Private Key Management

Sauce considers security to be of the utmost importance. We believe that for web3 to go mainstream, users need a private key management solution that is easy to use and leaves little room for human error. Our team has spent years working at the intersection of security and user-experience.

At a high level, we have been excited about using secure enclaves to provide users with the best possible key management solution. We outline our approach here.

Private Key Management

Private keys are managed in secure enclaves by Turnkey. Turnkey are industry leaders in private key management, the founding team previously having built Coinbase Custody. A secure enclave is a trusted execution environment, which is a private, confidential computing environment that neither Sauce nor Turnkey can see into. All signing operations occur within the secure enclave and are authenticated by a user’s passkey or an API key managed by the user’s browser.

On the web, users use their passkey to authenticate a request for a time bound API key (15 minute expiry) so that subsequent trades in the same session are seamless. Passkeys are cryptographic keypairs guarded by a device’s biometric sensors (i.e. fingerprint and facial recognition). Passkeys are built on FIDO standards.

The time-bound API key is stored in the browser similar to how Hyperliquid and dYdX store user’s private keys in the browser. Our approach additionally adds the restriction that these keys are time-bound and stored in IndexedDB rather than Local Storage. These additions greatly reduce the surface area for a hack, compared to our peers.

On mobile, the user’s API key is stored in the device’s keychain and guarded by biometrics. This is the same approach that popular wallets like MetaMask, Phantom and Uniswap use.

Exporting Private Key

Requests to export the seed phrase from the secure enclave are always authenticated by the user and the seed phrase is encrypted in transit such that only the user can decrypt it. More specifically, a public/private key pair is generated on the client and then the seed phrase is encrypted with that public key in transit.

Key Recovery

In the event that a user has lost their device, they can contact us to start the key recovery flow:

• There is a 3 day waiting period to help prevent a hacker from being able to recover a user’s account through accessing their email.

• The waiting period may be expedited if the user can prove their identity for an email connected to their legal name.

• At the end of the 3 day period, we kick off the account recovery process. We email you a link where you can add a new passkey that gives you access to your account.

In the future, Sauce will provide a 2FA backup option where you’ll be able to register an security key or authenticator app to expedite the recovery process.