OpenKey can replace browser wallet extensions (MetaMask, WalletConnect, etc.) as the signer for TinyCloud’s SIWE sign-in flow. TinyCloud still uses SIWE for authentication; OpenKey supplies the Ethereum signer so users can authenticate with passkeys instead of a browser extension.

Why Use OpenKey with TinyCloud

  • No browser extension required: Users do not need MetaMask or any wallet installed
  • Passkey-based authentication: Biometric or hardware key login instead of seed phrases
  • TEE key security: Private keys are sealed inside a hardware enclave
  • Lower onboarding friction: Non-crypto-native users can get started without understanding wallets
  • Same cryptographic guarantees: OpenKey produces standard Ethereum signatures that TinyCloud verifies the same way as any wallet

Architecture

[Figure: OpenKey and TinyCloud integration flow]

Instead of the wallet extension signing the SIWE message, OpenKey’s TEE-managed key signs it. From TinyCloud’s perspective, the signature is indistinguishable from one produced by MetaMask.

TinyCloud’s default nonce behavior is fine for standard sign-in flows. If your app is a relying party that needs to verify a nonce, issue a one-time nonce from your server and thread it through the auth request. Do not generate nonces in the browser.

Setup

1. Install dependencies

npm install @tinycloud/web-sdk @openkey/sdk

2. Connect with OpenKey

import { OpenKey, OpenKeyProvider } from '@openkey/sdk';
import { TinyCloudWeb } from '@tinycloud/web-sdk';

// Initialize OpenKey
const openkey = new OpenKey({ appName: 'My TinyCloud App' });

// Connect (passkey auth + key selection)
const authResult = await openkey.connect();
console.log('Connected:', authResult.address);

3. Create provider and sign in to TinyCloud

Pass the OpenKeyProvider directly via TinyCloudWeb’s provider property shorthand. The SDK handles ethers wrapping internally.

const provider = new OpenKeyProvider(openkey, authResult);

const tc = new TinyCloudWeb({
  provider,
});

await tc.signIn();
console.log('TinyCloud session:', tc.address());

tc.signIn() constructs and signs the SIWE message automatically. Do not create SIWE messages manually; TinyCloudWeb handles this for you.

4. Use TinyCloud normally

Once signed in, all TinyCloud operations work exactly the same as with a browser wallet.

await tc.kv.put('profile', {
  name: 'Alice',
  wallet: 'openkey',
});

const result = await tc.kv.get('profile');
if (result.ok) {
  console.log(result.data.data);
}

Complete Example

import { OpenKey, OpenKeyProvider } from '@openkey/sdk';
import { TinyCloudWeb } from '@tinycloud/web-sdk';

async function main() {
  // Step 1: Connect with OpenKey
  const openkey = new OpenKey({ appName: 'My App' });
  const authResult = await openkey.connect();

  // Step 2: Create provider and sign in
  const provider = new OpenKeyProvider(openkey, authResult);
  const tc = new TinyCloudWeb({ provider });
  await tc.signIn();

  // Step 3: Use TinyCloud
  await tc.kv.put('settings', { theme: 'dark', lang: 'en' });
  const result = await tc.kv.get('settings');
  if (result.ok) {
    console.log('Settings:', result.data.data);
  }
}

main().catch(console.error);

Session Management

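Check if there’s an existing session before initiating a new sign-in flow:

import { OpenKey, OpenKeyProvider } from '@openkey/sdk';
import { TinyCloudWeb } from '@tinycloud/web-sdk';

const openkey = new OpenKey({ appName: 'My App' });

// Declared outside the branch so the session check and later calls share one instance
let tc;

async function ensureSignedIn() {
  if (tc?.session()) {
    // Reuse the existing session instead of prompting the user again
    console.log('Session active:', tc.address());
    return tc;
  }
  // No session yet: run the passkey connect, then the SIWE sign-in
  const authResult = await openkey.connect();
  const provider = new OpenKeyProvider(openkey, authResult);
  tc = new TinyCloudWeb({ provider });
  await tc.signIn();
  return tc;
}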

Delegations with OpenKey

Delegations work the same way regardless of whether the signer is OpenKey or a browser wallet. The primary DID is derived from the Ethereum address, which is the same whether the key is in MetaMask or OpenKey.

// Alice (using OpenKey) delegates to Bob
const delegation = await tc.createDelegation({
  delegateDID: bob.did, // Use the recipient's primary DID (tc.did after signIn)
  actions: ['tinycloud.kv/get', 'tinycloud.kv/list'],
  path: 'shared/',
  expiryMs: 7 * 24 * 60 * 60 * 1000, // 7 days in milliseconds
});

Use the recipient’s primary DID (tc.did after signIn) for delegations. This applies regardless of the signer being used. See the Delegations guide for details.

Comparison: OpenKey vs. Browser Wallet

| Aspect | Browser Wallet (MetaMask) | OpenKey |
| --- | --- | --- |
| Installation | Browser extension required | None (web-based) |
| Key storage | User’s device (local) | TEE (server-side, sealed) |
| Authentication | Wallet unlock (password) | Passkey (biometric) |
| Seed phrase | User must back up | Not applicable |
| Signing UX | Extension popup | OpenKey popup/iframe |
| Works on mobile | Requires mobile wallet app | Works in any browser |
| TinyCloud compatibility | Native | Via OpenKeyProvider |

Next Steps

  • Widget Integration: Learn more about the OpenKey widget for connect and sign flows.
  • OAuth Provider: Use OpenKey OAuth for token-based apps. TinyCloud itself uses SIWE, not OAuth.
  • Authentication Guide: Learn more about TinyCloud’s SIWE authentication model.
  • Delegations Guide: Share access to spaces with delegatable capabilities.