> ## Documentation Index
> Fetch the complete documentation index at: https://www.dynamic.xyz/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# generateSessionKeyPair

> Generates a P-256 session key pair for the signed-session flow

## Function Signature

```typescript theme={"system"}
generateSessionKeyPair(): Promise<{
  publicKeyHex: string;
  privateKeyJwk: JsonWebKey;
}>
```

Exported from `@dynamic-labs-wallet/node`.

## Description

Generates a P-256 (ECDSA) session key pair for the signed-session flow. Pass `publicKeyHex` at sign-in (the `sessionPublicKey` parameter of [verifyOtp](/node/reference/auth/email-otp-sign-in), [wallet.signIn, or wallet.verify](/node/reference/auth/wallet-sign-in)) to bind the session key into the minted JWT, and use `privateKeyJwk` with [signSessionMessage](/node/reference/auth/sign-session-message) to implement `getSessionSignature`.

Stateless and custody-agnostic: the SDK does not persist the key. You store `privateKeyJwk` wherever you keep secrets.

The returned JWK is extractable (so it can be handed back to you) and is therefore a convenience path, not a security boundary. If you need a non-extractable key — so a host or operator cannot exfiltrate it — do not use this function: generate the key in a KMS, HSM, or enclave, pass its compressed public key hex at sign-in, and supply a `getSessionSignature` that signs there.

## Parameters

None.

## Returns

* **`publicKeyHex`** (`string`) - The public key as 33-byte compressed SEC1, lowercase hex.
* **`privateKeyJwk`** (`JsonWebKey`) - The private key as a JWK. Store it in your secrets vault; never log it.

## Example

```typescript theme={"system"}
import { generateSessionKeyPair } from '@dynamic-labs-wallet/node';

const { publicKeyHex, privateKeyJwk } = await generateSessionKeyPair();

// Bind the public key into the JWT at sign-in:
const { jwt } = await auth.email.verifyOtp({
  verificationUUID,
  code,
  sessionPublicKey: publicKeyHex,
});
```

## Related Functions

* [`signSessionMessage()`](/node/reference/auth/sign-session-message) - Sign messages with the generated JWK
* [`authenticateJwt()`](/node/reference/auth/authenticate-jwt) - Use the key pair as a session signer
* [`createAuthClient()`](/node/reference/auth/create-auth-client) - Sign-in flows that accept `sessionPublicKey`
