Skip to main content

Function Signature

generateSessionKeyPair(): Promise<{
  publicKeyHex: string;
  privateKeyJwk: JsonWebKey;
}>
Exported from @dynamic-labs-wallet/node.

Description

Generates a P-256 (ECDSA) session key pair for the signed-session flow. Pass publicKeyHex at sign-in (the sessionPublicKey parameter of verifyOtp, wallet.signIn, or wallet.verify) to bind the session key into the minted JWT, and use privateKeyJwk with signSessionMessage to implement getSessionSignature. Stateless and custody-agnostic: the SDK does not persist the key. You store privateKeyJwk wherever you keep secrets. The returned JWK is extractable (so it can be handed back to you) and is therefore a convenience path, not a security boundary. If you need a non-extractable key — so a host or operator cannot exfiltrate it — do not use this function: generate the key in a KMS, HSM, or enclave, pass its compressed public key hex at sign-in, and supply a getSessionSignature that signs there.

Parameters

None.

Returns

  • publicKeyHex (string) - The public key as 33-byte compressed SEC1, lowercase hex.
  • privateKeyJwk (JsonWebKey) - The private key as a JWK. Store it in your secrets vault; never log it.

Example

import { generateSessionKeyPair } from '@dynamic-labs-wallet/node';

const { publicKeyHex, privateKeyJwk } = await generateSessionKeyPair();

// Bind the public key into the JWT at sign-in:
const { jwt } = await auth.email.verifyOtp({
  verificationUUID,
  code,
  sessionPublicKey: publicKeyHex,
});
Last modified on July 9, 2026