Implementation Overview
- Enable Delegated Access in the dashboard and set defaults.
- Register your HTTPS endpoint (server) and add your public encryption key.
- Trigger delegation (client) — auto-prompt on sign in or call the hook.
- Receive webhook → verify signature → decrypt and store materials (server).
- Use the delegated materials to sign on behalf of the user (server).
 
How it works
1. Developer Setup
Developer configures a secure HTTPS endpoint (where Dynamic will send encrypted key shares) and provides an encryption key (or lets Dynamic generate one) in the dashboard.
2. Webhook
A webhook is automatically created in the Dynamic environment with events wallet.delegation.created and wallet.delegation.revoked.
3. User Approval
Whenever triggered, the user is prompted to approve delegation.
4. Reshare Ceremony
If approved, Dynamic triggers a reshare ceremony:
- User gets a new share.
- Dynamic generates a new server share.
- A webhook event is triggered for wallet.delegation.created and the developer’s endpoint receives data including the encrypted external share and per-wallet API key.
5. Secure Storage
The developer then decrypts this data and stores it securely (encrypting again on their side is recommended).
6. Delegated Operations
The developer uses our SDK to create a delegated client and perform allowed operations.
Delegated access does not allow exporting private keys, refreshing/resharing, or modifying policies. It is limited to user-approved signing operations.
Glossary
- Delegated share: The encrypted MPC key share you decrypt and store on your server.
- Per-wallet API key: API key scoped to a single wallet; sent encrypted to your server.
- Reshare ceremony: Rotation that issues new user and server shares and produces delegated materials.
- Delegation prompt: UI asking the user to approve delegation in your app.
 
Security considerations
- Encryption: Dynamic encrypts shares before sending. Developers should re-encrypt before storage.
- Per-wallet API keys: Each wallet has its own API key, scoped only to that wallet.
- Limited operations: Developers cannot reshare, refresh, or export keys.
- Audits & compliance: All delegated flows inherit Dynamic’s SOC2 and security posture.
- Endpoint security: Ensure your delegated access endpoint uses HTTPS and proper authentication.
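
One way the server-side steps above could fit together, as an added example rather than Dynamic's own code: authenticate the delivery over the raw body in constant time, then re-encrypt the decrypted share before it is stored. The HMAC-SHA256 signature scheme, the payload field names, the `decryptShare` callback and the delete-on-revoke behaviour are assumptions; take the real ones from Dynamic's webhook documentation.

```javascript
const crypto = require('node:crypto');

// The two events the page says the webhook is created with.
const HANDLED_EVENTS = new Set(['wallet.delegation.created', 'wallet.delegation.revoked']);

// Assumed scheme: hex HMAC-SHA256 over the raw request body. Compared in constant time.
function verifySignature(rawBody, signatureHex, webhookSecret) {
  const expected = crypto.createHmac('sha256', webhookSecret).update(rawBody).digest();
  const given = Buffer.from(String(signatureHex), 'hex');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Re-encrypt decrypted material for storage: AES-256-GCM, wallet id bound as AAD.
function sealForStorage(plaintext, storageKey, walletId) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', storageKey, iv);
  cipher.setAAD(Buffer.from(walletId));
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt a stored record; throws if the record was tampered with or moved to another wallet.
function openFromStorage(record, storageKey, walletId) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', storageKey, record.iv);
  decipher.setAAD(Buffer.from(walletId));
  decipher.setAuthTag(record.tag);
  return Buffer.concat([decipher.update(record.ct), decipher.final()]);
}

// Handle one delivery. Field names (eventName, data.walletId, data.encryptedDelegatedShare)
// are hypothetical; deps.decryptShare stands in for decryption with your registered key.
function handleDelivery(rawBody, signatureHex, deps) {
  if (!verifySignature(rawBody, signatureHex, deps.webhookSecret)) return { status: 401 };
  const event = JSON.parse(rawBody.toString('utf8')); // parse only after authentication
  if (!HANDLED_EVENTS.has(event.eventName)) return { status: 204 };
  const walletId = event.data.walletId;
  if (event.eventName === 'wallet.delegation.revoked') {
    deps.store.delete(walletId); // assumed policy: drop stored materials on revocation
    return { status: 200 };
  }
  const share = deps.decryptShare(event.data.encryptedDelegatedShare);
  deps.store.set(walletId, sealForStorage(share, deps.storageKey, walletId));
  return { status: 200 };
}
```

The per-wallet API key can be sealed with the same `sealForStorage` call; keep `storageKey` in a KMS or secret manager rather than beside the records.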
 
What's next?
Dashboard Setup