Before this: read the Agent Wallets overview, install
@dynamic-labs-wallet/node, and configure third-party auth for your environment in the dashboard (issuer, JWKS URL, audience). Bring Your Own Auth is an enterprise feature.Generate a session key pair
generateSessionKeyPair returns a P-256 key pair: publicKeyHex (33-byte compressed public key, lowercase hex) and privateKeyJwk (the private key as a JWK). The SDK stores nothing — you persist the JWK in your secrets vault.
Sign in with externalJwt.signIn
createAuthClient performs Dynamic sign-in flows headlessly — the server-side counterpart to the JS client SDK’s sign-in. It holds configuration only: no secrets, no persistence. Obtaining the external JWT is your application’s job: the SDK never mints or verifies it — you supply it, it is used once for the exchange, and it is never persisted or logged. Dynamic verifies it server-side against the environment’s configured issuer, JWKS URL, and audience.
sub claim in your issuer’s JWTs is a distinct Dynamic user with its own wallets, so keep an agent’s subject stable across runs to keep operating the same user’s wallets — and give each agent its own subject to keep their wallets separate. Re-authentication at the refresh limit is another exchange with a fresh JWT from your issuer — programmatic if your issuer mints programmatically, so no human is required. This also keeps each agent’s lifecycle in your hands: an agent your issuer stops minting JWTs for cannot sign in again once its current session can no longer be refreshed.
Sign-in resolves to { jwt, expiresAt, userId }. externalJwt.signIn throws before any network call when jwt is blank. Sign-in fails with a descriptive error when the external JWT’s signature or claims fail verification, when the environment does not have third-party auth configured (the server responds 422 with This feature is not enabled), when the account requires MFA (the headless client does not support MFA), or when the environment uses cookie-based auth (the response carries no JWT in the body).