The open-source alternative to Privy. Email auth + smart wallets that you own.
Onkey is an open-source, self-hosted, privacy-first authentication SDK that gives users Web2-style logins (email/phone/passkey) with smart contract wallets under the hood.
Core Value Prop: "Privy but you own the infrastructure. Privacy-first MPC auth that runs on your own servers."
Web3 onboarding is broken. Users either:
- Use MetaMask/hardware wallets: Complicated, requires seed phrases, painful UX for non-technical users
- Use custodial solutions (Privy, Magic): Easier UX but you're locked into a vendor's infrastructure
- Build auth themselves: Reinventing the wheel, managing keys, compliance nightmares
Web2 got it right: email login works. Web3 needs that simplicity without sacrificing security or giving up control of your infrastructure.
Onkey is a self-hosted, open-source authentication SDK that gives your users Web2-style logins (email/OTP) backed by non-custodial smart contract wallets.
| Feature | Onkey | Privy | Magic | Self-Built |
|---|---|---|---|---|
| Email/OTP Login | β | β | β | π’ |
| Self-Hosted | β | β | β | β |
| Open Source | β | β | β | β |
| MPC Security | β (Lit) | β | β | β |
| Smart Accounts (ERC-4337) | β | β | β | β |
| Gasless Txs | β | β | β | β |
| You Control Data | β | β | β | β |
| No Vendor Lock-in | β | β | β | β |
| Setup Time | 15 min | - | - | Weeks |
- Node.js 18+ | pnpm 8+ | Docker & Docker Compose | PostgreSQL 15+ | Redis 7+
```bash
git clone https://github.com/somehowliving/onkey.git
cd onkey
pnpm install
```

```bash
cp .env.example .env
# Fill in required variables:
# - DATABASE_URL
# - JWT_SECRET (32+ chars)
# - ENCRYPTION_KEY (32 bytes hex)
# - EMAIL_* (SMTP creds)
# - STYTCH_PROJECT_ID, STYTCH_SECRET
# - LIT_NETWORK, LIT_PRIVATE_KEY
# - BUNDLER_URL, PAYMASTER_URL (Pimlico)
```

```bash
docker-compose up -d
docker-compose exec backend pnpm db:migrate
```

```bash
pnpm dev
```

Backend: http://localhost:3001
Demo App: http://localhost:3000
- SDK: Download the SDK here
- Demo App: Try email login + send transactions
- Documentation: Full developer guide
- GitHub Repo: Source code
```
User Experience Flow

1. User lands on your app
   ↓
2. Click "Login with Email"
   ↓
3. Enter email → OTP sent (instant)
   ↓
4. Enter 6-digit code
   ↓
5. Logged in with non-custodial smart wallet
   ↓
6. Send a transaction → Gasless (sponsor with Paymaster)
   ↓
7. Done. No seed phrases. No popups. No gas fees.
```
```
Frontend (React/Next.js)
        ↓
@onkey/sdk (OnkeyProvider + useOnkey hook)
        ↓
Your Backend (Self-Hosted Fastify)
  ├─ Email OTP (Stytch)
  ├─ Session Management (JWT)
  ├─ Smart Account Creation
  ├─ Key Management (Lit Protocol MPC)
  └─ Transaction Relay
        ↓
Smart Contract (ERC-4337 Account)
        ↓
Blockchain (Base, Arbitrum, etc.)
```
```
onkey/
├── packages/
│   ├── backend/        # Fastify API + Prisma ORM
│   ├── mpc/            # Lit Protocol integration
│   ├── contracts/      # Solidity smart accounts (Foundry)
│   └── sdk/            # React SDK (@onkey/sdk)
├── examples/
│   └── nextjs-demo/    # Next.js reference app
├── docker-compose.yml  # Production-like setup
└── README.md
```
| Layer | Technology |
|---|---|
| Frontend SDK | React 18, TypeScript, Viem, Permissionless |
| Backend | Fastify 5, Prisma, PostgreSQL, Redis |
| Cryptography | Lit Protocol (MPC ECDSA), Stytch (OTP) |
| Smart Contracts | Solidity 0.8.23, Foundry, OpenZeppelin |
| Account Abstraction | ERC-4337, Pimlico Bundler/Paymaster |
| Deployment | Docker, Docker Compose |
Your users' keys are split using threshold cryptography:
```
User's Private Key
        ↓
Split into 2-of-2 Shares (Shamir Secret Sharing)
        ↓
┌──────────────┐   ┌──────────────┐
│ User Share   │   │ Server Share │
│              │   │              │
│ Device       │   │ Your DB      │
│ (IndexedDB)  │   │ (Encrypted)  │
└──────────────┘   └──────────────┘
        │     (Signing)     │
        └─────────┬─────────┘
                  ↓
     Lit Protocol (Decentralized)
                  ↓
        Signature Generated
```
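
The 2-of-2 split in the diagram above, worked through as an added example (not Onkey's or Lit Protocol's code): Shamir sharing over the secp256k1 group order, showing that both shares are required and that a lone share fits any candidate key. All function names are hypothetical, and the key is reconstructed in one place here only to check the arithmetic.

```typescript
import { randomBytes } from 'node:crypto';

// Order of the secp256k1 group; private keys and shares are scalars mod N.
const N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n;
const mod = (a: bigint): bigint => ((a % N) + N) % N;

interface Share { x: bigint; y: bigint }

// Uniform scalar in [1, N-1] by rejection sampling 32 random bytes.
function randomScalar(): bigint {
  for (;;) {
    const v = BigInt('0x' + randomBytes(32).toString('hex'));
    if (v > 0n && v < N) return v;
  }
}

// Hypothetical helper: 2-of-2 Shamir split with f(x) = secret + a*x mod N.
// The user share is f(1) and the server share is f(2).
function split(secret: bigint): { userShare: Share; serverShare: Share } {
  if (secret <= 0n || secret >= N) throw new RangeError('secret out of range');
  const a = randomScalar();
  return {
    userShare: { x: 1n, y: mod(secret + a) },
    serverShare: { x: 2n, y: mod(secret + 2n * a) },
  };
}

// Lagrange interpolation at x = 0 for the points x = 1 and x = 2:
// f(0) = 2*f(1) - f(2).
function combine(user: Share, server: Share): bigint {
  if (user.x !== 1n || server.x !== 2n) throw new Error('unexpected share indices');
  return mod(2n * user.y - server.y);
}

// For any candidate secret there is a slope a' that reproduces a lone share,
// so a single share (for example a leaked database row) does not narrow
// down the key. Returns that slope.
function slopeExplaining(share: Share, candidate: bigint): bigint {
  const diff = mod(share.y - candidate);
  const inv2 = (N + 1n) / 2n; // inverse of 2 mod N, valid because N is odd
  return share.x === 1n ? diff : mod(diff * inv2);
}
```
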
Why this is secure:
- No single point of failure (neither user nor server has full key)
- Server compromise ≠ wallet compromise
- Device loss ≠ wallet loss (server share lives)
- Non-custodial (you don't hold keys)
- Threshold signing via Lit (decentralized)
- At Rest: AES-256-GCM (server shares in database)
- In Transit: HTTPS/TLS 1.3 (required in production)
- Session: JWT with 1-hour expiry
- Rate Limiting: OTP limited to 3/hour per email
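
One way to implement the at-rest item above, as an added example rather than Onkey's own code: AES-256-GCM over a server share, with the key parsed from a 64-hex-character `ENCRYPTION_KEY`. The function names, the iv + tag + ciphertext storage layout and the use of the user id as associated data are assumptions of this example.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';

// Parse ENCRYPTION_KEY ("32 bytes hex" in .env): exactly 64 hex characters.
function parseKey(hex: string): Buffer {
  if (!/^[0-9a-fA-F]{64}$/.test(hex)) {
    throw new Error('ENCRYPTION_KEY must be 64 hex characters (32 bytes)');
  }
  return Buffer.from(hex, 'hex');
}

// Hypothetical helper: encrypt a server share for storage. The user id is
// bound as associated data, so a ciphertext copied onto another user's row
// fails authentication when it is opened.
function sealShare(key: Buffer, userId: string, share: Buffer): string {
  const iv = randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(userId, 'utf8'));
  const ct = Buffer.concat([cipher.update(share), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte authentication tag
  return Buffer.concat([iv, tag, ct]).toString('base64');
}

// Decrypt and authenticate. Throws if the key, the user id, or any stored
// byte differs from what was sealed.
function openShare(key: Buffer, userId: string, stored: string): Buffer {
  const raw = Buffer.from(stored, 'base64');
  if (raw.length < 12 + 16) throw new Error('stored share is truncated');
  const iv = raw.subarray(0, 12);
  const tag = raw.subarray(12, 28);
  const ct = raw.subarray(28);
  const decipher = createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  decipher.setAAD(Buffer.from(userId, 'utf8'));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}
```
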
```bash
# 1. Deploy Onkey backend
docker-compose -f docker-compose.yml up -d
# 2. Configure with your Stytch + Lit + Pimlico credentials
# 3. Use @onkey/sdk in your frontend
```

```bash
pnpm add @onkey/sdk viem
```

```tsx
import { useState } from 'react';
import { baseSepolia } from 'viem/chains';
import { OnkeyProvider, useOnkey } from '@onkey/sdk';

export function App() {
  return (
    <OnkeyProvider config={{
      backendUrl: 'https://your-onkey-backend.com',
      chain: baseSepolia,
      bundlerUrl: 'https://api.pimlico.io/v2/...',
      paymasterUrl: 'https://api.pimlico.io/v2/...',
    }}>
      {/* YourApp is a placeholder for your own root component */}
      <YourApp />
    </OnkeyProvider>
  );
}

function LoginComponent() {
  const { login, verifyOTP, sendTransaction, address, isAuthenticated } = useOnkey();
  // Form state for the email address and the OTP code typed by the user
  const [email, setEmail] = useState('');
  const [code, setCode] = useState('');

  const handleLogin = async () => {
    await login(email);
    // OTP sent to email
  };
  const handleVerify = async (otp: string) => {
    await verifyOTP(email, otp);
    // User authenticated, smart account created
  };

  return (
    <>
      {isAuthenticated ? (
        <>
          <p>Wallet: {address}</p>
          <button onClick={() => sendTransaction({
            to: '0x...',
            value: BigInt('1000000000000000')
          })}>
            Send 0.001 ETH
          </button>
        </>
      ) : (
        <>
          <input placeholder="Enter email" onChange={(e) => setEmail(e.target.value)} />
          <button onClick={handleLogin}>Send OTP</button>
          <input placeholder="Enter 6-digit code" onChange={(e) => setCode(e.target.value)} />
          <button onClick={() => handleVerify(code)}>Verify</button>
        </>
      )}
    </>
  );
}
```

- Email/OTP authentication via Stytch
- 2-of-2 MPC key generation (Lit Protocol)
- ERC-4337 smart account creation
- Gasless transactions (Pimlico paymaster)
- Self-hosted Docker setup
- React SDK with hooks
- Next.js demo app
- Encrypted key storage
- Session management (JWT)
- Rate limiting
- Production security
| Phase | Features | Timeline |
|---|---|---|
| Phase 2 | Passkeys (WebAuthn), Telegram login, Social recovery, Session keys | Q2 2025 |
| Phase 3 | Multi-chain support, Mobile SDKs, Admin dashboard, Analytics | Q3 2025 |
| Phase 4 | Recovery agents, Account linking, Advanced permissions | Q4 2025 |
- Gaming: Seamless onboarding without wallet complexity
- Finance: Compliant self-hosted auth with full control
- Social: Email login with on-chain profiles
- Payments: Accept crypto with familiar UX
- NFTs: Simpler minting flow for mainstream users
- Privacy: Run infrastructure on your own servers
- Compliance: Full audit trail, custom policies
- Security: No vendor dependencies, reduce attack surface
- Cost: Scale without per-user SaaS fees
- Control: Fork, modify, integrate with internal systems
`POST /auth/login` - Send OTP

```json
{
  "email": "user@example.com"
}
```

`POST /auth/verify` - Verify OTP & create session

```jsonc
{
  "email": "user@example.com",
  "code": "123456",
  "methodId": "email_..." // from /auth/login
}
```

`GET /auth/me` - Get user info (requires JWT)

```
Authorization: Bearer <token>
```

`POST /mpc/sign` - Sign a transaction (requires JWT)

```json
{
  "userOpHash": "0x...",
  "userShare": "encrypted-share"
}
```

See full API docs: docs/API.md
```bash
# Unit tests
pnpm test
# Integration tests (requires Docker)
pnpm test:integration
# Contract tests
cd packages/contracts
forge test
```

Deploy on Base Sepolia (testnet):

```bash
cd packages/contracts
forge script script/Deploy.s.sol:DeployScript \
  --rpc-url base-sepolia \
  --broadcast \
  --verify
```

- Quick Start: Get running in 5 minutes
- Developer Guide: Backend + SDK integration
- API Reference: All endpoints
- Security: Threat model & best practices
- Deployment: Production checklist
- Architecture: Deep dive (included in source)
We welcome contributions! Help us build the most user-friendly Web3 auth.
```bash
# 1. Fork & clone
git clone https://github.com/somehowliving/onkey.git
# 2. Create feature branch
git checkout -b feat/amazing-feature
# 3. Make changes & test
pnpm test
# 4. Submit PR
# Describe what you've built and why
```

Development Setup:

```bash
pnpm install
pnpm dev     # Runs all packages in watch mode
pnpm lint    # Code quality
pnpm format  # Auto-format with Prettier
```

Areas we need help:
- Passkeys (WebAuthn) implementation
- Mobile SDKs (React Native, Flutter)
- Additional login methods (Telegram, Discord, Twitter)
- Admin dashboard
- Analytics & monitoring
- Documentation translations
- Example apps (different frameworks)
| Metric | Onkey | Industry Avg |
|---|---|---|
| Setup Time | 15 min | Hours/Days |
| Data Ownership | 100% | 0% |
| Vendor Lock-in | None | High |
| Code Transparency | Open Source | Black Box |
| Cost (Scale) | Your infra | Per user SaaS |
| Customization | Unlimited | Limited |
- Auth Time: < 2 seconds (email → logged in)
- Transaction Latency: < 5 seconds (sign → mined)
- Network Uptime: 99.9%+ (self-hosted)
- Key Recovery: Instant (with server share)
- MPC implementation: Audited by [Lit Protocol]
- Smart contracts: Internal review + Foundry tests
- Full security audit: In progress (Q1 2025)
Report: SECURITY.md
MIT © 2025 Onkey Contributors
You're free to:
- Use commercially
- Modify & fork
- Distribute
- Private use
You must:
- Include license & copyright
- Discord: Join Community - Get help, discuss features
- GitHub Discussions: Discussions
- Twitter/X: @OnkeyAuth - Updates & announcements
- Email: nidhiyp05@gmail.com - Direct contact
Built with:
- Lit Protocol: MPC & threshold signing
- Stytch: Email OTP infrastructure
- OpenZeppelin: Smart contract libraries
- Pimlico: ERC-4337 bundler & paymaster
- Viem: Blockchain interactions
- Fastify: Backend framework
| Current (v1.0) | v1.5 | v2.0 | v3.0 |
|---|---|---|---|
| Email OTP | + Passkeys | + Mobile SDKs | + AI |
| MPC Keys | + Telegram | + Multi-chain | + DeFi |
| Smart Accts | + Recovery | + Analytics | + Permissions |
| Gasless Txs | + Sessions | + Dashboard | + Bridges |
Web3 adoption is blocked by UX. Users want Web2 simplicity but Web3 doesn't have it. Privy proved the model works, but companies shouldn't be locked into closed infrastructure.
Onkey's mission: Give every developer the power to offer Privy-level UX while maintaining full control of their security, data, and infrastructure.