Embedded wallets · Sovereign custody

Wallets your users never think about. Keys you never hand over.

SignerKit is a self-hosted, Privy-compatible API for embedded EVM + Solana wallets. Email login, keys sealed in your own cloud KMS, signing isolated from everything else.

EVM Solana Cloud KMS-backed Isolated signer Per-tenant isolation

The custody model

SignerKit signs. It never surrenders the key.

Keys are encrypted in your cloud key-management service and only ever used inside a hardened signing service — never exposed to your app, your logs, or the browser.

01 · SIGN IN

Email login, embedded wallet

Users log in with a one-time code and get a wallet automatically — nothing to install, no seed phrase to manage.

02 · STAY SEALED

Encrypted, isolated, never exposed

Keys are encrypted at rest in cloud KMS and only ever handled inside an isolated signing service — not your API, not your logs, not the client.

03 · SIGN

You get a signature, not a key

SignerKit returns a valid signature; broadcasting stays on your side. Custody stays sovereign and every action is auditable.

What you ship

Everything an embedded wallet needs — one API.

Email login → wallet

A 6-digit code provisions an embedded wallet automatically. No seed phrase for your users to lose.

Dual-chain, one identity

EVM and Solana wallets per user, provisioned together, under a single login.

Message & transaction signing

Sign arbitrary messages or serialized transactions; you broadcast on your own RPC.

Step-up key export

Users can export their recovery phrase — gated behind a second factor. Their keys, their choice.

TOTP MFA

Authenticator-based second factor for sensitive actions.

Delegated signing

Grant automation the right to sign within a policy — without ever holding the key.

Signed webhooks

Get notified of key account and signing events — each delivery is signed, so you can trust it's really from SignerKit.

Per-tenant isolation

Every account's users, wallets, and keys are cryptographically separated from every other.


Integrate

A frontend SDK and a backend SDK. That's the surface.

Drop a provider into your frontend for email login, wallets, and signing. Use the backend SDK to verify logins and sign for users within a policy. The hooks mirror Privy, so migrating is close to a find-and-replace.

🤖 Building with an AI? Your dashboard has a complete, copy-paste integration spec — hand it to Claude or Cursor and it wires SignerKit in for you.
Get your keys →
Security by construction

Built so a breach of one part can't unlock the keys.

The architecture assumes components get compromised and makes sure the key material still doesn't leak.

Encrypted in cloud KMS

Keys are encrypted at rest in a managed cloud key service. Plaintext key material is never stored.

Isolated signing

Keys are only ever used inside a hardened signing service — not your app, and not exposed to the internet.

Per-account isolation

Every account's users, wallets, and keys are cryptographically separated from every other.

Nothing sensitive in logs

Recovery phrases, keys, and one-time codes are redacted by construction; audit rows carry metadata only.

Audit trail on every sensitive op

Login, wallet creation, signing, export, delegation — each recorded with who, when, and from where.

Proven on real chains

Signed transactions are continuously verified end-to-end — broadcast and confirmed on live networks.

Own your users' keys.
Ship it this afternoon.

Create a merchant account, mint your App ID + Secret, and drop SignerKit into your app.