- A human — the agent signs them in with email OTP (the human relays the code) or a wallet signature (the human signs the sign-in message with their own wallet), then acts on their behalf.
- The agent itself — the agent authenticates with an agent signing token: a secp256k1 private key that the agent holds, which serves as its identity. It signs in programmatically and mints its own JWT — no human in the loop, including at re-authentication time.
- API token (
authenticateApiToken) — your server-level credential. Wallets belong to your developer account. See the Node SDK Quickstart. - Delegated access (
createDelegatedEvmWalletClient) — the user approves delegation in your client app and Dynamic sends credentials to your webhook. See Delegated Access for EVM Wallets. - Agent wallets (
authenticateJwt) — the agent completes a Dynamic sign-in directly (email OTP or Sign-In With Ethereum), receives a user JWT, and acts as that user. No browser required, and with an agent signing token, no human required.
Before you start: Node.js 18+, a Dynamic environment ID from the Dynamic Dashboard, embedded wallets enabled for your environment, and the auth methods your agent signs in with (email, external wallet) enabled in the dashboard. Install
@dynamic-labs-wallet/node version 1.0.62 or later (auth client and session-key helpers) alongside your chain package, for example @dynamic-labs-wallet/node-evm.DynamicSvmWalletClient, DynamicBtcWalletClient, and DynamicTonWalletClient inherit the same authentication methods.
How the flow works
- Generate a session key pair. The public key travels; the private key stays in your custody.
- Sign in — with email OTP (human user) or a private key (human user or autonomous agent) — and pass the session public key, which binds it into the minted JWT.
- Use agent wallets: call
authenticateJwtwith the JWT and agetSessionSignaturecallback, then create wallets and sign withbackUpToDynamic: true. The SDK attaches a signed-session proof to backup and recovery calls automatically. - Refresh the JWT with
refreshAuthTokenfor long-running sessions, and sign in again when the refresh limit is reached.