tKey is the underlying SDK used to implement Web3Auth Plug n Play. This package can also be used to self host Web3Auth in your own system. tKey stands for Threshold Key, which refers to the management keys & shares generated using threshold cryptography.
v16 Breaking Change: All cryptographic primitives have been migrated from
bn.js/elliptic/Bufferto nativebigint/@noble/curves/Uint8Array. See the Migration Guide below.
The tKey SDK manages private keys by generating shares of it using Shamir Secret Sharing. For example, for a 2 out of 3 (2/3) setup, we give the
user three shares: ShareA, ShareB, and ShareC.
- ShareA is stored on the userβs device: Implementation is device and system specific. For example, on mobile devices, the share could be stored in device storage secured via biometrics.
- ShareB is managed and split across Web3Auth's Auth Network, accessed by an OAuth login provider that a user owns.
- ShareC is a recovery share: An extra share to be kept by the user, possibly kept on a separate device, downloaded or based on user input with enough entropy (eg. password, security questions, hardware device etc.).
Similar to existing 2FA systems, a user needs to prove ownership of at least 2 out of 3 (2/3) shares, in order to retrieve his private key.
For more information, check out the technical overview. Before integrating you can also check out the example for tKey.
To use the SDK in your application, please refer to our SDK Reference in Web3Auth Documentation
- Typescript compatible. Includes Type definitions
- Fully composable API
- Module support (Include only those modules which you require)
- Modern cryptography via
@noble/curves(secp256k1, ed25519) - Zero dependency on
Bufferβ uses nativeUint8Array - Audited
| Packages | @latest Version |
Size | Description |
|---|---|---|---|
| π tKey Standard Package | |||
@tkey/default |
 |
 |
Bundles Core and Modules into one importable package |
| π Core | |||
@tkey/core |
 |
 |
Core functionalities for creating a tkey |
| πβπ¦Ί Service Provider | |||
@tkey/service-provider-torus |
 |
 |
@service-provider-base with DirectAuth functionality |
| π³ Storage Layer | |||
@tkey/storage-layer-torus |
 |
 |
get/set metadata for various shares |
| π Modules | |||
@tkey/chrome-storage |
 |
 |
Add/remove a share from chrome extension storage |
@tkey/web-storage |
 |
 |
Add/remove a share from local and file storage |
@tkey/security-questions |
 |
 |
Add/remove a security question and password as a share for tkey |
@tkey/share-transfer |
 |
 |
Transfer share from another device |
@tkey/seed-phrase |
 |
 |
Store and use seedphrases on metadata |
@tkey/private-keys |
 |
 |
Store extra private keys on tKey metadata |
@tkey/share-serialization |
 |
 |
Import/export a share from tKey |
| π Low-Level | |||
@tkey/common-types |
 |
 |
Shared TypeScript Types |
v16 removes all legacy cryptography dependencies in favor of modern, audited alternatives:
| Before | After |
|---|---|
bn.js (BN) |
Native bigint |
elliptic |
@noble/curves/secp256k1 |
@toruslabs/tweetnacl-js |
@noble/curves/ed25519 |
Buffer |
Uint8Array |
What you need to change:
- Private keys and share values are now
bigintinstead ofBN. Replacenew BN(hex, 16)withBigInt(\0x${hex}`)`. - Public keys and encrypted data are now
Uint8Arrayinstead ofBuffer. UsehexToBytes/bytesToHexfrom@toruslabs/metadata-helpersfor conversions. BNStringtype has been removed. APIs now usebigintdirectly (wasBN | string).- JSON serialization of objects containing
bigintrequires thebigIntReplacerfrom@tkey/common-types:import { bigIntReplacer } from "@tkey/common-types"; JSON.stringify(thresholdKey, bigIntReplacer);
@tkey/tsshas been removed from this package and will be migrated separately.
- This package requires a peer dependency of
@babel/runtime - Node 22+
npm install
npm run pack:lerna
Each sub package is distributed in 3 formats
esmbuilddist/<MODULE_NAME>.esm.jsin es6 formatcommonjsbuilddist/<MODULE_NAME>.cjs.jsin es5 formatumdbuilddist/<MODULE_NAME>.umd.min.jsin es5 format without polyfilling corejs minified
By default, the appropriate format is used for your specified usecase You can use a different format (if you know what you're doing) by referencing the correct file
The cjs build is not polyfilled with core-js. It is upto the user to polyfill based on the browserlist they target
CDN's serve the non-core-js polyfilled version by default. You can use a different
jsdeliver
<script src="https://cdn.jsdelivr.net/npm/<MODULE_NAME>"></script>unpkg
<script src="https://unpkg.com/<MODULE_NAME>"></script>This is a plugin that works only on the client side. So please register it as a ssr-free plugin.
