[Security] Question regarding my API KEY and Passkey Signups

[maximecd]

Today, my frontend is configured as such :

export const config = createConfig(
    {
        transport: alchemy({
            apiKey: 'my-api-key',
        }),
        chain,
        ssr: true,
        storage: cookieStorage,
        enablePopupOauth: true,
        sessionConfig: {
            expirationTimeMs: 1000 * 60 * 60 * 1, // 1 hour
        },
    },
    uiConfig,
);

While i was implementing Passkey + Email only signups for users, i was wondering one thing :
Since users can get the api key client-side (or even if i proxy, they could use the proxy i guess), what prevents someone from calling

signer.authenticate({
    type: 'passkey',
    email: 'another-(future)[email protected]',
})

in order to create the smart account (and even export the private key).

• Is the smartaccount tied to the email + passkey pair ?
• Let's say, i setup OTP in my app, and someone with my api key signups with passkey with the email of one of my users before them, do they get full access of the account to ?

I've tested this locally :

• User1 creates an account with email ([email protected], not his, he only knows this is someone else's email) + a passkey
• User2 logs in via email and his email ([email protected]) and is now connected, without knowing some else has the same smartaccount
  Did i messed up in the account signup process ?

[moldy530]

if they get an API key from your client they definitely could do that.

If you proxy, you now have some extra controls. Since you're proxying signup requests to your backend, you can check the kind of sign up that's happening. So if you get a Passkey + Email signup, you should first require the user to verify their email. Or you can restrict signup entirely with that method and only allow email based signups (which inherently go through an email verification flow) and then allow users to add a passkey later