API Keys

Securely manage authentication credentials for your Okto integration

Understanding Okto API Credentials

The Okto API credentials authenticate your requests to Okto and associate them with your Okto Dashboard account. Okto provides three credentials for integrating with your application:

  1. Client SWA: A public identifier for your application, representing your client's Smart Wallet Account.
  2. Client Private Key: A confidential key for secure authentication of your client SWA.
  3. Treasury API Key: A confidential key used to authorize actions for your Treasury Wallets.

API Page - Okto Dashboard

These credentials work together to authenticate your requests to the Okto platform and ensure secure communication.

Client SWA

The Client SWA is a unique identifier for your application and for you as a Client. It is the smart contract address of your client's primary Smart Wallet Account (SWA) on the Okto Chain, and it is what associates your Okto client with your specific app in our system.

Steps to Access Client SWA

  1. Log in to the Okto Dashboard.

  2. Navigate to the API Keys section from the sidebar menu.

API Page - Okto Dashboard

  3. Locate the Client SWA displayed at the top of the API Keys page.

  4. Click the Copy button to copy the Client SWA to your clipboard.


Client Private Key

The Client Private Key is a confidential key used to authenticate API requests associated with your Client SWA. It is the private key (EVM ECDSA format, e.g., 0x...) of the authority of your Client SWA on the Okto Chain. Keep this secret secure: never share it publicly and never include it in client-side code. If the key is compromised, you can reset the authority (see Reset Client Private Key below).

Steps to Access Client Private Key

  1. Log in to the Okto Dashboard.

  2. Navigate to the API Keys section from the sidebar menu.

  3. Under the "Client Private Key" section, click the Get Client Private Key (or similarly named) button.

  4. Once revealed, copy and securely store the Client Private Key. We recommend that you download this value and store it somewhere safe.

API Page - Okto Dashboard

Note

  • Client SWA and Client Private Key pairs are unique for each environment (e.g., sandbox, production).
  • Ensure you're using the correct pair for the environment you're working in.
  • Okto does not store your Client Private Key, so keep it safe and secret.

Treasury API Key

The Treasury API Key is a confidential key used to authorize actions and generate Okto Auth Tokens for any of your Treasury Wallets. It effectively acts as the session private key for operations performed by your Treasury Wallets. Like the Client Private Key, keep this secret secure.

Steps to Access Treasury API Key

  1. Log in to the Okto Dashboard.

  2. Navigate to the API Keys section from the sidebar menu.

  3. Locate the "Treasury API Key" section.

  4. Click the Get Treasury API Key (or similarly named) button.

  5. Once revealed, copy and securely store the Treasury API Key.

API Page - Okto Dashboard

Important

The Treasury API Key is powerful as it can authorize transactions from any of your Treasury Wallets. Secure it with the utmost care.


Storing Confidential Keys (Client Private Key & Treasury API Key)

  • How Okto stores them: Okto does not store these private keys. If lost, the Client Private Key can be reset (which may involve resetting its authority). A lost Treasury API Key likewise requires a reset.
  • How you should store them:
    • Use environment variables or secure secret management systems on your backend.
    • Never hardcode these keys in your application code, especially client-side code.
    • Avoid storing them in version control systems like Git.
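The storage rules above, as an added example that is not part of the Okto docs or SDK: a backend loader that reads the three credentials from environment variables instead of source code, checks their shape, refuses to start with the wrong environment's key pair, and masks the two secrets before anything is logged. The variable names and the address/key regexes are assumptions; the Treasury API Key format is not documented here, so it is only required to be non-empty.

```javascript
// Added example (not Okto's own code). Names and regexes are assumptions.
const SECRET_KEYS = new Set(["OKTO_CLIENT_PRIVATE_KEY", "OKTO_TREASURY_API_KEY"]);

const RULES = {
  // Which dashboard environment this key pair came from (pairs differ per environment).
  OKTO_ENVIRONMENT: /^(sandbox|production)$/,
  // Public identifier: a 20-byte smart contract address on the Okto Chain.
  OKTO_CLIENT_SWA: /^0x[0-9a-fA-F]{40}$/,
  // Secret: EVM ECDSA private key, 0x-prefixed 32-byte hex.
  OKTO_CLIENT_PRIVATE_KEY: /^0x[0-9a-fA-F]{64}$/,
  // Secret: the page gives no format, so only require a non-empty value.
  OKTO_TREASURY_API_KEY: /^\S+$/,
};

// Read and validate the credentials; `env` defaults to the process environment.
function loadOktoCredentials(env = process.env) {
  const problems = [];
  const creds = {};
  for (const [name, rule] of Object.entries(RULES)) {
    const value = (env[name] || "").trim();
    if (!rule.test(value)) {
      // Report the name only: the offending value may be a secret.
      problems.push(`${name} is missing or malformed`);
      continue;
    }
    creds[name] = value;
  }
  if (problems.length) throw new Error(`Okto credentials: ${problems.join("; ")}`);
  return Object.freeze(creds);
}

// Mask the secrets entirely before credentials reach logs or error reports.
function redact(creds) {
  const out = {};
  for (const [name, value] of Object.entries(creds)) {
    out[name] = SECRET_KEYS.has(name) ? "[redacted]" : value;
  }
  return out;
}

// Refuse to run sandbox keys against production, or production keys in sandbox.
function assertEnvironment(creds, expected) {
  if (creds.OKTO_ENVIRONMENT !== expected) {
    throw new Error(`Loaded ${creds.OKTO_ENVIRONMENT} keys but running in ${expected}`);
  }
  return true;
}
```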

Reset Client Private Key

If you lose your Client Private Key or suspect unauthorized use:

  1. Go to the API Keys section on the dashboard.

API Page - Okto Dashboard

  2. Click the Reset button next to the Client Private Key field.

  3. A new Client Private Key will be generated. Copy the Client Private Key and store it securely.

  4. Update all your applications with the new secret to avoid service disruption.

Security Best Practices

  • Anyone who obtains your confidential keys can make unauthorized requests or transactions on your behalf.
  • In case of a suspected breach, immediately regenerate the compromised key(s) and update your applications.

FAQ

1. What are the main credentials and their roles?

  • Client SWA: Public identifier of your client application's main smart wallet on Okto.
  • Client Private Key: Secret key to authenticate actions for your Client SWA.
  • Treasury API Key: Secret key to authenticate actions for any of your Treasury Wallets.

2. How do I know which environment (sandbox/production) my API keys belong to?

Each environment's keys are managed separately. Check which environment the dashboard is showing (e.g., "Sandbox" or "Production") before copying your keys.

3. What should I do if I accidentally expose a private key?

Immediately reset the compromised key (Client Private Key or Treasury API Key) through the dashboard and update it in your applications to prevent unauthorized access.

4. Can I use the same credentials across multiple applications?

While technically possible, we recommend using separate credentials for each application for better security and management.


Next Steps

With your Okto credentials in hand, you're ready to:

  1. Enable Chains and Tokens for your application
  2. Set up Treasury Wallets
  3. Configure Sponsorship (optional)
  4. Integrate with the Okto SDK