HomeDocumentation Index
Fetch the complete documentation index at: https://turnkey-0e7c1f5b-graham-docs-revamp.mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
What are company wallets?
Company wallets are custodial wallets owned and operated by your organization. Your team controls the keys and defines who can sign, what they can sign, and under what conditions. The wallets belong to your business; Turnkey provides the infrastructure to operate them securely at scale. Where embedded wallets give each end user their own wallet, company wallets centralize control within your organization. Your backend services, operators, and automated systems sign transactions through Turnkey’s API, governed by role-based access controls and the policy engine.Why Turnkey for company wallets?
Managing company-controlled keys means solving for security, access control, multi-chain support, and automation, all without exposing private keys to your team or your infrastructure. Turnkey handles this so you can focus on your operations. With Turnkey, you can:- Sign millions of transactions with sub-100ms latency via secure enclaves
- Define role-based access controls so each operator, service, or team member can only sign what they’re authorized to
- Require multi-party approval for high-value or sensitive operations
- Support any blockchain with chain-agnostic, arbitrary signing
- Automate workflows like sweeps, payouts, and contract interactions via API
- Import existing keys or export them when needed
How it works
Your backend authenticates to Turnkey via API key. Inside the secure enclave, the policy engine evaluates the request against the signing policies you’ve defined. If approved, the enclave signs and returns the signature. If denied, no signature is produced. Private keys never leave the secure enclave. Your operators and services interact with signatures, not keys.Access control model
Company wallets use a single organization (or sub-organizations for tenant isolation). Within that org, you define:- Users representing human operators and automated services, each with their own credentials (API keys, passkeys)
- Tags grouping users by role (e.g.
deployer,treasury-ops,sweeper) - Policies controlling what each role can sign: by recipient address, contract address, function selector, chain ID, transaction value, or any combination
Security model
- Keys never leave the enclave. Private keys live in Trusted Execution Environments (TEEs). All signing happens inside verifiable infrastructure; only signatures are returned.
- Role-scoped access. Every signing request is evaluated against policies in the enclave. Operators and services can only perform actions they’ve been explicitly authorized for.
- Multi-party approval. For sensitive operations, require multiple approvers before the enclave will sign. See Co-signing transactions.
- Trusted vs. untrusted separation. A breach of your backend does not expose keys or signing capability. The enclave enforces policies independently of your infrastructure.
Building with Turnkey
Most company wallet integrations are backend-driven. Use Turnkey’s server SDKs to create wallets, sign transactions, and manage policies programmatically from your infrastructure. Server SDKs are available for TypeScript, Go, Ruby, Python, and Rust. For full control, you can call the Turnkey API directly. The Turnkey Dashboard serves as an internal GUI for managing wallets, users, and policies. If you need a custom operator-facing interface, you can build one using the Embedded Wallet Kit. See the Company Wallets Quickstart to get started.Use cases
Company wallets serve different needs depending on what you’re building. Choose the pattern that matches your operations.Ready to build?
- Company Wallets Quickstart — set up your organization, create wallets, and sign your first transaction
- Policy Quickstart — define access controls and signing rules for your team
- SDK Reference — server SDKs for TypeScript, Go, Ruby, Python, and Rust