Skip to main content
Method on the externalJwt flow of a createAuthClient client. signIn exchanges a JWT signed by the environment’s configured external issuer (Bring Your Own Auth) for a Dynamic user JWT. The environment must have third-party auth configured in the dashboard (issuer, JWKS URL, audience); Bring Your Own Auth is an enterprise feature. The SDK never mints or verifies the external JWT — you supply it, it is used once for the exchange, and it is never persisted or logged. Dynamic verifies it server-side against the environment’s configuration. See Sign In with an External JWT for the agent flow.

signIn

Function Signature

Parameters

  • jwt (string) - A JWT signed by the environment’s configured external issuer, with at least iss, sub, and exp claims. Each distinct sub is a distinct Dynamic user with its own wallets. Used once for the exchange — never persist or log it.
  • sessionPublicKey (string, optional) - Compressed P-256 public key hex from generateSessionKeyPair. Binds the session key into the minted JWT — required if you will use a session signer with authenticateJwt for backUpToDynamic flows.

Returns

  • Promise<AuthResult> - { jwt, expiresAt, userId }. Pass jwt to authenticateJwt; never log it.

Example

Error Handling

A blank jwt throws "externalJwt.signIn requires a jwt" before any network call.
Sign-in endpoints are rate limited per IP address (429 when exceeded) — see Rate Limit Policies.
Last modified on July 17, 2026