externalJwt flow of a createAuthClient client. signIn exchanges a JWT signed by the environment’s configured external issuer (Bring Your Own Auth) for a Dynamic user JWT.
The environment must have third-party auth configured in the dashboard (issuer, JWKS URL, audience); Bring Your Own Auth is an enterprise feature. The SDK never mints or verifies the external JWT — you supply it, it is used once for the exchange, and it is never persisted or logged. Dynamic verifies it server-side against the environment’s configuration. See Sign In with an External JWT for the agent flow.
signIn
Function Signature
Parameters
jwt(string) - A JWT signed by the environment’s configured external issuer, with at leastiss,sub, andexpclaims. Each distinctsubis a distinct Dynamic user with its own wallets. Used once for the exchange — never persist or log it.sessionPublicKey(string, optional) - Compressed P-256 public key hex from generateSessionKeyPair. Binds the session key into the minted JWT — required if you will use a session signer with authenticateJwt forbackUpToDynamicflows.
Returns
Promise<AuthResult>-{ jwt, expiresAt, userId }. PassjwttoauthenticateJwt; never log it.
Example
Error Handling
A blankjwt throws "externalJwt.signIn requires a jwt" before any network call.
Related Functions
createAuthClient()- Create the auth client- Email OTP sign-in - Email-based alternative
- Wallet sign-in - Private-key-based alternative
authenticateJwt()- Use the minted JWT