What is key management?

Turnkey provides infrastructure to store, recover, and operate on cryptographic keys beyond just wallet use cases. Instead of managing raw key material in your own infrastructure, your application delegates key storage to Turnkey’s secure enclaves and controls access through programmable policies. You define who can use a key and under what conditions; Turnkey ensures the key material is never exposed.

Why Turnkey for key management?

Protecting cryptographic keys means solving for secure storage, access control, disaster recovery, and auditability. Turnkey’s infrastructure handles this so your keys remain protected throughout their lifecycle. With Turnkey, you can:
  • Store and import cryptographic keys in hardware-backed secure enclaves where key material never exists in plaintext outside the enclave boundary
  • Gate key access and export through a programmable policy engine, including quorum approval for sensitive operations
  • Authenticate key access through multiple methods including API keys, passkeys, social logins, email, and SMS OTP
  • Maintain a cryptographic audit trail where every key operation is stamped and verifiable
  • Distribute trust between your infrastructure and Turnkey so no single party can access plaintext material

How it works

Your backend authenticates to Turnkey via API key. The policy engine evaluates every request inside the secure enclave before any key operation executes. Keys are stored and operated on entirely within the enclave. Only derived outputs (public keys, encrypted export bundles, and operation results) are returned.

Access control model

Key management is configured through an organization with users, tags, and policies to control access:
  • Users representing human operators and automated services, each with their own credentials (API keys, passkeys)
  • Tags grouping users by role (e.g. recovery-admin, backup-operator)
  • Policies controlling who can access keys and under what conditions: by key ID, operation type, approval threshold, or any combination
Turnkey is deny-by-default. If no policy explicitly allows an action, it is rejected. See Policies and Policy Language.
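As an added illustration of the access model described above (not Turnkey's policy language, SDK or API; every name and data shape here is constructed for the example), a minimal deny-by-default evaluator that scopes allow rules by user tag, operation type and key ID, and counts distinct tagged approvers toward a quorum threshold:

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple

# Constructed toy model of the organization / users / tags / policies model.
# It is NOT Turnkey's policy language; field names are illustrative only.

@dataclass(frozen=True)
class User:
    user_id: str
    tags: FrozenSet[str] = frozenset()       # role tags, e.g. {"recovery-admin"}

@dataclass(frozen=True)
class Policy:
    """An allow rule. Anything not matched by some allow rule is rejected."""
    allowed_tags: FrozenSet[str]             # approvers must hold one of these
    operations: FrozenSet[str]               # e.g. {"sign"} or {"export"}
    key_ids: Optional[FrozenSet[str]] = None # None means the rule covers any key
    approval_threshold: int = 1              # distinct approvers required (quorum)

@dataclass(frozen=True)
class Request:
    operation: str
    key_id: str
    approvers: Sequence[User]                # users whose credentials stamped it

def evaluate(policies: Sequence[Policy], req: Request) -> Tuple[bool, str]:
    """Deny-by-default: return (True, reason) only if some policy allows req."""
    for p in policies:
        if req.operation not in p.operations:
            continue
        if p.key_ids is not None and req.key_id not in p.key_ids:
            continue
        # Only approvers holding one of the policy's tags count toward the
        # quorum, and each distinct user counts once even if it stamped twice.
        qualified = {u.user_id for u in req.approvers if u.tags & p.allowed_tags}
        if len(qualified) >= p.approval_threshold:
            return True, f"allowed: quorum {len(qualified)}/{p.approval_threshold}"
    return False, "denied: no policy explicitly allows this action"

# Constructed sample organization: two recovery admins and one backup service.
ALICE = User("alice", frozenset({"recovery-admin"}))
BOB = User("bob", frozenset({"recovery-admin"}))
BACKUP_SVC = User("backup-svc", frozenset({"backup-operator"}))

POLICIES = (
    # backup-operator may sign with any key, single approver
    Policy(frozenset({"backup-operator"}), frozenset({"sign"})),
    # exporting key-1 requires two distinct recovery-admin approvals
    Policy(frozenset({"recovery-admin"}), frozenset({"export"}),
           frozenset({"key-1"}), approval_threshold=2),
)
```

Running `evaluate(POLICIES, Request("export", "key-1", [ALICE]))` is denied because the quorum is not met, while the same request stamped by both admins is allowed; an operation no policy names (such as "delete") is rejected by default.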

Security model

  • Keys never leave the enclave. Cryptographic keys live in Trusted Execution Environments (TEEs). All key operations happen inside verifiable infrastructure; only derived outputs are returned.
  • End-to-end encryption for import and export. Key material in transit is encrypted directly to the enclave using HPKE. Plaintext never exists outside the enclave boundary.
  • Policy-gated access. Every key operation is evaluated against policies in the enclave. Users and services can only perform actions they have been explicitly authorized for.
  • Trusted vs. untrusted separation. A breach of your backend does not expose keys. The enclave enforces policies independently of your infrastructure.
For a deeper look, see Security and Secure Enclaves.

Building with Turnkey

Key management integrations are backend-driven. Use Turnkey’s server SDKs to store keys, manage policies, and handle import and export operations programmatically from your infrastructure. Server SDKs are available for TypeScript, Go, Ruby, Python, and Rust. For full control, you can call the Turnkey API directly. The Turnkey Dashboard provides an interface for managing organizations, users, and policies.

Use cases

Key management serves different needs depending on how your application uses cryptographic keys. Choose the pattern that matches your requirements.

Ready to build?