Introducing user email authentication on Turnkey

Stepping into crypto for the first time can be a confusing experience. Seed phrases, browser extensions, confusing terminology… these things are not compatible with a great onboarding experience in general, and even worse they are completely unfamiliar to a new crypto user. Developers building consumer applications on Turnkey have been clear: they want a simpler approach.

So, we’ve launched email authentication at Turnkey. But, true to our security paranoia, we’ve approached it a little differently than we’ve seen anyone else do, maintaining our commitment to exceptional security standards. Let’s dive into it.

First, a bit of background

On Turnkey, every activity needs a cryptographic signature - think of it as a digital "stamp" - from a user that is authorized to take that particular action. That means that a developer building non-custodial wallets into their consumer application needs to register a valid authenticator on behalf of the application’s end users, and request a stamp from that end user to approve each action. You can read more about why we require these stamps and how they protect user funds here.

Until now, Turnkey’s system accepted either a P-256 keypair or a WebAuthn credential (such as a passkey) as a valid authenticator.

A better user experience

With this latest product release, end users can now use their email to authenticate a valid session, during which they can opt to have all of their activities automatically stamped.

Developers can now build the following user experience using Turnkey’s SDK:

  • End user enters their email address to log in.

  • They receive an email with a one-time passcode (magic link & email customization coming soon).

  • They navigate back to the sign-in page and enter their new passcode.

  • Voila! The user has a valid session.

During this session, they can take as many actions as they want without re-authenticating for one-off actions. This UX is game-changing, especially for use cases like gaming, where the user may take hundreds or even thousands of actions in a short amount of time.

Behind the scenes

Behind the scenes, the end user is granted an expiring API key that is held in local storage. This key acts like a session key, allowing users to access their wallet and authenticate requests to Turnkey until the API key expires. Email is simply the mechanism through which the API key credential is safely delivered (to read more about how we accomplish that secure delivery, check out our email auth docs or the cryptographic details in our blog post about email recovery).

The flexibility of these expiring API keys opens up a whole new design space for application developers outside of just email authentication. We hope to see more creative applications of this new primitive soon, especially combined with Turnkey’s powerful policy engine. Here are just a few ideas of what’s now possible for developers on Turnkey:

  • Allow end users to initiate a session using an existing authenticator, like a passkey, in addition to initiating sessions with email

  • Give end users the ability to set their own session length based on their security preferences

  • Place limits on the type of actions an end user can take with a session key, while requiring a passkey approval for higher-security activities

Try it out

Ready to start building your own embedded end user wallets? Get started for free on Turnkey here, and head to our integration guide when you’re ready to enable email auth for your users.
