Skip to main content

Overview

Embedded Wallets provide secure, user-friendly authentication methods that eliminate the complexity of traditional crypto wallets. Users can access their wallets through familiar authentication patterns like email one-time passwords (OTP), SMS, and social logins, without ever dealing with seed phrases or browser extensions.
Ready to implement authentication? Check out the Implementation Guide for step-by-step integration instructions.

Email OTP

Email OTP is the primary authentication method for Embedded Wallets, providing a secure and familiar experience for users.
  1. User enters email: The user provides their email address in your application
  2. OTP sent: A 6-digit one-time password is sent to their email
  3. User verifies: The user enters the OTP in your application
  4. Wallet access: Upon successful verification, the wallet is created or accessed
  • Time-limited codes: OTPs expire after 10 minutes for security
  • Rate limiting: Protection against brute force attempts
  • Secure delivery: Emails sent through Coinbase’s trusted infrastructure
  • Device binding: Wallets are cryptographically bound to the user’s device
  • No passwords to remember: Users don’t need to create or manage passwords
  • Instant onboarding: New users can create a wallet in seconds
  • Familiar process: Similar to authentication flows users already know
  • Cross-device support: Users can access their wallet from up to 5 devices

Email Customization

By default, all emails are sent without customization. If you’d like to use a custom email template featuring your app’s name and logo, reach out to us on Discord, and we’ll get you set up within one business day.

SMS OTP

SMS-based one-time passwords are available as an additional authentication method, providing users with more flexibility in how they access their wallets.
  1. User enters phone number: The user provides their phone number in your application
  2. OTP sent: A 6-digit one-time password is sent to their phone number
  3. User verifies: The user enters the OTP in your application
  4. Wallet access: Upon successful verification, the wallet is created or accessed
  • Time-limited codes: OTPs expire after 5 minutes for security
  • Rate limiting: Protection against brute force attempts
  • Secure delivery: Text messages sent through Coinbase’s trusted infrastructure
  • Device binding: Wallets are cryptographically bound to the user’s device
  • No passwords to remember: Users don’t need to create or manage passwords
  • Instant onboarding: New users can create a wallet in seconds
  • Familiar process: Similar to authentication flows users already know
  • Cross-device support: Users can access their wallet from up to 5 devices
This feature is currently supported for phone numbers from the following countries - Australia, Brazil, Canada, Colombia, France, Germany, India, Indonesia, Italy, Japan, Kenya, Mexico, Netherlands, Philippines, Poland, Singapore, South Korea, Spain, Sweden, Switzerland, United Arab Emirates, United Kingdom, United States of America. If you’d like to enable the feature in additional regions, reach out to us on Discord.
SMS security considerations:
  • SMS authentication is inherently vulnerable to SIM swapping attacks, where attackers can take over a user’s phone number.
  • You should weigh the convenience of logging in with SMS with the potential for a user’s wallet to be taken control of.

Social login providers

Social login through Google, Apple, and X are supported via our SDK using OAuth 2.0. We offer Coinbase-owned OAuth login, allowing users to recognize and trust Coinbase’s brand during the login process.
  1. User initiates social login: The user clicks on a familiar button like “Sign in with Google” or “Sign in with X”
  2. User logs in: The user is redirected to the login flow from the OAuth provider
  3. User verifies: The user completes login
  4. Wallet access: Upon successful verification, the wallet is created or accessed
  • Time-limited codes: Social login sessions are managed using a refresh and access token model with configurable expiration
  • Rate limiting: Protection against brute force attempts
  • Secure delivery: Login is facilitated by Coinbase’s trusted brand.
  • No passwords to remember: Users don’t need to create or manage passwords
  • Instant onboarding: New users can create a wallet in seconds
  • Familiar process: Similar to authentication flows users already know
  • Cross-device support: Users can access their wallet from up to 5 devices
React Native OAuth setup: OAuth authentication is fully supported in React Native, but requires deep link configuration to handle authentication callbacks. See our complete React Native Social Login Configuration guide for step-by-step instructions. Note: Email and SMS authentication work out-of-the-box in React Native with no additional configuration needed.

Examples

Sign in with social providers using the OAuth flow. Note that the page from which the signInWithOAuth call occurs will be redirected back to after the user authenticates with their provider. The user will be automatically logged-in when @coinbase/cdp-core re-initializes. 
import { initialize, signInWithOAuth } from '@coinbase/cdp-core';

// Initialize the CDP SDK
await initialize({
  projectId: 'your-project-id'
});

// Initiate Google OAuth sign-in
// User will be redirected to Google to complete their login
// After login, they will be redirected back to your app, and the login
// process will be completed automatically by the SDK
try {
  void signInWithOAuth("google");
} catch (error) {
  console.error("Failed to sign in with Google:", error);
}

Auth method linking

Once a user is authenticated, you can enable them to link additional authentication methods to their account. This allows users to sign in using multiple methods (email, SMS, OAuth providers) while maintaining access to the same embedded wallet.
  1. User must be authenticated: The user signs in using any supported method
  2. Initiate linking: User requests to link an additional authentication method
  3. Verify the method: Complete verification (OTP or OAuth flow)
  4. Linked: The new method is now associated with the same user account and wallet
For detailed implementation examples and code snippets, see the Auth Method Linking guide.

Custom authentication

Custom authentication enables applications with existing authentication systems to integrate Embedded Wallets seamlessly. Instead of using CDP’s built-in authentication (email OTP, SMS, OAuth), you can use JWTs from your own identity provider.
  1. Pre-configuration: Configure your JWKS endpoint in CDP Portal
  2. User logs in: User authenticates with your existing auth system
  3. JWT generation: Your identity provider generates a JWT for the user
  4. CDP validation: CDP retrieves your JWKS, validates the JWT and required claims
  5. Wallet access: CDP uses the stable sub claim to get or create an embedded wallet
  • Existing user base: You already have users authenticated via Auth0, Firebase, Cognito, or custom solution
  • Single sign-on (SSO): Users sign in once across your entire platform
  • Enterprise requirements: Need to integrate with corporate identity systems
  • Regulatory compliance: Must use specific authentication providers

Requirements

Your identity provider must:
  • Support JWKS (JSON Web Key Sets) with RS256 or ES256 signing
  • Provide required JWT claims: iss, sub, exp, iat

Getting started

See the complete Custom Authentication guide for setup instructions and code examples.

Multi-Factor Authentication (MFA)

Add an extra layer of security to your embedded wallets with Time-based One-Time Password (TOTP) multi-factor authentication. Users can enroll using popular authenticator apps like Google Authenticator, Authy, or 1Password.
  • Industry-standard TOTP: Compatible with all major authenticator apps
  • Optional enrollment: Let users choose when to enable MFA
  • Flexible verification: Require MFA for specific operations or all sensitive actions
  • Easy integration: Simple SDK methods for enrollment and verification
  • High-value operations: Require MFA for large transactions or withdrawals
  • Account security changes: Mandate MFA when changing authentication settings
  • Compliance requirements: Meet regulatory requirements for additional authentication
  • User preference: Allow security-conscious users to opt-in to enhanced protection

Getting started with MFA

See the complete Multi-Factor Authentication guide for implementation details and code examples.