Skip to main content

How Web3Auth Works?

Web3Auth operates as a wallet infrastructure, providing enhanced flexibility and security for decentralized applications (dApps) and blockchain wallets. Throughout this documentation, we'll explore the functionality of Web3Auth, showcasing how it produces unique cryptographic key providers for each user and application.

High-Level Architecture

The Web3Auth SDK lives solely on the user/application’s front-end client and handles the interactions between OAuth providers and the Auth Network.

The diagram below describes the relationship between the Web3Auth SDKs and integrating applications. It also depicts the difference between the products Web3Auth offers, to enable a developer-friendly integration of this infrastructure.

This diagram describes the relationship between the Web3Auth SDK and integrating application

Plug and Play SDKs

A Web3Auth Plug and Play integration process is designed to be developer-friendly, requiring only the initialization of the Web3Auth SDKs and the set up of necessary configurations. Once integrated into your application, the SDK facilitates the embedding of the login function. This allows developers to utilize the SDK to authenticate users by invoking the connect function, which can be activated via a login button or any user-triggered event.

Once the user starts the process:

  1. User is redirected to our portal (
  2. Our portal,, then handles the initial process of login
  3. The user is redirected to the login/OAuth provider and carries out the authentication process concerning their auth provider
  4. The user is redirected back to our portal, which then handles the reconstruction of the user’s key
  5. Finally, once the user is successfully authenticated, they are redirected back to the application, with a derived key specific to the application/wallet
Here's a diagram showing this process:
Image working

Core Kit SDKs

The Core Kit SDKs serve as the backbone of the Web3Auth Plug n Play (PnP) SDKs. They form the essence of the Web3Auth infrastructure and allow for direct usage within decentralized applications (dApps) to foster deeper integration. They are further divided into two types of SDKs:

  1. Single Factor Auth SDKs
  2. Multi-Factor SDKs, like tKey SDK

Single Factor Auth SDKs

These SDKs allow for the integration of a single factor of authentication, such as social login, into your dApp. They are designed to be simple to use and can be integrated into your dApp with minimal effort, allowing you to directly use the Web3Auth Network for Wallet Management. This is one of the most common use cases of Web3Auth, however, it is semi-custodial in nature, since the key is custodial to the Auth Provider and the Web3Auth Network.

Single Factor Auth SDK Infrastructure

Multi-Factor Auth SDKs

An integral part of this infrastructure is the tKey SDK, the foundational SDK utilized for the implementation of Web3Auth PnP and Core-Kit.

'tKey' is an abbreviation for Threshold Key, which is responsible for the management of wallet shares produced using threshold cryptography. The tKey SDK manages wallets by generating shares via Shamir's Secret Sharing scheme.

In a typical 2 out of 3 (2/3) setup, the user is provided with three shares: ShareA, ShareB, and ShareC.

  • ShareA is managed and divided across Web3Auth's Auth Network and can be accessed through an OAuth login provider owned by the user, like their Google account.
  • ShareB is stored on the user's device. The method of storage is specific to the device and system. For instance, on mobile devices, the share could be stored in device storage that's secured with biometrics.
  • ShareC serves as a recovery share. It's an extra share that the user can keep on a separate device, download, or base on user input with sufficient entropy. This could include a password, security questions, or a hardware device, among other options.
Web3Auth's Private Key - Key Reconstruction

Like existing 2FA systems, users must prove ownership of at least 2 out of 3 (2/3) shares to retrieve their private key.


With the Web3Auth infrastructure, your key is divided into multiple parts and stored across your devices and our Auth Network. This ensures that your key is always available and never stored in a single place. While in the traditional Web3Auth SDK, your key was dynamically reconstructed in the front end using threshold signatures.

With the new Web3Auth MPC (Multi-Party Computation) architecture, it is never reconstructed. Instead, these partial keys are stored across different locations, and your device is used to make partial signatures for your message/ transaction. These are finally returned to the front end where using TSS (Threshold Signature Scheme), these signatures are combined to make a final signature. You can use this finally signed message/transaction to make a transaction on the blockchain.

The Threshold Signature Scheme (TSS) is a cryptographic primitive for distributed key generation and signing. The use of TSS in Web3Auth's Auth network is a new paradigm that can provide numerous benefits, especially in terms of security.

Showing How Web3Auth Key Generation works

As you can notice in this diagram above, the final output for the right side TSS architecture are the signatures that can be used to make transactions on the blockchain.

Web3Auth Wallet Management Infrastructure

Web3Auth's Wallet Management Infrastructure enhances security by distributing a user's wallet across various key shares, thereby avoiding direct exposure of seed phrases. These key shares form a 'web of trust' and enable wallet management akin to multi-factor account handling. Users employ OAuth logins, trusted devices, and other factors to manage their cryptographic key pairs. Importantly, the complete private keys are not stored anywhere within the Wallet Infrastructure system, including our databases or any participating nodes.

To create a social login share, users interact with the Web3Auth Auth Network, where key generation operates via a 5/9 consensus system. This setup guarantees that wallets remain non-custodial, ensuring that neither Web3Auth, Social Login Providers, nor any other party holding a key share can claim full ownership.

managing wallets

For managing wallets, our infrastructure uses various cryptographic techniques such as Shamir's Secret Sharing, Threshold Cryptography, and Multi Party Computation. To learn more about how we manage wallets, please refer to our Wallet Management and Security of our Infrastructure.