Automatic Recovery session
To create a wallet with automatic recovery, you need to set up an encryption session. This session is only valid for a single use.
When using automatic recovery, Shield generates a password that is used to encrypt the recovery share. The full encryption key can only be reconstructed if the decryption request carries the user's auth token.
It is worth noting that while automatic recovery gives a smooth UX (the user does not have to set up a recovery method up front when logging in), it comes with tradeoffs. Notably, the root of trust is the user's authentication token: whoever holds a valid auth token can obtain the wallet, so access to the token is equivalent to access to the wallet. Accordingly, this token must be properly secured at all times, both in transit and wherever it is stored on the client.
For example, in a Next.js API route, you can create an endpoint that generates the encryption session using the Openfort Node SDK. The Shield secret key and encryption share must stay server-side; load them from environment variables rather than hard-coding the placeholders shown here.
import type { NextApiRequest, NextApiResponse } from "next";
import openfort from "./openfortAdminConfig";

export default async function handler(
  req: NextApiRequest,
  res: NextApiResponse
) {
  // Registers a single-use encryption session with Shield.
  // The secret key and encryption share are server-only secrets.
  const session = await openfort.registerRecoverySession(
    "YOUR_SHIELD_PUBLISHABLE_KEY",
    "YOUR_SHIELD_SECRET_KEY",
    "YOUR_SHIELD_ENCRYPTION_SHARE"
  );
  // Only the session identifier is returned to the caller; the secrets never leave the server.
  res.status(200).send({
    session: session,
  });
}
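Because the auth token is the root of trust, an endpoint that mints encryption sessions should itself refuse unauthenticated callers and must never echo the Shield secrets back. The following is an added example, not Openfort's code, of a framework-agnostic handler that enforces that: `verifyUserToken` and `registerSession` are assumed injection points (in production `registerSession` would wrap `openfort.registerRecoverySession(...)` and `verifyUserToken` would validate the bearer token against your identity provider); the config values and stub dependencies below are constructed placeholders so the code runs offline.

```typescript
// Added example (not part of the Openfort SDK or docs): a hardened handler
// factory for the recovery-session endpoint. Dependencies are injected so the
// authorization logic can be exercised without network access.

export type ShieldConfig = {
  publishableKey: string;
  secretKey: string;       // server-side only; must never reach the browser
  encryptionShare: string; // server-side only
};

export type Deps = {
  // Assumed hook: resolves a user id from a valid auth token, or null if invalid.
  verifyUserToken: (token: string) => Promise<string | null>;
  // Assumed hook: in production wraps openfort.registerRecoverySession(...)
  // and returns the single-use session identifier.
  registerSession: (cfg: ShieldConfig) => Promise<string>;
};

export type Request = { headers: Record<string, string | undefined> };
export type Response = { status: number; body: Record<string, unknown> };

// Pulls the bearer token out of the Authorization header, or null if absent/malformed.
export function extractBearer(req: Request): string | null {
  const header = req.headers["authorization"] ?? "";
  const match = /^Bearer\s+(\S+)$/i.exec(header);
  return match?.[1] ?? null;
}

export function createRecoverySessionHandler(cfg: ShieldConfig, deps: Deps) {
  return async function handler(req: Request): Promise<Response> {
    // 1. Refuse anonymous callers: a session is only minted for a user who
    //    already proves possession of a valid auth token.
    const token = extractBearer(req);
    if (!token) return { status: 401, body: { error: "missing auth token" } };
    const userId = await deps.verifyUserToken(token);
    if (!userId) return { status: 401, body: { error: "invalid auth token" } };

    // 2. Register the single-use session server-side. Only the session id is
    //    returned; secretKey and encryptionShare are never part of the response.
    const session = await deps.registerSession(cfg);
    return { status: 200, body: { session, userId } };
  };
}

// ---- Constructed stand-ins so the example runs stand-alone (not real keys) ----
export const demoConfig: ShieldConfig = {
  publishableKey: "pk_test_placeholder",
  secretKey: "sk_test_placeholder",
  encryptionShare: "share_placeholder",
};

const demoTokens = new Map<string, string>([["user-token-123", "user_abc"]]);
let sessionCounter = 0;

export const demoDeps: Deps = {
  verifyUserToken: async (t) => demoTokens.get(t) ?? null,
  // Each call yields a fresh id, mirroring the single-use nature of a real session.
  registerSession: async (cfg) => `sess_${cfg.publishableKey.slice(0, 7)}_${++sessionCounter}`,
};

export const demoHandler = createRecoverySessionHandler(demoConfig, demoDeps);
```

In a Next.js route you would call `demoHandler`'s production counterpart from the API handler, map `status`/`body` onto `res.status(...).send(...)`, and pass a `registerSession` that calls the real SDK with values read from `process.env`.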