{"id":31278981,"url":"https://github.com/MetaMask/tkey","last_synced_at":"2025-09-24T01:09:40.990Z","repository":{"id":38987777,"uuid":"288894736","full_name":"MetaMask/tkey","owner":"MetaMask","description":"Whitelabel, design and own the full UI/UX with Self-host Web3Auth (tKey). All of the power of threshold key management at your fingertips","archived":false,"fork":false,"pushed_at":"2025-06-06T08:48:40.000Z","size":27153,"stargazers_count":179,"open_issues_count":27,"forks_count":50,"subscribers_count":9,"default_branch":"master","last_synced_at":"2025-09-23T03:02:03.388Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MetaMask.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":null,"patreon":null,"open_collective":"metamask","ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"custom":null}},"created_at":"2020-08-20T03:16:17.000Z","updated_at":"2025-09-05T12:41:25.000Z","dependencies_parsed_at":"2024-01-11T05:30:30.903Z","dependency_job_id":"695eaaaf-7433-4ed2-bc36-59589e6aa89c","html_url":"https://github.com/MetaMask/tkey","commit_stats":{"total_commits":1053,"total_committers":24,"mean_commits":43.875,"dds":0.6828110161443495,"last_synced_commit":"654beb4640145b80b2c8d615968a480698e06d61"},"previous_names":["tkey/tkey"],"tags_count":128,"template":false,"template_full_name":null,"purl":"pkg:github/MetaMask/tkey","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MetaMask%2Ftkey","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MetaMask%2Ftkey/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MetaMask%2Ftkey/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MetaMask%2Ftkey/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MetaMask","download_url":"https://codeload.github.com/MetaMask/tkey/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MetaMask%2Ftkey/sbom","scorecard":{"id":888886,"data":{"date":"2025-08-11","repo":{"name":"github.com/tkey/tkey","commit":"a5e740eea4140322fc950878f09d8974b4b3761a"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.9,"checks":[{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":5,"reason":"Found 4/7 approved changesets -- score normalized to 5","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Security-Policy","score":4,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Warn: no linked content found","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Pinned-Dependencies","score":3,"reason":"dependency not pinned by hash detected -- score normalized to 3","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/backward.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/tkey/tkey/backward.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/backward.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/tkey/tkey/backward.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/backward.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/tkey/tkey/backward.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/browserTests.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/tkey/tkey/browserTests.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/browserTests.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/tkey/tkey/browserTests.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/buildMocks.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/tkey/tkey/buildMocks.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/buildMocks.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/tkey/tkey/buildMocks.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/buildMocks.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/tkey/tkey/buildMocks.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/buildMocks.yml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/tkey/tkey/buildMocks.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/tkey/tkey/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/tkey/tkey/ci.yml/master?enable=pin","Warn: npmCommand not pinned by hash: .github/workflows/backward.yml:57","Warn: npmCommand not pinned by hash: .github/workflows/backward.yml:62","Warn: npmCommand not pinned by hash: .github/workflows/buildMocks.yml:49","Warn: npmCommand not pinned by hash: .github/workflows/buildMocks.yml:54","Info: 0 out of 10 GitHub-owned GitHubAction dependencies pinned","Info: 0 out of 1 third-party GitHubAction dependencies pinned","Info: 4 out of 8 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/backward.yml:1","Warn: no topLevel permission defined: .github/workflows/browserTests.yml:1","Warn: no topLevel permission defined: .github/workflows/buildMocks.yml:1","Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 27 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":2,"reason":"8 