in-progress · Layer 1 · Protocol

OpenKey

TinyCloud's passkey/TEE-backed identity provider — it produces and custodies the owner key that roots authority, and brokers sign-in and delegation for apps.

OpenKey is the identity layer of TinyCloud: a passkey / TEE-backed provider that produces and custodies the owner key every capability chain roots in, and brokers SIWE sign-in and delegation issuance for apps. It is how a user gets a self-custodiable DID without managing raw private keys themselves.

Role

In the locked layer model OpenKey sits in Layer 1 alongside the base protocol and the policy engine — it is identity infrastructure, not an app. It supplies the root DID that chain validation terminates at, and it is the trust root for OpenCredentials (the witness issuer is an OpenKey-adjacent service).

Mechanics

OpenKey exposes an API (apps/api/src/routes/keys.ts, delegate.ts) for passkey-backed key operations and for materializing app/manifest delegations — i.e. taking a manifest's capability request and returning a signed delegation without exposing the owner key. TEE backing keeps the key material confidential (cf. tee-dstack). Sign-in surfaces as the SIWE flow the SDK drives in sign-in-flow.
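
The brokering pattern described above, sketched as an added example that is not OpenKey's code or API: a broker holds the owner key privately and returns only a signed, time-bounded delegation for a manifest's capability request. The function names, the manifest and delegation fields, the capability strings and the Ed25519/JSON encoding are all assumptions made for illustration.

```javascript
// Added illustration, not OpenKey's API: every name and field here is hypothetical.
const crypto = require('node:crypto');

// Custody boundary: the owner private key exists only inside this closure,
// standing in for key material that a TEE would keep confidential.
function createBroker({ maxTtlSeconds = 3600 } = {}) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const ownerPublicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });

  // Turn a manifest's capability request into a signed delegation.
  function materializeDelegation(manifest, now = Math.floor(Date.now() / 1000)) {
    if (typeof manifest.appDid !== 'string' || !manifest.appDid.startsWith('did:')) {
      throw new Error('manifest.appDid must be a DID');
    }
    if (!Array.isArray(manifest.capabilities) || manifest.capabilities.length === 0) {
      throw new Error('manifest must request at least one capability');
    }
    // The broker, not the app, decides the upper bound on lifetime.
    const ttl = Math.min(manifest.ttlSeconds ?? maxTtlSeconds, maxTtlSeconds);
    if (!(ttl > 0)) throw new Error('ttlSeconds must be positive');
    const payload = {
      aud: manifest.appDid,                     // who may use the delegation
      att: [...manifest.capabilities].sort(),   // what was delegated
      nbf: now,
      exp: now + ttl,
      nonce: crypto.randomBytes(16).toString('hex'),
    };
    // JSON.stringify is used as the signing encoding for brevity; a real
    // format needs a canonical serialization.
    const bytes = Buffer.from(JSON.stringify(payload));
    const signature = crypto.sign(null, bytes, privateKey).toString('base64');
    return { payload, signature };
  }

  // Only the public key and the signing operation cross the boundary.
  return { ownerPublicKeyPem, materializeDelegation };
}

// Verifier side: validation terminates at the owner's public key.
function verifyDelegation(delegation, ownerPublicKeyPem, now = Math.floor(Date.now() / 1000)) {
  const bytes = Buffer.from(JSON.stringify(delegation.payload));
  const key = crypto.createPublicKey(ownerPublicKeyPem);
  const sigOk = crypto.verify(null, bytes, key, Buffer.from(delegation.signature, 'base64'));
  return sigOk && delegation.payload.nbf <= now && now < delegation.payload.exp;
}
```
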

Relationships

Produces the owner DID that roots capabilities / cacao-chain-validation; brokers SIWE and delegation; trust root for OpenCredentials; a Layer-1 peer of the policy-engine (see architecture-layers).

Status & drift

in-progress as documented here. OpenKey has its own repository and is not part of this checkout — this concept is authored from the protocol-level role it plays (sign-in + delegation brokering + identity custody); for its internal API, passkey/WebAuthn details, and TEE attestation specifics, defer to OpenKey's own documentation. Treat code paths here as indicative.

Sources

  • openkey: apps/api/src/routes/keys.ts, apps/api/src/routes/delegate.ts, README.md (not in this checkout — role authored from protocol context)