.png)
Verifiable Policy Decisions proves your policies were evaluated correctly and that signing and access decisions ran in isolated, secure enclaves, ensuring every activity was authorized exactly as intended. It’s another foundational step toward end-to-end verifiability across all your critical workflows.
Today, most wallet infrastructure relies on implicit trust and user vigilance to mitigate any mishaps. But as crypto use cases expand, even small lapses such as over-approving a contract or sending funds to the wrong address, can quickly lead to irreversible losses for users.
Developers need greater visibility and control over how activities like wallet creation, signing operations, and user management are handled. Turnkey’s policy engine governs how each of these activities is authorized based on defined, granular policies. Well-designed policies at the signing layer enforce strict rules like: who can authorize transfers, which contracts can be called, and the maximum value that can move in a single request.
Building policies reduces reliance on user vigilance, but these policies alone aren’t enough. Turnkey’s approach removes blind trust from security by ensuring every workflow is verifiable. With Verifiable Policy Decisions developers can be confident that sensitive actions are governed exactly as intended.
How Turnkey’s policy engine works
Before any signature is produced, activities like signing and access are managed based on the policies created. With Turnkey’s policy engine, you can enforce detailed, chain-specific rules, set complex conditions like spending limits or multi-party approvals, and ensure every policy executes exactly as intended. This type of fine-grained control is critical for teams that need a way to automatically govern high volumes or sensitive activities across their wallets.
Here are some examples of the types of policies developers can build:
- Allow a specific user to sign with only passkeys (example)
{
"policyName": "Allow signing with only passkeys",
"effect": "EFFECT_ALLOW",
"consensus": "credentials.any(credential, credential.type == 'CREDENTIAL_TYPE_WEBAUTHN_AUTHENTICATOR')",
"condition": "activity.type == 'ACTIVITY_TYPE_SIGN_TRANSACTION_V2'"
}
- 2 of 3 specific users can create a new policy (example)
{
"policyName": "Require two users with user_tag <USER_TAG_ID> to create policies",
"effect": "EFFECT_ALLOW",
"consensus": "approvers.filter(user, user.tags.contains('<USER_TAG_ID>')).count() >= 2",
"condition": "activity.resource == 'POLICY' && activity.action == 'CREATE'"
}
- Only allow passkey credentials to sign transactions (block SMS, OTP, or other methods) (example)
{
"policyName": "Allow signing with only passkeys",
"effect": "EFFECT_ALLOW",
"consensus": "credentials.any(credential, credential.public_key == '<YOUR_CREDENTIAL_PUBLIC_KEY>')",
"condition": "activity.type == 'ACTIVITY_TYPE_SIGN_TRANSACTION_V2'"
}
Using Turnkey’s policy engine, our customers have found novel ways to automate all activities, from allowing users with a specific tag to mint cryptocurrencies to orchestrating multiple policies for minting, burning, and transferring stablecoins.
Turnkey's support for Programmable Key Management (PKM) meant Preston's team could define and enforce bespoke policies entirely through JSON code rather than writing rigid policy logic directly into the application layer. - Axiom case study
As developers build policies that automatically govern all critical activities from user management to signing operations, having cryptographic proof that your policy decisions have been evaluated in isolated, secure enclaves becomes increasingly important as usage grows.
What this means for developers
- Provable policy decisions
Developers need verifiability, trust is not enough. Verify that all policy engine decisions run inside secure, isolated enclaves, free from external interference.
- Reproducible verification
Confirm activities are processed by our policy engine through independently verifiable hashes.
- Effortless proof
Instantly turn on verifiable proofs across activities, with one line of code.
Expanding verifiable assurances
Verifiable Policy Decisions extends Turnkey’s existing work in building provable, auditable workflows. We recently crossed major milestones, adding measurable confidence for developers:
- Verifiable wallet creation (Live): The world's first visible proof that secure application binaries run inside legitimate isolated enclaves during wallet creation.
- Turnkey Verifiable Cloud (Beta): Extends provable security beyond wallet creation to sensitive computations themselves.
- Major customer adoption: Early adopters, like Anchorage, have already deployed Turnkey Verifiable Cloud in production.
Verifiable Policy Decisions builds on this foundation by providing verifiable proof that policy engine decisions are processed in isolated, secure enclaves.
Turnkey plans to expand verifiable proofs to additional parts of the stack, allowing developers to independently verify all critical operations from kernel to dependencies.
Verifiability for every critical workflowWith this launch, developers gain confidence that their policy decisions, along with wallet creation and other sensitive workflows, execute exactly as intended. Developers can opt-in to produce these verifiable proofs for all Turnkey activities.
By combining enclave execution, reproducible builds, and cryptographic verification, Turnkey is leading the way for provable, auditable operations in crypto infrastructure.
Check out our docs to start verifying policy decisions.
Related articles