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-xffm-g5w8-qvg7","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-fjxv-7rqg-78g4","Warn: Project is vulnerable to: GHSA-h7cp-r72f-jxh6","Warn: Project is vulnerable to: GHSA-v62p-rq8g-8h59","Warn: Project is vulnerable to: GHSA-52f5-9888-hmc6","Warn: Project is vulnerable to: GHSA-cxrh-j4jr-qwg3"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-24T11:00:42.037Z","repository_id":38987777,"created_at":"2025-08-24T11:00:42.037Z","updated_at":"2025-08-24T11:00:42.037Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":276662397,"owners_count":25682029,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-23T02:00:09.130Z","response_time":73,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-09-24T01:02:37.624Z","updated_at":"2025-09-24T01:09:40.973Z","avatar_url":"https://github.com/MetaMask.png","language":"TypeScript","readme":"# tKey\n\n[![lerna](https://img.shields.io/badge/maintained%20with-lerna-cc00ff.svg)](https://lerna.js.org/)\n[![code style: prettier](https://img.shields.io/badge/code_style-prettier-ff69b4.svg?style=flat-square)](https://github.com/prettier/prettier)\n![npm](https://img.shields.io/npm/dw/@tkey/core)\n\ntKey is the underlying SDK used to implement [Web3Auth Plug n Play](https://github.com/web3auth/web3auth). This package can also be used to self host Web3Auth in your own system. tKey stands for Threshold Key, which refers to the management keys \u0026 shares generated using threshold cryptography.\n\n## The `tKey` SDK\n\nThe `tKey` SDK manages private keys by generating shares of it using Shamir Secret Sharing. For example, for a 2 out of 3 (2/3) setup, we give the\nuser three shares: ShareA, ShareB, and ShareC.\n\n- **ShareA** is stored on the user’s device: Implementation is device and system specific. For example, on mobile devices, the share could be stored\n in device storage secured via biometrics.\n- **ShareB** is managed and split across Web3Auth's Auth Network, accessed by an OAuth login provider that a user owns.\n- **ShareC** is a recovery share: An extra share to be kept by the user, possibly kept on a separate device, downloaded or based on user input with\n enough entropy (eg. password, security questions, hardware device etc.).\n\nSimilar to existing 2FA systems, a user needs to prove ownership of at least 2 out of 3 (2/3) shares, in order to retrieve his private key.\n\nFor more information, check out the [technical overview](https://hackmd.io/Tej2tf83SZOxZmz70ObEpg). Before integrating you can also check out the example for [tKey](https://github.com/tkey/tkey-example).\n\n### To use the SDK in your application, please refer to our [SDK Reference](https://web3auth.io/docs/sdk/self-host/installation) in Web3Auth Documentation\n\n## Features\n\n- Typescript compatible. Includes Type definitions\n- Fully composable API\n- Module support (Include only those modules which you require)\n- [Audited](https://github.com/tkey/audit)\n\n## Packages\n\n| Packages | `@latest` Version | Size | Description |\n| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- |\n| πŸ‰ **tKey Standard Package** |\n| `@tkey/default` | [![npm version](https://img.shields.io/npm/v/@tkey/default?label=%22%22)](https://www.npmjs.com/package/@tkey/default/v/latest) | [![minzip](https://img.shields.io/bundlephobia/minzip/@tkey/default?label=%22%22)](https://bundlephobia.com/result?p=@tkey/default@latest) | Bundles `Core` and `Modules` into one importable package |\n| 🏠 **Core** |\n| `@tkey/core` | [![npm version](https://img.shields.io/npm/v/@tkey/core?label=%22%22)](https://www.npmjs.com/package/@tkey/core/v/latest) | [![minzip](https://img.shields.io/bundlephobia/minzip/@tkey/core?label=%22%22)](https://bundlephobia.com/result?p=@tkey/core@latest) | Core functionalities for creating a tkey |\n| πŸ•β€πŸ¦Ί **Service Provider** |\n| `@tkey/service-provider-torus` | [![npm version](https://img.shields.io/npm/v/@tkey/service-provider-torus?label=%22%22)](https://www.npmjs.com/package/@tkey/service-provider-torus/v/latest) | [![minzip](https://img.shields.io/bundlephobia/minzip/@tkey/service-provider-torus?label=%22%22)](https://bundlephobia.com/result?p=@tkey/service-provider-torus@latest) | `@service-provider-base` with DirectAuth functionality |\n| πŸ—³ **Storage Layer** |\n| `@tkey/storage-layer-torus` | [![npm version](https://img.shields.io/npm/v/@tkey/storage-layer-torus?label=%22%22)](https://www.npmjs.com/package/@tkey/storage-layer-torus/v/latest) | [![minzip](https://img.shields.io/bundlephobia/minzip/@tkey/storage-layer-torus?label=%22%22)](https://bundlephobia.com/result?p=@tkey/storage-layer-torus@latest) | get/set