03 / EMBEDDED WALLETS
Embedded Wallets let you ship crypto wallets natively inside your product — without exposing private keys to your application or your team. Each user gets an isolated sub-organization with its own key material, authentication methods, and policies.
Why embedded wallets?
- Non-custodial by default — users control their own credentials; you control the authentication surface
- No key exposure — private keys are generated and stored inside TEE enclaves; they never leave
- Flexible authentication — passkeys, email OTP, SMS OTP, email magic-link, Google OIDC
- Policy-gated signing — apply per-user CEL rules with EVM, Solana, EIP-712, and Tron transaction contexts before any transaction is signed
- EVM-, Solana-, and Tron-first parsing — EVM, Solana, and Tron have in-enclave transaction parsing and policy contexts; other chains support address derivation + raw signing only
Custodial vs. non-custodial
0xkey supports both models through the same sub-organization primitive:Architecture
Each embedded wallet is backed by a sub-organization:Current capabilities
See the Roadmap for the authoritative status matrix.
Get started
Embedded Wallet quickstart
Set up sub-org creation and auth in minutes
Authentication overview
Passkeys, OTP, OAuth, email, and sessions
Sub-organization auth
How sub-org authentication flows work
Wallet Kit setup
Install and configure @0xkey-io/react-wallet-kit