EIP-7702 passkey wallet infrastructure for app developers. Avok ships the pieces you need to add a real wallet to a web app without asking the user to install one, and without putting the private key on your server.
The user creates a passkey. Avok turns that passkey into an Ethereum account, encrypts a recovery copy with the passkey's WebAuthn PRF output, and stores the encrypted blob onchain. Your app delegates code to that account using EIP-7702. The user can pay gas themselves, or your app can sponsor gas and bill the user in a stablecoin you choose.
The private key never leaves the device. The backend only sees signed intents.
npm install @avokwalletjs/react @avokwalletjs/serverBackend (one file, a Node process):
import "dotenv/config";
import { createAvokServer, readAvokEnv } from "@avokwalletjs/server";
const server = createAvokServer({ env: readAvokEnv() });
server.listen();Frontend (one provider, one hook):
import { AvokProvider, useAvokCreateWallet } from "@avokwalletjs/react";
export function App() {
return (
<AvokProvider configUrl="/avok/config">
<CreateWallet />
</AvokProvider>
);
}
function CreateWallet() {
const { createWallet } = useAvokCreateWallet();
return <button onClick={() => createWallet({ name: "My wallet" })}>Create wallet</button>;
}The backend reads its config from environment variables. The minimum is:
AVOK_APP_ID=my-app
AVOK_PROFILE=arc-testnet:usdc
AVOK_RPC_URL=https://your-rpc.example
AVOK_CORS_ORIGINS=http://localhost:5173
AVOK_SPONSOR_PRIVATE_KEY=0x...
AVOK_ALLOWED_APP_CONTRACTS=0xYourTokenOrContractSee docs/configuration.md for the full list and packages/cli for an avok init command that writes a starting .env.example and a avok-server.mjs for you.
appWallet. Your app owns the relayer. The user signs a typed intent, your server pays the native gas, and the user reimburses your sponsor in a token you choose. Good for product flows where you do not want the user to think about gas. The relayer can only call contracts you explicitly allowlist.
powerWallet. The user pays native gas directly from the same account. The relayer is only used for the first onboarding transaction and for backup operations. Good for the export path, advanced users, and anything that should feel like a normal wallet.
Both modes share the same account, the same passkeys, and the same onchain backup. The user can switch between them per transaction.
| Package | Purpose |
|---|---|
@avokwalletjs/react |
React provider and hooks. The fastest way in. |
@avokwalletjs/server |
Node backend with the /avok/config, /avok/quote, /avok/onboard, /avok/relay routes. |
@avokwalletjs/core |
Passkey creation, PRF encryption, signing, delegation checks. Used by @avokwalletjs/react. |
@avokwalletjs/sponsor |
Fee quoting, signed-intent validation, relay queue, storage adapters (SQLite and Postgres). |
@avokwalletjs/contracts |
Solidity implementation and ABI metadata for the wallet contract. |
@avokwalletjs/config |
Supported chain and primary-token registry. |
@avokwalletjs/cli |
avok init, avok inspect, avok deploy, avok verify. |
Unaudited; an independent security review is currently in progress. Mainnet use is supported, but until the audit completes you should treat balances as at-risk.
If the user loses every passkey enrolled on their account and they did not export the private key, the account is permanently inaccessible. There is no Avok-side recovery path. Read docs/security.md and docs/multi-passkey.md before shipping.
- Architecture
- Security model
- Threat model
- appWallet mode
- powerWallet mode
- React Native & Expo
- Multi-passkey backup
- Live pricing
- Frontend security
- Configuration reference
- Hosting notes
examples/demo-app is a working end-to-end Vite app that exercises wallet creation, EIP-7702 onboarding with onchain backup, appWallet relay, powerWallet send, passkey management, sign-in, message signing, and private-key export against Arc Testnet. Run it locally:
git clone https://github.com/xanderslabs/avokwallet.git
cd avok
pnpm install
cp examples/demo-app/.env.example examples/demo-app/.env.local
# fill in AVOK_RPC_URL and AVOK_SPONSOR_PRIVATE_KEY
pnpm devSee CONTRIBUTING.md. Changes that touch any of the published packages need a changeset (pnpm changeset).
MIT. See LICENSE.