@turnkey/sdk-browser
Advanced tools
A SDK client with browser-specific abstractions for interacting with Turnkey API. Also includes @turnkey/http, a lower-level, fully typed HTTP client.
Turnkey API documentation lives here: https://docs.turnkey.com.
$ npm install @turnkey/sdk-browser
import { Turnkey } from "@turnkey/sdk-browser";
const turnkey = new Turnkey({
apiBaseUrl: "https://api.turnkey.com",
defaultOrganizationId: process.env.TURNKEY_ORGANIZATION_ID,
// Optional: Your relying party ID - for use with Passkey authentication
rpId: process.env.TURNKEY_RP_ID,
});
The Passkey client allows for authentication to Turnkey's API using Passkeys.
const passkeyClient = turnkey.passkeyClient();
// User will be prompted to login with their passkey
await passkeyClient.login();
// Make authenticated requests to Turnkey API, such as listing user's wallets
const walletsResponse = await passkeyClient.getWallets();
The Iframe client can be initialized to interact with Turnkey's hosted iframes for sensitive operations.
The iframeContainer parameter is required, and should be a reference to the DOM element that will host the iframe.
The iframeUrl is the URL of the iframe you wish to interact with.
The example below demonstrates how to initialize the Iframe client for use with Email Auth
by passing in https://auth.turnkey.com as the iframeUrl.
const iframeClient = await turnkey.iframeClient({
// The container element that will host the iframe
iframeContainer: document.getElementById("<iframe container id>"),
iframeUrl: "https://auth.turnkey.com",
});
const injectedResponse = await iframeClient.injectCredentialBundle(
"<Credential from Email>",
);
if (injectedResponse) {
await iframeClient.getWallets();
}
| Flow | URL |
|---|---|
| Email Auth | auth.turnkey.com |
| Email Recovery | recovery.turnkey.com |
| Import Wallet | import.turnkey.com |
| Export Wallet | export.turnkey.com |
The Wallet client is designed for using your Solana or EVM wallet to stamp and approve activity requests for Turnkey's API. This stamping process leverages the wallet's signature to authenticate requests.
The example below showcases how to use an injected Ethereum wallet to stamp requests to Turnkey's API. The user will be prompted to sign a message containing the activity request payload to be sent to Turnkey.
import {
createWalletClient,
custom,
recoverPublicKey,
hashMessage,
} from "viem";
import { privateKeyToAccount } from "viem/accounts";
import { mainnet } from "viem/chains";
import { WalletStamper, EthereumWallet } from "@turnkey/wallet-stamper";
const walletClient = turnkey.walletClient(new EthereumWallet());
// Make authenticated requests to Turnkey API, such as listing user's wallets
// User will be prompted to sign a message to authenticate the request
const walletsResponse = await walletClient.getWallets();
@turnkey/sdk-browser provides TurnkeySDKBrowserClient, which offers wrappers around commonly used Turnkey activities, such as creating new wallets and wallet accounts.
Turnkey now supports persistent, secure, non-extractable authentication using P-256 passkeys stored in IndexedDB. This replaces legacy iframe-based flows for otp, passkey, and OAuth authentication.
The TurnkeyIndexedDbClient provides a long-lived session mechanism where the private key never leaves the browser and is scoped per sub-organization. This client handles login, session persistence, and API request signing entirely on the client side — without requiring iframes or sensitive credential injection.
import { Turnkey } from "@turnkey/sdk-browser";
const turnkey = new Turnkey({
apiBaseUrl: "https://api.turnkey.com",
defaultOrganizationId: "<YOUR_PARENT_ORG_ID>",
rpId: "<YOUR_WEBAUTHN_RELYING_PARTY_ID>",
});
const client = turnkey.indexedDbClient();
const passkeyClient = turnkey.passkeyClient();
// Create authenticated session
const pubKey = await indexedDbClient!.getPublicKey();
await passkeyClient?.loginWithPasskey({
sessionType: SessionType.READ_WRITE,
publicKey: pubKey!,
expirationSeconds: "3600",
});
// Now the client is authenticated and ready to interact with Turnkey API
const wallets = await client.getWallets();
💡 Why IndexedDB?
Keys are stored using the Web Crypto API, marked asnonExtractable, and survive page reloads — offering persistent, tamper-resistant authentication without ever exposing the raw key material.
Authentication via iframeClient() and injected credentials (e.g., from https://auth.turnkey.com) is now considered deprecated for new integrations. These flows required sensitive credential bundles to be delivered via email or OAuth and injected into a sandboxed iframe — a pattern with limited persistence and higher complexity.
Developers are encouraged to migrate to indexedDbClient() for:
Existing iframe use cases like Email Recovery, Wallet Import, and Wallet Export are still supported but should be isolated from authentication logic.
FAQs
JavaScript Browser SDK
The npm package @turnkey/sdk-browser receives a total of 78,488 weekly downloads. As such, @turnkey/sdk-browser popularity was classified as popular.
We found that @turnkey/sdk-browser demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
/Research
Socket found a Rust typosquat (finch-rust) that loads sha-rust to steal credentials, using impersonation and an unpinned dependency to auto-deliver updates.
Research
/Security Fundamentals
A pair of typosquatted Go packages posing as Google’s UUID library quietly turn helper functions into encrypted exfiltration channels to a paste site, putting developer and CI data at risk.
Security News
November CVE publications fell 25% YoY even as 2025 totals rose, showing how a few major CNAs can swing “global” counts and skew perceived risk.