Build
Skip to content

Embedded Wallet Configuration

You can configure a Sequence Embedded Wallet in Builder and integrate your own OAuth accounts to enable easy onboarding to your games. Configuration page in Builder is available here.

The following sections will explain the various ways to configure using an Embedded Wallet in Builder:

  • Login Providers: Web2 based authentication providers
  • Allowed Origins: Specify allowed URL origins to call your Embedded Wallet instance from to prevent configuration key misuse
  • Recovery Wallet: In the event of a wallet ownership turnover for a compromised wallet, specify a recovery wallet to obtain ownership of embedded wallet instance post Trust recovery process
  • Initial Configuration Password: Create a password to secure your Embedded Wallet project instance in Builder
  • Configuration Changes: Update configuration details at anypoint with password protection
  • Parent Wallet: A 2/2 signer delegation of non-custodial security
  • SDK Integrations: Sequence SDK products that allow developers to implement an Embedded Wallet across platforms

Login Providers

Sequence Embedded Wallet supports the following login providers:

Google Auth

If you would like to support Google Auth, you need to make sure that a project is configured at your Google Cloud Console along with the proper OAuth 2.0 client ID. You can follow our guide on how to set it up. After configuring the proper origins and redirect URIs for your project, copy the Client ID and paste it into the Google Client ID field after adding a Google login provider.

Apple Auth

If you would like to offer Apple Auth, you need to make sure that an application is configured at your Apple Developer Console account. More information on how to configure Sign in with Apple can be found here. Once you have all requirements completed, share the unique identifier for the Services ID you created as part of your onboarding package after adding an Apple login provider.

Allowed Origins

This additional security measure will prevent unauthorized usage of your WaaS configuration outside of domains you whitelisted. Add any development and production URLs under Allowed Origins. By default all subpaths under theses hosts will be allowed.

You must define allowed origins with a valid scheme (i.e. https).

Recovery Wallet

WaaS requires the public address for a recovery wallet that you control. This recovery wallet will be used for recovering user wallets in a disaster scenario where a wallet has been compromised, so it must be controlled by you and must be kept safe at all times.

We recommend that:

  • You use Gnosis Safe for setting up the wallet
  • You ensure you have at least 2, ideally 3+ signers configured and required for every transaction
  • Every signer is protected by a hardware wallet

Once the recovery wallet is setup properly, provide the public address for it. Recovery wallet cannot be modified once your configuration is saved.

Initial Configuration Password

Once you have all information prepared, go ahead and create your Embedded Wallet configuration. During initial setup, Builder will prompt you to assign a password to the Embedded Wallet. This password will be required for all subsequent modifications to your Embedded Wallet configuration, so it must be stored safely.

Configuration Changes

To make modifications to your Embedded Wallet configuration, navigate to the Embedded Wallet section again and make the necessary changes. Then click "Save Configuration" and enter your recovery wallet password to deploy the changes.

Parent Wallet

Every embedded wallet parent wallet is a 2/2 signer where the two signers are:

  • Guard - fully controlled by Sequence
  • Authenticator - jointly controlled by Sequence and Quantstamp

And, every child wallet is a 1/1 signer where the signer is the parent wallet of the specific project. So inherently, the custodial security of the 1/1 child wallet inherits the security of the 2/2 parent wallet, as no transactions or signatures can be created without both keys from the parent wallet.

Why deploying a Parent Wallet will future proof integrations

Parent Wallet for an Embedded Wallet configuration must be deployed on-chain to prevent issues with message signing and increased gas cost during transactions. These Parent Wallets can be deployed from Sequence Builder when accessing your Embedded Wallet configuration.

The possible states that an Embedded Wallet can be in and their behaviour:

ScenarioPrerequisitesignMessage Behaviour
None deployedDefault statesignMessage returns an invalid signature
Only parent deployedManually deployed from Builder OR upon first ever transaction from any walletsignMessage returns a valid 6492 signature (very low verification support; use Sequence to validate)
Both parent and child deployedUpon first ever transaction from that specific walletsignMessage returns a valid 1271 signature (moderate verification support; still recommended to use Sequence to validate)

SDK Integrations

Now that you have your Embedded Wallet configuration up, go ahead and follow our guides on how to integrate with the SDKs: