Delegated Access Setup

Enable and set defaults

In the developer dashboard, navigate to Embedded Wallets → Delegated Access and toggle on “Delegated Access”. Recommended defaults:

Prompt users on sign in: ON (auto-prompt users on their next sign in)
Require delegation: OFF (let users skip; enforce later in your app if needed)

Provide encryption key (server)

Dynamic encrypts the delegated materials before sending to your server using a hybrid approach using RSA and AES. Provide your public key, or let Dynamic generate a key pair for you.

Register your Delegated Access endpoint (server)

Provide a verified HTTPS URL that receives wallet.delegation.created (and wallet.delegation.revoked). After adding the URL, we send a ping to verify reachability. View events in the Webhooks section of the dashboard. When a user approves delegation, your endpoint receives wallet.delegation.created with encrypted materials under data. Verify the signature and store securely. See Receiving for payload and decryption.

Before processing any webhook, verify signatures. Dynamic sends a signature in the x-dynamic-signature-256 header. Compute HMAC-SHA256 of the raw request body with your webhook secret (from the webhook detail page in the dashboard) and compare with the header value using a constant-time comparison. The payload you hash must match exactly as received.

Example (Node):

import * as crypto from "crypto";

export const verifySignature = ({
  secret,
  signature,
  payload,
}: { secret: string; signature: string; payload: any }) => {
  const payloadSignature = crypto
    .createHmac("sha256", secret)
    .update(JSON.stringify(payload))
    .digest("hex");
  const trusted = Buffer.from(`sha256=${payloadSignature}`, "ascii");
  const untrusted = Buffer.from(signature, "ascii");
  return crypto.timingSafeEqual(trusted, untrusted);
};

Trigger delegation from your app

Once setup is complete, choose your SDK to learn how to trigger delegation and use delegated materials: