By transforming static key usage rules into dynamic code-driven policies, programmable key management (PKM) is ushering in a new era of seamless, secure, and automated wallet experiences.
From custom access controls to session-based signing, developers can define exactly how and when keys are used all the while keeping keys securely isolated. Through policy controls, keys can be restricted to signing specific types of transactions, rejecting unauthorized requests, or requiring multi-party approvals.
But PKM can seem daunting, especially given its recent development within the still-evolving crypto space. In this article, you'll learn what PKM is, how it differs from traditional key management systems, and discover the ways organizations are leveraging it to ship next-gen wallet experiences at scale.
What is programmable key management?
Programmable key management gives technical teams the ability to define and enforce policies that control when and how a key is used directly at the infrastructure layer.
Because these policies are written as code, they are automatically enforced whenever an onchain action is initiated.
For instance, say a user executes a transaction signing request on a DeFi app. When the request hits an API, the app’s policy engine automatically evaluates it in real time, checking conditions such as who initiated the request, what the transaction is doing, and whether predefined limits are being met. If all conditions are met, the transaction is executed. That’s PKM in a nutshell.
PKM represents a major shift from traditional key management models. Rather than writing policy logic into the application layer or using smart contracts, technical teams can now enforce signing controls within the key management system itself.
We can break PKM down into three core components:
1. Policy engines
Technical teams write policies in code that specify what onchain actions are permitted, and under what conditions. These can range from simple spending limits to multi-step, conditionally triggered workflows.
2. Composable primitives
Users, wallets, and authenticators are treated as modular resources. This enables technical teams to configure access in flexible ways, from multi-user wallets to temporary guest permissions. That composability helps them alter complex permission hierarchies without having to rebuild app logic, so organizations can ship faster, more secure wallet experiences.
3. Trusted execution environments
Some of the best applications of programmable key management use trusted execution environments (TEEs). Keys held within TEEs are never exposed to the application layer or middleware. TEEs are a secure, isolated area of a processor that runs code and processes data separately from the main operating system to protect it from tampering or unauthorized access. This ensures a combination of performance, security, and auditability in a single system.
How PKM differs from traditional key management
Traditional key management systems tend to be static and rigid. Permissions are hardcoded, signing logic lives in the application layer, and observability is minimal. Scaling these systems while maintaining flexibility and security often requires extensive custom engineering.
PKM offers a more modern alternative by shifting critical enforcement responsibilities to the infrastructure itself.
Here's how:
Programmable policies
Policies are expressed in code. Teams can enforce dynamic conditions like spend limits, time delays, or multi-party approvals at the infrastructure level. This enables granular policy enforcement without modifying app logic.
Observable & auditable actions
Every signing request is logged, evaluated, and either accepted or denied according to defined policies. PKM supports full transparency by timestamping each request, identifying who initiated it, what action was attempted, and whether it passed or failed the policy check.
Swift signing operations
Traditional key management systems, especially those based on multi-party computation (MPC), often introduce latency due to distributed coordination. PKM systems that leverage secure enclaves can perform signing operations under 100ms, making them suitable for real-time use cases like automated trading and play-to-earn gaming.
Infrastructure-native enforcement
Instead of relying on smart contracts or external app logic to control onchain actions, PKM evaluates policy directly where the key lives at the infrastructure layer. This reduces complexity by removing the need to replicate signing controls across every app, and it helps mitigate risks like key leakage, inconsistent enforcement, or faulty business logic.
How organizations are leveraging programmable key management
Naturally, as technical teams gain the ability to define and enforce policies across onchain actions, that innovation translates to more intuitive wallet experiences.
From session-based signing to AI agents, here's how organizations are leveraging PKM:
Embedded wallets with flexible control models
With PKM, organizations can provision embedded wallets dynamically while enforcing contextual rules at the key level. For example, their developers can specify whether a given action requires one authenticator, two approvals, or time-based gating, all without adding new code to the app itself.
At Mural Pay, for instance, wallets are generated at onboarding and treated as EOAs through passkey-based authentication. Behind the scenes, programmable policies determine how and when each wallet can sign transactions.
This approach empowers Mural Pay to maintain strong access control while delivering a UX that mirrors web2 flows. Users don’t manage keys, but Mural Pay retains full control over who can use them and how.
