Skip to main content
03 / EMBEDDED WALLETS
Embedded Wallets let you ship crypto wallets natively inside your product — without exposing private keys to your application or your team. Each user gets an isolated sub-organization with its own key material, authentication methods, and policies.

Why embedded wallets?

  • Non-custodial by default — users control their own credentials; you control the authentication surface
  • No key exposure — private keys are generated and stored inside TEE enclaves; they never leave
  • Flexible authentication — passkeys, email OTP, SMS OTP, email magic-link, Google OIDC
  • Policy-gated signing — apply per-user CEL rules with EVM, Solana, EIP-712, and Tron transaction contexts before any transaction is signed
  • EVM-, Solana-, and Tron-first parsing — EVM, Solana, and Tron have in-enclave transaction parsing and policy contexts; other chains support address derivation + raw signing only

Custodial vs. non-custodial

0xkey supports both models through the same sub-organization primitive:

Architecture

Each embedded wallet is backed by a sub-organization:
The parent org cannot modify sub-org contents — only the sub-org’s own credentialed users can take action, subject to its policies.

Current capabilities

See the Roadmap for the authoritative status matrix.

Get started

Embedded Wallet quickstart

Set up sub-org creation and auth in minutes

Authentication overview

Passkeys, OTP, OAuth, email, and sessions

Sub-organization auth

How sub-org authentication flows work

Wallet Kit setup

Install and configure @0xkey-io/react-wallet-kit