Skip to main content
OpenKey can replace browser wallet extensions (MetaMask, WalletConnect, etc.) as the signer for TinyCloud Web SDK. This means users can authenticate to TinyCloud using their OpenKey-managed Ethereum keys, with passkey-based login instead of a browser extension.

Why Use OpenKey with TinyCloud

  • No browser extension required: Users do not need MetaMask or any wallet installed
  • Passkey-based authentication: Biometric or hardware key login instead of seed phrases
  • TEE key security: Private keys are sealed inside a hardware enclave
  • Lower onboarding friction: Non-crypto-native users can get started without understanding wallets
  • Same cryptographic guarantees: OpenKey produces standard Ethereum signatures that TinyCloud verifies the same way as any wallet

Architecture

OpenKey and TinyCloud integration flow
Instead of the wallet extension signing the SIWE message, OpenKey’s TEE-managed key signs it. From TinyCloud’s perspective, the signature is indistinguishable from one produced by MetaMask.

Setup

1

Install dependencies

npm install @tinycloud/web-sdk @openkey/sdk
2

Connect with OpenKey

import { OpenKey, OpenKeyProvider } from '@openkey/sdk';
import { TinyCloudWeb } from '@tinycloud/web-sdk';

// Initialize OpenKey
const openkey = new OpenKey({ appName: 'My TinyCloud App' });

// Connect (passkey auth + key selection)
const authResult = await openkey.connect();
console.log('Connected:', authResult.address);
3

Create provider and sign in to TinyCloud

Pass the OpenKeyProvider directly to TinyCloudWeb — the SDK handles ethers wrapping internally.
const provider = new OpenKeyProvider(openkey, authResult);

const tc = new TinyCloudWeb({
  provider,
});

await tc.signIn();
console.log('TinyCloud session:', tc.address());
tc.signIn() constructs and signs the SIWE message automatically. Do not manually create SIWE messages — TinyCloudWeb handles this for you.
4

Use TinyCloud normally

Once signed in, all TinyCloud operations work exactly the same as with a browser wallet.
await tc.kv.put('profile', {
  name: 'Alice',
  wallet: 'openkey',
});

const result = await tc.kv.get('profile');
if (result.ok) {
  console.log(result.data.data);
}

Complete Example

import { OpenKey, OpenKeyProvider } from '@openkey/sdk';
import { TinyCloudWeb } from '@tinycloud/web-sdk';

async function main() {
  // Step 1: Connect with OpenKey
  const openkey = new OpenKey({ appName: 'My App' });
  const authResult = await openkey.connect();

  // Step 2: Create provider and sign in
  const provider = new OpenKeyProvider(openkey, authResult);
  const tc = new TinyCloudWeb({ provider });
  await tc.signIn();

  // Step 3: Use TinyCloud
  await tc.kv.put('settings', { theme: 'dark', lang: 'en' });
  const result = await tc.kv.get('settings');
  if (result.ok) {
    console.log('Settings:', result.data.data);
  }
}

main().catch(console.error);

Session Management

Check if there’s an existing session before initiating a new sign-in flow: 
import { OpenKey, OpenKeyProvider } from '@openkey/sdk';
import { TinyCloudWeb } from '@tinycloud/web-sdk';

const openkey = new OpenKey({ appName: 'My App' });

if (tc.session()) {
  console.log('Session active:', tc.address());
} else {
  const authResult = await openkey.connect();
  const provider = new OpenKeyProvider(openkey, authResult);
  const tc = new TinyCloudWeb({ provider });
  await tc.signIn();
}

Delegations with OpenKey

Delegations work the same way regardless of whether the signer is OpenKey or a browser wallet. The primary DID is derived from the Ethereum address, which is the same whether the key is in MetaMask or OpenKey. 
// Alice (using OpenKey) delegates to Bob
const delegation = await tc.createDelegation({
  delegateDID: bob.did, // Use the recipient's primary DID (tc.did after signIn)
  actions: ['tinycloud.kv/get', 'tinycloud.kv/list'],
  path: 'shared/',
  expiryMs: 7 * 24 * 60 * 60 * 1000, // 7 days in milliseconds
});
Use the recipient’s primary DID (tc.did after signIn) for delegations. This applies regardless of the signer being used. See the Delegations guide for details.

Comparison: OpenKey vs. Browser Wallet

AspectBrowser Wallet (MetaMask)OpenKey
InstallationBrowser extension requiredNone (web-based)
Key storageUser’s device (local)TEE (server-side, sealed)
AuthenticationWallet unlock (password)Passkey (biometric)
Seed phraseUser must back upNot applicable
Signing UXExtension popupOpenKey popup/iframe
Works on mobileRequires mobile wallet appWorks in any browser
TinyCloud compatibilityNativeVia OpenKeyProvider

Next Steps

Widget Integration

Learn more about the OpenKey widget for connect and sign flows.

OAuth Provider

Use OpenKey as an OAuth provider for server-side apps.

Authentication Guide

Learn more about TinyCloud’s SIWE authentication model.

Delegations Guide

Share access to spaces with delegatable capabilities.