore the Features overview, or browse the Code Examples Hub.