OpenKey is a Trusted Execution Environment (TEE) based key management service built by TinyCloud Labs. It generates, stores, and signs with Ethereum private keys entirely inside a hardware-isolated enclave, so keys never exist in plaintext outside the TEE. Users authenticate with passkeys (WebAuthn), making the experience passwordless and phishing-resistant. OpenKey also functions as an OAuth 2.1 provider, allowing third-party applications to request signing operations on behalf of users. An embeddable widget and client SDK let any web application offer a “Sign with OpenKey” flow without requiring browser extensions or seed phrases.
Key Features
TEE Key Generation
Private keys are generated and sealed inside a Trusted Execution Environment. They never leave the enclave in plaintext.
Passkey Authentication
Passwordless, phishing-resistant login using WebAuthn. No seed phrases to lose.
Message Signing
Sign arbitrary messages and EIP-712 typed data. Supports both personal_sign and raw formats.
OAuth 2.1 Provider
Third-party apps authenticate users and request signing through a standard OAuth flow with PKCE.
Embeddable Widget
Drop-in popup or iframe widget for connect and sign flows. No browser extension required.
TinyCloud Integration
Use OpenKey as the signer for TinyCloud Web SDK, replacing MetaMask or other wallet extensions.
Architecture
How It Works
User registers with email or Google
The user verifies their identity via email OTP or Google OAuth. This creates their account.
Passkey is created
During registration, the user registers a WebAuthn passkey (biometric or hardware key). All future logins use this passkey.
First key is auto-generated
When the account is created, an Ethereum private key is generated inside the TEE and sealed with a TEE-derived encryption key. The sealed blob is stored in the database.
How OpenKey Relates to TinyCloud
TinyCloud uses Sign-In with Ethereum (SIWE) for authentication, which traditionally requires a browser wallet extension like MetaMask. OpenKey provides an alternative signer for that SIWE flow: users get an Ethereum key managed by OpenKey and authenticate to TinyCloud without installing any extension. This lowers the barrier to entry for non-crypto-native users while preserving the same cryptographic guarantees. OpenKey OAuth is a separate flow for token-based access to your own application. Use TinyCloud Integration when you want OpenKey to sign TinyCloud’s SIWE session flow, and use OAuth Provider when you need OAuth 2.1 tokens. See TinyCloud Integration for setup details.
Next Steps
Quickstart
Create an account, generate a key, and sign your first message.
Widget Integration
Embed OpenKey connect and sign flows in your application.
OAuth Provider
Use OpenKey as an OAuth 2.1 provider for your app.
TinyCloud Integration
Use OpenKey as the signer for TinyCloud’s SIWE flow.