cryptographic key generation issue with Turnkey's in-browser API key generation feature, pleade look into it

[khushzynk09]

Turnkey API Key Generation Bug Report

Issue Summary

Turnkey API key generation produces invalid cryptographic key pairs that cannot be used for authentication.

Environment

• Turnkey SDK Version: @turnkey/sdk-server@4.8.0
• API Key Stamper Version: @turnkey/api-key-stamper@0.4.7
• Node.js Version: v22.14.0
• Platform: Windows 10

Steps to Reproduce

1. Go to Turnkey dashboard
2. Navigate to API Keys section
3. Click "Create API key"
4. Select "Generate API keys in-browser"
5. Provide API key name (e.g., "gen-1", "gen-2")
6. Download the generated JSON file
7. Use the keys in Turnkey SDK

Expected Behavior

• Generated public and private keys should form a valid P-256 cryptographic pair
• Keys should work with Turnkey SDK authentication

Actual Behavior

• Generated keys are mathematically invalid
• Public key cannot be derived from private key
• Turnkey SDK rejects keys with error: "unable to load API key: invalid public key"

Evidence

First API Key Generation (gen-1)

• Public Key: 022fbd14baec3997747e817ac24d3ea6098461be7183a7e856f816eaa3bd816149
• Private Key: cd706...2a35
• Curve Type: API_KEY_CURVE_P256
• Status: ❌ Invalid key pair

Second API Key Generation (gen-2)

• Public Key: 035e771436b1adf475ae715ccdd96824ae03a521b144251d47a2ffc2c770926362
• Private Key: a296...c65b
• Curve Type: API_KEY_CURVE_P256
• Status: ❌ Invalid key pair

Technical Details

• Both keys are 66-character public keys and 64-character private keys
• Keys are in correct hex format with no encoding issues
• Node.js crypto module confirms keys are not valid ECDSA pairs
• Turnkey SDK validation fails at convertTurnkeyApiKeyToJwk function

Impact

• Cannot authenticate with Turnkey API
• Cannot use Turnkey SDK for any operations
• Blocks development and testing of Turnkey integration

Request

Please investigate and fix the API key generation algorithm to ensure valid cryptographic key pairs are produced.

Contact

• User: kushwant@zynklabs.xyz
• Organization ID: e336c77b-d34b-4bf2-87bd-0ffb2b9d84e2
• Report Date: August 30, 2025

[t-vila]

hey, how are you trying to use / validate the keys ? I can easily use your gen-2 keypair to authenticate:

import { TurnkeyClient } from "@turnkey/http";
import { ApiKeyStamper } from "@turnkey/api-key-stamper";

async function main() {
  // Initialize a Turnkey client
  const turnkeyClient = new TurnkeyClient(
    { baseUrl: "https://api.turnkey.com" },
    new ApiKeyStamper({
      apiPublicKey: "...",
      apiPrivateKey: "...",
    }),
  );

  const result = await turnkeyClient.getWhoami({
    organizationId: "e336c77b-d34b-4bf2-87bd-0ffb2b9d84e2"
  });

  console.log(result);
}

main().catch((error) => {
  console.error(error);
  process.exit(1);
});

As a side note, would you mind removing the private key data from your post, just for sanity reasons (even they are test keys).

[khushzynk09]

Auth works with @turnkey/http + ApiKeyStamper (getWhoami OK).

When calling createSubOrganization via @turnkey/http:
await client.createSubOrganization({
organizationId: "e336c77b-d34b-4bf2-87bd-0ffb2b9d84e2",
subOrganizationName: test-${Date.now()},
rootQuorumThreshold: 1,
rootUsers: [{ userName: "Default Admin", apiKeys: [], authenticators: [] }],
});

I get: Turnkey error 3: Invalid activity type: (""), try updating your SDK versions.

1. What is the correct request shape for createSubOrganization with @turnkey/http today?
2. Is there a specific ActivityType (e.g., CREATE_SUB_ORGANIZATION_V7) that the client should include automatically?
3. Which exact versions should we use? Current:
   • @turnkey/http:
   • @turnkey/sdk-server:
   • @turnkey/api-key-stamper:
4. If createSubOrganization has moved to a new RPC or name, can you share a working snippet for @turnkey/http?

