SeedKey Extension is a multi-browser extension for passwordless authentication, and part of the SeedKey Open Source ecosystem.
It enables websites to work efficiently with keys and signatures, while giving users independence from cloud platforms.
Based on a seed phrase, the extension generates a master key used to derive keys for a specific domain.
User flow:
- create a new seed phrase
- restore an identity from a seed phrase
Website flow:
- get a public key
- sign a challenge
- 🧩 Features
- 🔍 Interaction Architecture. How it works
- 🔒 Security & Privacy
- 🗺️ Roadmap
- 🤝 Contributing
- 🛡️ Vulnerability Disclosure
- 🧑💻 Development
- 🚩 Usage
- 🔌 Website Integration
- 🕵️ Privacy
- 📄 License
- Identity creation: generate a 12-word seed phrase.
- Recovery: restore an identity from a seed phrase.
- Per-domain keys: derive a separate Ed25519 keypair for each domain.
- Challenge signing: securely sign a challenge from the service.
- Arbitrary message signing: for custom scenarios.
- i18n: EN/RU multilingual support.
- Seed phrase → master key: when creating an identity, the master key is derived from the seed phrase and stored in `browser.storage.local`.
- Master key → site keys: for each website/domain, a separate Ed25519 keypair is derived.
- Website communication: the website talks to the extension via the content script.
Recommendation: the seed phrase is the primary recovery mechanism. If you implement the protocol on the service side, add additional account recovery options (OAuth/email, etc.).
- The master key must be encrypted with a Device Key and decrypted on each message signing operation.
- permissions:
  - **storage**: storing encrypted data and settings.
- Keys are not stored in the cloud. SeedKey also does not collect any information about you and operates locally in your browser.
- The content script runs on `all_urls` (to integrate with any website), but has no other network access.
- Isolation between websites: unique keys per domain.
- Replay protection: one-time `nonce` with TTL.
- Anti-phishing: verify that the request domain matches the domain inside the challenge.
- Rate limit: limit the number of signatures per domain.
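
The per-domain isolation, replay and anti-phishing checks listed above, sketched as an added example (this is not SeedKey's own code). The HKDF-based derivation, the challenge fields (`domain`, `nonce`, `expiresAt`), the 60-second TTL and all function names are assumptions made for illustration; the page does not specify them.

```javascript
// Added illustration, not SeedKey code. KDF, challenge layout and TTL are assumptions.
const nodeCrypto = require('node:crypto');

// PKCS#8 DER prefix that wraps a raw 32-byte Ed25519 private seed (RFC 8410).
const PKCS8_ED25519 = Buffer.from('302e020100300506032b657004220420', 'hex');
const TTL_MS = 60_000; // assumed nonce lifetime

// Assumed derivation: HKDF-SHA256 over the master key with the domain as "info",
// so every domain gets an unrelated, reproducible Ed25519 keypair.
function deriveSiteKey(masterKey, domain) {
  const seed = Buffer.from(nodeCrypto.hkdfSync('sha256', masterKey, Buffer.alloc(0), `site:${domain}`, 32));
  const der = Buffer.concat([PKCS8_ED25519, seed]);
  const privateKey = nodeCrypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
  return { privateKey, publicKey: nodeCrypto.createPublicKey(privateKey) };
}

// Bytes that get signed: the domain is bound into the signature together with the nonce.
const encode = (c) => Buffer.from(JSON.stringify([c.domain, c.nonce, c.expiresAt]));

// Extension side: refuse to sign when the requesting origin is not the challenge's domain.
function extensionSign(masterKey, requestOrigin, challenge) {
  const requestDomain = new URL(requestOrigin).hostname;
  if (challenge.domain !== requestDomain) return { ok: false, error: 'domain_mismatch' };
  const { privateKey, publicKey } = deriveSiteKey(masterKey, requestDomain);
  return { ok: true, publicKey, signature: nodeCrypto.sign(null, encode(challenge), privateKey) };
}

// Service side: nonces are single-use and expire after TTL_MS.
const pending = new Map(); // nonce -> issued challenge

function issueChallenge(domain, now = Date.now()) {
  const challenge = { domain, nonce: nodeCrypto.randomBytes(16).toString('hex'), expiresAt: now + TTL_MS };
  pending.set(challenge.nonce, challenge);
  return challenge;
}

function verifyResponse(publicKey, nonce, signature, now = Date.now()) {
  const challenge = pending.get(nonce);
  if (!challenge) return 'unknown_or_replayed_nonce';
  pending.delete(nonce); // consume first, so a nonce is never accepted twice
  if (now >= challenge.expiresAt) return 'expired';
  return nodeCrypto.verify(null, encode(challenge), publicKey, signature) ? 'ok' : 'bad_signature';
}
```

A real service would verify against the public key it stored at registration rather than one supplied with the response.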
- Improve master key encryption/decryption with the ability to use: WebAuthn/Passkeys/TPM/Keychain/Windows Hello, etc.
- Currently, Mozilla Store and Chrome Store do not support syncing with the registry, and release deployment is done manually. However, we should research and implement mechanisms to push builds via API.
If you have ideas and want to contribute, feel free to open an issue or pull request.
Please do not publish vulnerabilities in public issues.
Report them privately via maks@besssarab.ru
or open a private security advisory on GitHub.
- Node.js: >= 18
npm install
npm run dev
For specific browsers:
npm run dev:firefox
npm run dev:edge
npm run build
- Open `chrome://extensions`, enable Developer mode, and load the folder:
  - Chrome: `.output/chrome-mv3/`
Build for all browsers:
npm run build:all
Run tests:
npm test
- Open the extension.
- Choose:
- Create Identity — create a new seed phrase and identity.
- Restore — restore an identity from a seed phrase.
- Save the seed phrase. After creation, you can view it again only within 5 minutes.
- On a supported website, choose Sign in with SeedKey — the site will request a public key and a challenge signature.
In settings, Reset Extension removes the extension’s local data.
The recommended integration approach is to use the client SDK:
- seedkey-sdk-client — a library for working with the extension and sending requests to the backend.
Also check out other ecosystem repositories:
- seedkey-sdk-server — a library for implementing the service yourself.
- seedkey-auth-service — a self-hosted, ready-to-use service.
- seedkey-auth-service-migrations — migrations for seedkey-auth-service
- seedkey-auth-service-helm-chart — a Helm chart for deploying seedkey-auth-service + seedkey-auth-service-migrations.
See PRIVACY.
See LICENSE.