metadata for various shares |\n| πŸ”Œ **Modules** |\n| `@tkey/chrome-storage` | [![npm version](https://img.shields.io/npm/v/@tkey/chrome-storage?label=%22%22)](https://www.npmjs.com/package/@tkey/chrome-storage/v/latest) | [![minzip](https://img.shields.io/bundlephobia/minzip/@tkey/chrome-storage?label=%22%22)](https://bundlephobia.com/result?p=@tkey/chrome-storage@latest) | Add/remove a share from chrome extension storage |\n| `@tkey/web-storage` | [![npm version](https://img.shields.io/npm/v/@tkey/web-storage?label=%22%22)](https://www.npmjs.com/package/@tkey/web-storage/v/latest) | [![minzip](https://img.shields.io/bundlephobia/minzip/@tkey/web-storage?label=%22%22)](https://bundlephobia.com/result?p=@tkey/web-storage@latest) | Add/remove a share from local and file storage |\n| `@tkey/security-questions` | [![npm version](https://img.shields.io/npm/v/@tkey/security-questions?label=%22%22)](https://www.npmjs.com/package/@tkey/security-questions/v/latest) | [![minzip](https://img.shields.io/bundlephobia/minzip/@tkey/security-questions?label=%22%22)](https://bundlephobia.com/result?p=@tkey/security-questions@latest) | Add/remove a security question and password as a share for tkey |\n| `@tkey/share-transfer` | [![npm version](https://img.shields.io/npm/v/@tkey/share-transfer?label=%22%22)](https://www.npmjs.com/package/@tkey/share-transfer/v/latest) | [![minzip](https://img.shields.io/bundlephobia/minzip/@tkey/share-transfer?label=%22%22)](https://bundlephobia.com/result?p=@tkey/share-transfer@latest) | Transfer share from another device |\n| `@tkey/seed-phrase` | [![npm version](https://img.shields.io/npm/v/@tkey/seed-phrase?label=%22%22)](https://www.npmjs.com/package/@tkey/seed-phrase/v/latest) | [![minzip](https://img.shields.io/bundlephobia/minzip/@tkey/seed-phrase?label=%22%22)](https://bundlephobia.com/result?p=@tkey/seed-phrase@latest) | Store and use seedphrases on metadata |\n| `@tkey/private-keys` | [![npm version](https://img.shields.io/npm/v/@tkey/private-keys?label=%22%22)](https://www.npmjs.com/package/@tkey/private-keys/v/latest) | [![minzip](https://img.shields.io/bundlephobia/minzip/@tkey/private-keys?label=%22%22)](https://bundlephobia.com/result?p=@tkey/private-keys@latest) | Store extra private keys on tKey metadata |\n| `@tkey/share-serialization` | [![npm version](https://img.shields.io/npm/v/@tkey/share-serialization?label=%22%22)](https://www.npmjs.com/package/@tkey/share-serialization/v/latest) | [![minzip](https://img.shields.io/bundlephobia/minzip/@tkey/share-serialization?label=%22%22)](https://bundlephobia.com/result?p=@tkey/share-serialization@latest) | Import/export a share from tKey |\n| πŸ‰ **Low-Level** |\n| `@tkey/common-types` | [![npm version](https://img.shields.io/npm/v/@tkey/common-types?label=%22%22)](https://www.npmjs.com/package/@tkey/common-types/v/latest) | [![minzip](https://img.shields.io/bundlephobia/minzip/@tkey/common-types?label=%22%22)](https://bundlephobia.com/result?p=@tkey/common-types@latest) | Shared [TypeScript](https://www.typescriptlang.org/) Types |\n\n## Building the SDK Locally\n\n### Requirements\n\n- This package requires a peer dependency of `@babel/runtime`\n- Node 18+\n\n### Installation\n\n```\nnpm install\nnpm run pack:lerna\n```\n\n## Bundling\n\nEach sub package is distributed in 3 formats\n\n- `esm` build `dist/\u003cMODULE_NAME\u003e.esm.js` in es6 format\n- `commonjs` build `dist/\u003cMODULE_NAME\u003e.cjs.js` in es5 format\n- `umd` build `dist/\u003cMODULE_NAME\u003e.umd.min.js` in es5 format without polyfilling corejs minified\n\nBy default, the appropriate format is used for your specified usecase\nYou can use a different format (if you know what you're doing) by referencing the correct file\n\nThe cjs build is not polyfilled with core-js.\nIt is upto the user to polyfill based on the browserlist they target\n\n### Directly in Browser\n\nCDN's serve the non-core-js polyfilled version by default. You can use a different\n\njsdeliver\n\n```js\n\u003cscript src=\"https://cdn.jsdelivr.net/npm/\u003cMODULE_NAME\u003e\"\u003e\u003c/script\u003e\n```\n\nunpkg\n\n```js\n\u003cscript src=\"https://unpkg.com/\u003cMODULE_NAME\u003e\"\u003e\u003c/script\u003e\n```\n\n### Tips for NUXT\n\nThis is a plugin that works [only on the client side](https://nuxtjs.org/guide/plugins/#client-side-only). So please register it as a ssr-free plugin.\n","funding_links":["https://opencollective.com/metamask"],"categories":["TypeScript"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMetaMask%2Ftkey","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FMetaMask%2Ftkey","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMetaMask%2Ftkey/lists"}