
Wallet / Auth · EVM · Solana
Privy
Auth and embedded wallets for consumer crypto apps. Email, social, SMS, and passkey login with progressive wallet onboarding across EVM and Solana.
- 01 consumer apps
- 02 embedded wallets
- 03 email/social login
- 04 progressive onboarding
- 05 server-side auth verification
- `pnpm add @privy-io/react-auth`
- `pnpm add @privy-io/server-auth`
| Variable | Scope | Description |
|---|---|---|
| NEXT_PUBLIC_PRIVY_APP_ID | Client | Privy App ID from the Privy dashboard (client-safe). |
| PRIVY_APP_SECRET | Server | Privy App Secret used by `@privy-io/server-auth` to verify access tokens and call admin APIs. Server-only. |
Use Privy for authentication and embedded wallets. Wrap the app in `PrivyProvider` from `@privy-io/react-auth` with `appId={process.env.NEXT_PUBLIC_PRIVY_APP_ID}` and a `config` object specifying `loginMethods` (e.g. `['email','google','wallet']`) and `embeddedWallets: { createOnLogin: 'users-without-wallets' }`. Read auth state with the `usePrivy()` hook (`ready`, `authenticated`, `user`, `login`, `logout`) and access wallets via `useWallets()` — always check `wallet.ready` before signing. On the server, verify the user's access token with `new PrivyClient(appId, appSecret).verifyAuthToken(token)` from `@privy-io/server-auth` before trusting any address from the client.
- ⚑ `usePrivy().ready` and `useWallets().ready` are independent — gate UI on both before reading `user` or signing transactions, otherwise you will hit race conditions on first load.
- ⚑ Never trust a wallet address sent from the browser; always call `verifyAuthToken` server-side with `PRIVY_APP_SECRET` and derive the address from the verified claims.
- ⚑ Embedded-wallet signing requires the user to have completed MFA setup if you enabled it in the dashboard — handle the `useMfaEnrollment` flow or signing calls will throw.
- ⚑ Solana support requires explicitly enabling Solana in your Privy dashboard config and importing the Solana hooks (`useSolanaWallets`); EVM-only apps will silently ignore Solana wallet objects.
- ⚑ React Native and Expo use a separate package (`@privy-io/expo`) — do not import `@privy-io/react-auth` in mobile builds.
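The server-side rule above (verify the access token first, then decide which address to trust), as an added example that is not Privy's or this page's own code. `privy` is an injected client so the logic runs against the constructed `stubPrivy`; the `Authorization: Bearer` transport, the `getUser(userId)` lookup and the `linkedAccounts` shape are assumptions to check against your `@privy-io/server-auth` version.

```javascript
// `privy` is injected: pass new PrivyClient(appId, appSecret) in production.
// Token from "Authorization: Bearer <token>" (this transport is an assumption).
function extractBearer(header) {
  const m = /^Bearer\s+(\S+)$/i.exec(header || "");
  return m ? m[1] : null;
}

// EVM hex addresses compare case-insensitively (checksum casing varies);
// Solana base58 addresses are case-sensitive and must match exactly.
function sameAddress(a, b) {
  const evm = /^0x[0-9a-fA-F]{40}$/;
  return evm.test(a) && evm.test(b) ? a.toLowerCase() === b.toLowerCase() : a === b;
}

// Assumption: the user record lists wallets as { type: "wallet", address }.
function walletIsLinked(user, address) {
  if (typeof address !== "string" || address === "") return false;
  return ((user && user.linkedAccounts) || []).some(
    (acct) => acct.type === "wallet" && typeof acct.address === "string" &&
      sameAddress(acct.address, address)
  );
}

// The claimed address is only compared against server-side data for the
// verified user; it is never treated as an identity on its own.
async function authorizeWallet(privy, authHeader, claimedAddress) {
  const token = extractBearer(authHeader);
  if (!token) return { ok: false, status: 401, reason: "missing bearer token" };
  let claims;
  try {
    claims = await privy.verifyAuthToken(token); // rejects invalid or expired tokens
  } catch (err) {
    return { ok: false, status: 401, reason: "invalid token" };
  }
  // Assumption: getUser(userId) is the user lookup in your SDK version.
  const user = await privy.getUser(claims.userId);
  if (!walletIsLinked(user, claimedAddress)) return { ok: false, status: 403, reason: "wallet not linked" };
  return { ok: true, status: 200, userId: claims.userId };
}

// Constructed stub standing in for PrivyClient (no real Privy data).
const stubPrivy = {
  verifyAuthToken: async (t) => {
    if (t !== "good-token") throw new Error("bad token");
    return { userId: "did:privy:example-user" };
  },
  getUser: async () => ({ linkedAccounts: [{ type: "wallet", address: "0x" + "Ab".repeat(20) }] }),
};
```

A 401 here means the caller is not authenticated at all, while a 403 means a valid session named a wallet that is not linked to that user, which is worth logging separately.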