Skip to main content

Overview

The 0xkey Auth Proxy is a managed, multi-tenant service that signs and forwards authentication requests (OTP, OAuth, signup/suborg creation) to the 0xkey Coordinator (Public API) on your behalf so you don’t need to host your own backend for auth.
  • Host: https://authproxy.0xkey.io
  • What it does: Validates origin, looks up your org’s proxy configuration, signs the request with a proxy-scoped API key, and forwards the request to 0xkey Coordinator.
  • What it doesn’t do: It cannot log in users without their participation (e.g., OTP code entry, OAuth consent). It doesn’t access funds or broader org operations.
Enable and configure the Auth Proxy from the Dashboard → AUTH section (allowed origins, templates, session lengths, etc).

When to use the Auth Proxy

  • Use when you want backend-signed OTP/OAuth/signup flows with origin enforcement and central config. Your frontend calls Auth Proxy endpoints directly.

How it works

  1. Enable in Dashboard. Toggle Auth Proxy ON. 0xkey creates a Proxy User and proxy API key, stored encrypted in the auth proxy config for your org.
  2. Configure Allowed Origins. Only requests from these origins may call the proxy (CORS + origin validation). Each entry must be an exact URL (e.g. https://myapp.com). By default all origins are allowed (*). Note: partial wildcard patterns like https://*.myapp.com are not currently supported.
  3. Your App Calls Auth Proxy. Your frontend hits https://authproxy.0xkey.io/v1/... with your auth proxy config id and the flow parameters. This should be passed to the X-Auth-Proxy-Config-Id header in your request
  4. Proxy Signs & Forwards. Auth Proxy decrypts your proxy key in-memory, signs the activity, and forwards to 0xkey Coordinator.
  5. Coordinator Responds. Proxy returns success / error, plus any response payload (e.g., organizationId, session).
Security notes:
  • Proxy keys are HPKE encrypted inside our enclave; decrypted per request only in memory.
  • Strict separation from 0xkey’s core backend; communicates via public API only.
  • The Auth Proxy does not verify App Proofs produced by 0xkey’s secure enclaves, it simply passes them on to its caller. End-users (SDKs) are expected to perform this verification procedure, not the Auth Proxy. Public attestation and App Proof HTTP queries are Coming soon in Phase 1 — see Secure enclaves and the Roadmap.

Base URL

All endpoints are under https://authproxy.0xkey.io

Authentication & headers

  • Auth Proxy Config Id (required): identifies your parent org’s proxy config.
    • Send as header:
  • CORS & Origin: Requests must originate from a whitelisted origin set in the dashboard.

Endpoints

Signup (Create Sub-Organization)

POST /v1/signup Onboard a new user by creating a sub-organization. Optionally creates a wallet. Request Body
Response

Init OTP

POST /v1/otp_init Initialize an OTP (SMS or email) for a user. Request Body
Response

Verify OTP

POST /v1/otp_verify Verify the OTP code previously sent to the user’s contact. Request Body
Response

OTP Login

POST /v1/otp_login Login using a verification token and public key. Request Body
Response

OAuth2 Authenticate

POST /v1/oauth2_authenticate Authenticate with an OAuth 2.0 provider and receive an OIDC token issued by 0xkey in response. Request Body
Response

OAuth Login

POST /v1/oauth_login Login using an OIDC token and public key. Request Body
Response

Get Account

POST /v1/account Return organization id associated with a given filter (e.g. email, phone, credential ID, OIDC token). Request Body
Response

Get Wallet Kit Config

POST /v1/wallet_kit_config Return Wallet Kit feature toggles for the calling organization. Request Body
Response

Configuration (Dashboard → AUTH)

  • Enable/Disable the Auth Proxy for your org
  • Allowed Frontend Origins (CORS enforcement)
  • Email/SMS Customization
  • Session Expiration