AI agents with defined autonomy
One of the most innovative use cases of PKM is the powering of AI agents that can execute transactions, balance portfolios, and analyze market data on behalf of users. AI agents not only automate the most cumbersome onchain actions, but also enable crypto newcomers to overcome the initial web3 learning curve.
Naturally, AI agents require strict guardrails to ensure automated actions align with user intent, which is where PKM comes into play.
For example, when Spectral Labs built its SYNTAX app, its technical team used PKM to ensure agent wallets operate within tightly scoped sessions. An agent might have permission to swap up to $500 worth of stablecoins within 10 minutes, but would trigger policy failure if it attempted to send tokens to an unapproved address or outside a set time window.
This system offers Spectral’s team a way to automate onchain actions while preserving cryptographic security and auditability, something that traditional KMS solutions, with limited real-time logic, can't easily support.
Tiered permissions and delegated access
PKM empowers technical teams to encode tiered access models directly into the key infrastructure. That means low-risk actions, like minting or staking, can execute with lightweight approvals, while high-risk actions such as fund withdrawals require a quorum.
By shifting this logic from the application layer into the infrastructure itself, web3 teams can reduce development complexity and improve response time while ensuring internal controls still govern critical operations. The result is a workflow that adapts to operational risk without slowing onchain actions.
Conditional and session-based transactions
Many blockchain apps, especially in gaming and DeFi, depend on pre-approved transactions that execute based on user-defined conditions. But enforcing those limits through smart contracts or frontend logic often adds fragility.
With PKM, technical teams can define session-based rules that permit certain transaction types, values, or actions, but only for a set duration or within a specific scope. This not only streamlines transaction flows, but also reduces signing fatigue on the user end.
Parallel Studios used this model to build Wayfinder, a system that powers in-game and financial transactions via AI agents. Users authenticate once to initiate a session, and the agent can then perform continuous actions like claiming rewards or swapping items but only within tightly scoped parameters and timeframes.
Because all session logic lives in the policy engine, the app doesn’t need to rebuild signing flows for every new feature or condition. This approach helped Parallel onboard over 550,000 wallets, showing how infrastructure-level control supports both scalability and security.
How to ship PKM-powered wallet experiences with Turnkey
Turnkey’s wallet infrastructure is purpose-built for technical teams aiming to ship PKM-powered wallet experiences without friction. Unlike Wallet-as-a-Service (WaaS) providers that lock developers into rigid defaults, Turnkey offers full control over how keys are created, accessed, and used across your organization.
Here’s how:
Secure embedded wallets
With Turnkey, your technical teams can programmatically create millions of wallets, each governed by segment-specific policies. For instance, one wallet group can be limited to read-only access, while another may require multi-party approval for high-risk transactions — all enforced directly at the infrastructure level, without application-layer complexity.
Robust policy engine
Write real-time policies that define exactly what operations are allowed and under what conditions. For instance, you may want to implement a “spend limit of $1,000/day,” or “require 2-of-3 signatures for withdrawals.” Full audit logs and session tracing also ensure policy decisions are observable, enforceable, and secure.
Composable low-level primitives
With Turnkey, wallets, users, and authenticators are treated as independent, modular resources.
This enables your technical teams to define granular access rules: assigning temporary or shared roles, modeling complex internal hierarchies, or mirroring team structures like Admin, Developer, or Super Admin — all without modifying core app logic.
This composability accelerates integration and reduces long-term complexity by eliminating duplicative permission logic in the app layer.
Secure enclave-based signing
All key material remains protected within Turnkey’s secure enclaves, isolated from both app code and vendor systems. This structure combines hardware-level protection with low-latency performance.
For latency sensitive environments, such as onchain trading platforms or in-game blockchain interactions, this can directly affect UX and execution outcomes by enabling secure, real-time signing.
Flexible authentication and recovery
Turnkey supports passkeys, email-based logins, and session tokens, making it easier to build authentication flows for onboarding web2 users.
Your technical teams can add limited-scope users to wallets for delegated roles or social recovery, enable session-level authorization, or define authenticator groups tied to specific actions, all with fine-grained policy control.
Transform key management into your competitive advantage
PKM isn’t just a backend upgrade. It’s the foundation for building secure, scalable, and production-ready onchain experiences. And the first step to shipping those experiences is partnering with a proven wallet infrastructure provider.
Whether you're building a DeFi app, spinning up embedded wallets, or enabling AI agents with signing authority, Turnkey helps you ship high-performance, programmable experiences, at scale.
Get started with Turnkey today.
Related articles
