Kevo Docs

Introduction

Kevo is an embedded wallet infrastructure platform. It lets you add EVM and Solana wallets to your app in minutes, with social logins, no seed phrases, and a server-backed signing architecture designed for seamless multi-device usage.

What is Kevo?

Kevo gives every user in your application a secure embedded wallet without requiring them to manage seed phrases or browser extensions. Users sign in with email, Google, X, or Apple, and Kevo provisions their wallet instantly. When social providers return profile metadata, Kevo exposes it through the SDK for app UI and account badges.

Under the hood, Kevo uses an authenticated server-backed signer with isolated signing boundaries. Your app never handles key material directly, and wallet actions are gated by the user's active session, project configuration, and optional policy controls such as delegations or gas sponsorship limits.

Architecture

SDK & React Library

A TypeScript SDK (@kevo-ws/sdk) with a pre-built React modal, hooks, and a KevoClient for direct API access. Handles auth flows, session restoration, wallet operations, and iframe coordination.

API Server

A Fastify REST API that handles authentication, session issuance, wallet provisioning, sponsorship, exports, and server-side policy enforcement.

Signing Boundary

A dedicated TEE-isolated signing service accessed through an internal boundary. It handles wallet provisioning, signing, export, and key-operation isolation separately from the public API.

Signing Iframe

A sandboxed iframe that owns the wallet UX boundary: secure confirmations, export flows, and isolated browser-side state. The parent page never receives key material.

Supported Chains

EVM (Embedded EOA)

Ethereum, Polygon, Arbitrum, Optimism, Base, BNB Chain, and any EVM-compatible network.

Solana (Embedded Wallet)

Solana mainnet and devnet, plus external wallet sign-in flows like Phantom, Solflare, and Backpack.

Auth Methods

Email OTP

Passwordless sign-in via one-time code sent to email.

Google

OAuth 2.0 sign-in with email, name, and picture when available.

X (Twitter)

OAuth sign-in via X with username, name, and profile image when available.

Apple

Sign in with Apple with email/name when Apple includes them.

Passkey

Device-native passkey sign-in on supported browsers.

EVM Wallet

Connect MetaMask, Rabby, Coinbase, or any EIP-1193 wallet.

Solana Wallet

Connect Phantom, Solflare, or Backpack via challenge-sign.
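
The challenge-sign login mentioned for Solana wallets, sketched as a generic server-side check. This is an added example, not Kevo's code or API. The function names, message format, 5-minute lifetime, in-memory store, and hex-encoded address (real Solana addresses are base58) are all assumptions made for illustration.

```javascript
// Added illustration of a generic challenge-sign login; not Kevo's implementation.
const nodeCrypto = require('node:crypto');

const CHALLENGE_TTL_MS = 5 * 60 * 1000; // assumed challenge lifetime
const ED25519_SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');
const pending = new Map(); // nonce -> { addressHex, message, expiresAt }

// Step 1: the server issues a one-time message bound to the app origin and wallet.
function issueChallenge(addressHex, origin, now = Date.now()) {
  const nonce = nodeCrypto.randomBytes(16).toString('hex');
  const message = `${origin} wants you to sign in with ${addressHex}\nNonce: ${nonce}`;
  pending.set(nonce, { addressHex, message, expiresAt: now + CHALLENGE_TTL_MS });
  return { nonce, message };
}

// Step 2: the server verifies the wallet's signature over exactly that message.
function verifyChallenge(nonce, addressHex, signature, now = Date.now()) {
  const entry = pending.get(nonce);
  pending.delete(nonce); // single use: consumed even when verification fails
  if (!entry) return 'unknown-or-replayed';
  if (now > entry.expiresAt) return 'expired';
  if (entry.addressHex !== addressHex) return 'address-mismatch';
  const raw = Buffer.from(addressHex, 'hex');
  if (raw.length !== 32) return 'bad-address';
  const publicKey = nodeCrypto.createPublicKey({
    key: Buffer.concat([ED25519_SPKI_PREFIX, raw]), // wrap raw key as SPKI DER
    format: 'der', type: 'spki',
  });
  return nodeCrypto.verify(null, Buffer.from(entry.message), publicKey, signature)
    ? 'ok' : 'bad-signature';
}

// Constructed Ed25519 wallet standing in for Phantom, Solflare, or Backpack.
function makeTestWallet() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const addressHex = publicKey.export({ format: 'der', type: 'spki' }).subarray(12).toString('hex');
  return { addressHex, sign: (msg) => nodeCrypto.sign(null, Buffer.from(msg), privateKey) };
}
```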

Key Properties

Seamless on new devices: Users can log in on a new device and continue using their embedded wallet without first restoring a local key share.

No seed phrases: Users never see or manage seed phrases during normal app use. Export remains opt-in and gated behind verification.

Profile-aware UI: The SDK exposes social name, username, and avatar when available, with a deterministic wallet-avatar fallback.

Email linking: Users who sign in with providers that do not expose email can link an email by OTP before private key export.

Session-based: JWTs with short-lived access tokens (15 min) and HttpOnly refresh tokens (7 days).

Isolated signing UX: Sensitive prompts and export flows happen inside a cross-origin iframe. The parent page never touches key material.

Per-project isolation: Users, wallets, and sessions are scoped to your project ID. No cross-project data access.

Server-backed controls: Gas sponsorship, delegations, exports, and admin flows are enforced server-side with project-level policy controls.

Installation

```bash
npm install @kevo-ws/sdk
# or
pnpm add @kevo-ws/sdk
```

The React hooks and modal are bundled inside @kevo-ws/sdk, so no separate package is needed.