> ## Documentation Index
> Fetch the complete documentation index at: https://docs.0xkey.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Overview

> 0xkey — programmable key and wallet infrastructure built on Trusted Execution Environments.

<div className="eyebrow">00 / OVERVIEW</div>

**0xkey** is the programmable <em className="accent">account layer</em> for applications that need real private keys. Every signing operation runs inside a Trusted Execution Environment (TEE); raw keys never leave the enclave. Whether you're building DeFi, payments, or AI agents, 0xkey gives you the cryptographic primitives and authentication surface to ship securely.

<CardGroup cols={2}>
  <Card title="Quickstart" icon="rocket" href="/getting-started/quickstart">
    Set up your organization and make your first API call
  </Card>

  <Card title="Embedded Wallets" icon="wallet" href="/embedded-wallets/overview">
    Create in-app wallets for your users
  </Card>

  <Card title="Company Wallets" icon="building" href="/company-wallets/overview">
    Institutional signing automation (coming soon)
  </Card>

  <Card title="API reference" icon="code" href="/api-reference/overview">
    Explore all available endpoints
  </Card>

  <Card title="Roadmap" icon="map" href="/0xkey/roadmap">
    See what's available today vs. coming soon
  </Card>
</CardGroup>

***

## What 0xkey provides

0xkey's Phase 1 focus is **Embedded Wallets** and **public API compatibility**. All private key operations are performed inside TEE enclaves — raw keys never leave the enclave boundary.

### Embedded Wallets

Create wallets on behalf of your users with a fully customizable authentication layer.

| Feature                 | Description                                                                                     |
| :---------------------- | :---------------------------------------------------------------------------------------------- |
| **Authentication**      | Passkeys (WebAuthn), Email OTP, SMS OTP (**Partial** — API only), Email magic-link, Google OIDC |
| **Sub-organizations**   | Each user gets a fully isolated organization                                                    |
| **Sessions**            | Read-write API key sessions with HPKE credential bundles; read-only sessions are API-only today |
| **Policy engine**       | CEL-based policies with EVM, Solana, EIP-712, and Tron transaction contexts                     |
| **Signing**             | secp256k1, Ed25519, P-256 inside the enclave; address derivation for all major chains           |
| **Embedded Wallet Kit** | TypeScript / React (`@0xkey-io/react-wallet-kit`) and an Auth Proxy for backend forwarding      |

In-enclave transaction parsing and policy contexts cover **EVM**, **Solana**, and **Tron** today; other chains support **address derivation + raw signing** only. On-chain broadcast is not yet wired (Phase 1 returns a mock for `eth_send_raw_transaction` and errors for high-level send activities). See the [Roadmap](/0xkey/roadmap) for the full status matrix.

### Company Wallets

Institutional signing automation with role-based policies and multi-party approvals — see [Company Wallets](/company-wallets/overview) (**coming soon**). Phase 1 focuses on Embedded Wallets; see the [Roadmap](/0xkey/roadmap).

***

## Core concepts

0xkey uses a hierarchical model of organizations, users, and wallets. Instead of directly managing private keys, wallets are accessed through authenticators.

* **Organizations** — top-level entities that represent your application
* **Sub-organizations** — isolated organizations for each end user; parent orgs cannot modify their contents
* **Users** — resources within an org that submit activities via credentials (API key, passkey, OAuth)
* **Wallets** — HD seed phrases that derive multiple chain accounts
* **Policies** — govern all signing activities; root users can bypass the policy engine
* **Activities** — any state-changing operation (sign, create, update) submitted to the API

Read the full [Concepts overview](/concepts/overview) for details.

***

## Architecture

0xkey runs all security-critical workloads inside **secure enclaves** powered by QuorumOS. Key properties:

* Raw private keys are **never exposed** to 0xkey engineers, your software, or your team
* Every organization change is **cryptographically stamped** inside the enclave before the policy engine acts on it
* No single engineer can deploy enclaves or reconstruct secrets

Learn more in the [Security](/security/our-approach) section.

***

## Start building

<CardGroup cols={2}>
  <Card title="Account setup" icon="user-plus" href="/getting-started/quickstart">
    Create your organization and API keypair
  </Card>

  <Card title="Embedded Wallet quickstart" icon="bolt" href="/getting-started/embedded-wallet-quickstart">
    Integrate wallets in minutes with the Wallet Kit
  </Card>

  <Card title="Authentication" icon="lock" href="/authentication/overview">
    Passkeys, OTP, OAuth, and email auth
  </Card>

  <Card title="API overview" icon="terminal" href="/developer-reference/api-overview/intro">
    Stamps, queries, and activity submissions
  </Card>
</CardGroup>
