Skip to main content
Delegated Access allows an application developer to act on behalf of a user. When enabled, the developer receives a cryptographic share and a per-wallet API key that allows limited operations such as signing transactions. This gives developers the ability to automate flows (e.g. bots, agents, recurring jobs) while keeping the end-user in full control of what’s allowed.

Supported Chains

Delegated access is currently supported for:
  • EVM (Ethereum, Polygon, Arbitrum, etc.)
  • Solana

Implementation Overview

  1. Enable Delegated Access in the dashboard and set defaults.
  2. Register your HTTPS endpoint (server) and add your public encryption key.
  3. Trigger delegation (client) — auto-prompt on sign in or call the hook.
  4. Receive webhook → verify signature → decrypt and store materials (server).
  5. Use the delegated materials to sign on behalf of the user (server).

How it works

1

Developer Setup

Developer configures a secure HTTPS endpoint (where Dynamic will send encrypted key shares) and provides an encryption key (or let’s Dynamic generate one) in the dashboard.
2

Webhook

A webhook is automatically created in the Dynamic environment with events wallet.delegation.created and wallet.delegation.revoked.
3

User Approval

Whenever triggered, the user is prompted to approve delegation.
4

Reshare Ceremony

If approved, Dynamic triggers a reshare ceremony:
  • User gets a new share.
  • Dynamic generates a new server share.
  • A webhook event is triggered for wallet.delegation.created and the developer’s endpoint receives data including the encrypted external share and per-wallet API key.
5

Secure Storage

The developer then decrypts this data and stores it securely (encrypting again on their side is recommended).
6

Delegated Operations

The developer uses our SDK to create a delegated client and perform allowed operations.
Delegated access does not allow exporting private keys, refreshing/resharing, or modifying policies. It is limited to user-approved signing operations.

Glossary

  • Delegated share: The encrypted MPC key share you decrypt and store on your server.
  • Per-wallet API key: API key scoped to a single wallet; sent encrypted to your server.
  • Reshare ceremony: Rotation that issues new user and server shares and produces delegated materials.
  • Delegation prompt: UI asking the user to approve delegation in your app.

Security considerations

  • Encryption: Dynamic encrypts shares before sending. Developers should re-encrypt before storage.
  • Per-wallet API keys: Each wallet has its own API key, scoped only to that wallet.
  • Limited operations: Developers cannot reshare, refresh, or export keys.
  • Audits & compliance: All delegated flows inherit Dynamic’s SOC2 and security posture.
  • Endpoint security: Ensure your delegated access endpoint uses HTTPS and proper authentication.

What's next?

Dashboard Setup