Embedded Wallet-as-a-Service (WaaS): White-labeled wallets built for scale

Embedded WaaS with Turnkey gives platforms a complete foundation for shipping white-labeled wallets: isolated user environments, configurable authentication, co-managed signing controls, and a non-custodial model.

Each end user gets a dedicated sub-organization with their own wallets, credentials, policies, and activity logs, fully segregated from other users and from the platform's management layer. The platform retains co-signing authority for billing, compliance, and risk controls. The end user retains the ability to export their wallet independently at any time.

This article covers how the architecture works, how to implement it step by step, and how teams are using it today.

Why embedding wallets is an infrastructure problem

Wallet infrastructure is where developer platforms hit a fundamental tradeoff. The deeper the integration, the more control you need over authentication, signing, and policy enforcement. But building and operating that stack yourself means taking on key management, secure storage, and recovery as core responsibilities.

Most embedded wallet approaches handle this by abstracting the wallet behind a managed service. The platform gets a simpler integration, but gives up control over how wallets are provisioned, how policies are enforced, and how users recover access. The wallet is embedded in name, but the infrastructure decisions are made by someone else.

Co-managed models introduce a different challenge. When both the platform and the end user share control over a wallet, the system needs to enforce that both parties approve fund-moving transactions. If that enforcement happens at the application layer, it can be bypassed. If it happens at the signing layer, it cannot.

For platforms building developer-facing products, these constraints compound. Every downstream developer inherits the platform's wallet architecture. If the foundation limits policy flexibility, authentication options, or custody models, those limits propagate to every integration built on top.

What Embedded WaaS delivers

Embedded WaaS must do more than provision wallets. It must define how tenants are isolated, how control is shared, how policies are enforced, and how users maintain sovereignty over their own keys.

Turnkey provides the infrastructure to support these requirements.

Dedicated user accounts

Automatically provision each user with isolated wallets, ready-to-use authentication, and configurable access controls.

Each end user's wallets, credentials, policies, and activity logs are fully isolated from other users and from the platform's management layer. Sub-organizations are self-contained data boundaries. The platform can initiate auth and recovery flows but cannot sign transactions or modify policies within a user's sub-org.

Platform controls

Define team access and permissions at the platform level, including co-signing requirements, spending limits, and recovery flows.

Platforms can withhold co-signature for billing enforcement or compliance holds at the infrastructure level. If the platform withholds approval, the transaction does not execute.

No transaction executes without the end user's authentication. End users remain in control of their keys, while platform controls allow you to manage transaction-level approvals.

White-labeled integration

Build your own SDKs, APIs, and UI components on top of Turnkey, with full control over how downstream developers integrate your product.

Turnkey's SDK is fully open source, enabling platforms to fork and customize every component, from authentication flows to wallet UI. Downstream developers never interact with Turnkey directly. Wire the wallet into your onboarding and runtime flows so every integration inherits a working embedded wallet.

The platform controls the full developer experience, with the flexibility to evolve or replace infrastructure without breaking integrations.

How to set up Embedded WaaS with Turnkey

Embedded WaaS separates tenant isolation, access control, and signing authority into distinct layers. The platform defines how control is shared between itself and each end user, with enforcement handled at the cryptographic layer.

Here is a typical implementation flow:

1. Define the tenant model and ownership boundaries

Map each end user to a Turnkey sub-organization. The standard approach is one sub-org per end user. Each sub-org is fully isolated. Wallets, policies, authenticators, and activity inside one user’s environment are completely separate from others.

Track the relationship between your platform's user IDs and their corresponding Turnkey sub-org IDs in your own database.

2. Design the sub-organization control model

Decide who has control inside each sub-org. There are two root users: the end user, authenticated with a passkey (or similar), and your platform, authenticated with an API key. Both participate in control, but the end user is always required to approve transactions. Nothing can execute without them.

3. Create a default wallet setup

Standardize what each sub-org includes: wallets, supported chains/accounts, and default policies. On creation, add both root users, create the wallet(s), and set the export policy first. The export policy ensures users can always export their keys and access funds independently, preserving a non-custodial model.

4. Build your own integration layer

Create the SDK, APIs, or UI components that downstream developers will integrate with. The goal is to abstract away Turnkey entirely and expose only your platform's intended wallet, auth, and signing flows.

5. Integrate wallets into your product flow

Make the wallet a built-in part of your user experience. Create the sub-org, set up authentication, and initialize the wallet automatically, then load it each session with streamlined approvals.

For transactions, collect user approval, run backend checks, and co-sign or reject. For recovery, allow users to export their wallet from settings, with exports encrypted to a user-controlled key so neither your platform nor Turnkey can access the data.

Embedded WaaS with Turnkey: wallets as infrastructure

Embedded WaaS with Turnkey lets platforms build wallets into their developer products without owning custody or managing key infrastructure.

Teams get dedicated user accounts, platform-level controls, and a white-labeled integration surface in a single infrastructure layer. Keys are generated and used inside secure enclaves. Transactions sign in under 100ms at scale. Authentication supports passkeys, email, SMS, and social login. Turnkey's SDK is fully open source, so platforms can fork and customize every component.

Define your wallet structures, authentication flows, and authorization rules. Turnkey handles the rest: secure key generation, policy enforcement, enclave isolation, and audit logging.

If you are ready to build embedded wallets into your platform, explore the documentation to get started.

Start building with Turnkey today.

‍