[t-vila]

If you have no other restrictions try to use the latest packages, take a look at these examples:

https://github.com/tkhq/sdk/blob/main/examples/kitchen-sink/src/http/createSubOrganization.ts
https://github.com/tkhq/sdk/blob/main/examples/kitchen-sink/src/sdk-server/createSubOrganization.ts

[khushzynk09]

for the work i am doing -
giving you codes for making you understand how i am using them
(by the way this time i tries by creating a fresh new account (organization) setup through a new mail id ..and am still getting errors
can u help me with if anything is wrong in my codes
embedded.js (services/turnkey/embedded.js)

require("dotenv").config();
const { Turnkey } = require("@turnkey/sdk-server");
const { TurnkeyClient } = require("@turnkey/http");
const { ApiKeyStamper } = require("@turnkey/api-key-stamper");

// Configuration
const TURNKEY_BASE_URL = (process.env.TURNKEY_BASE_URL || "https://api.turnkey.com").trim();
const TURNKEY_ORG_ID = (process.env.TURNKEY_ORG_ID || "").trim();
const TURNKEY_API_PUBLIC_KEY = (process.env.TURNKEY_API_PUBLIC_KEY || "").trim();
const TURNKEY_API_PRIVATE_KEY = (process.env.TURNKEY_API_PRIVATE_KEY || "").trim();

function isHex(str) {
return /^[0-9a-fA-F]+$/.test(str);
}

function validateApiKeys() {
const problems = [];
if (!TURNKEY_API_PUBLIC_KEY) problems.push("TURNKEY_API_PUBLIC_KEY missing");
if (!TURNKEY_API_PRIVATE_KEY) problems.push("TURNKEY_API_PRIVATE_KEY missing");
if (TURNKEY_API_PUBLIC_KEY && (!isHex(TURNKEY_API_PUBLIC_KEY) || TURNKEY_API_PUBLIC_KEY.length !== 66 || !/^0[23]/.test(TURNKEY_API_PUBLIC_KEY))) {
problems.push("Public key must be 66 hex chars, start with 02/03 (compressed P-256)");
}
if (TURNKEY_API_PRIVATE_KEY && (!isHex(TURNKEY_API_PRIVATE_KEY) || TURNKEY_API_PRIVATE_KEY.length !== 64)) {
problems.push("Private key must be 64 hex chars");
}
return problems;
}

const keyProblems = validateApiKeys();
if (keyProblems.length > 0) {
// eslint-disable-next-line no-console
console.warn("[turnkey/embedded] API key validation warnings:", keyProblems);
}

// Initialize Turnkey client
// Fix: Use 03 prefix for public key as it works with the stamper
// const workingPublicKey = TURNKEY_API_PUBLIC_KEY.startsWith('02')
// ? 03${TURNKEY_API_PUBLIC_KEY.substring(2)}
// : TURNKEY_API_PUBLIC_KEY;

const apiKeyStamper = new ApiKeyStamper({
apiPublicKey: TURNKEY_API_PUBLIC_KEY,
apiPrivateKey: TURNKEY_API_PRIVATE_KEY,
});

// One-time sanity stamp in this module context
try {
apiKeyStamper
.stamp(Buffer.from("{}"))
.then(() => {
// eslint-disable-next-line no-console
console.log(
"[turnkey/embedded] Stamper sanity OK",
{ pubLen: TURNKEY_API_PUBLIC_KEY.length, privLen: TURNKEY_API_PRIVATE_KEY.length }
);
})
.catch((e) => {
// eslint-disable-next-line no-console
console.warn("[turnkey/embedded] Stamper sanity FAILED:", e?.message || e);
});
} catch (e) {
// eslint-disable-next-line no-console
console.warn("[turnkey/embedded] Stamper init error:", e?.message || e);
}

// Initialize both HTTP and SDK clients. Prefer HTTP; fall back to SDK if needed.
const httpClient = new TurnkeyClient(
{ baseUrl: TURNKEY_BASE_URL },
apiKeyStamper
);

const sdkClient = new Turnkey(
{ baseUrl: TURNKEY_BASE_URL, defaultOrganizationId: TURNKEY_ORG_ID },
apiKeyStamper
);

// Helper function to check if Turnkey is configured
function isConfigured() {
return !!(TURNKEY_ORG_ID && TURNKEY_API_PUBLIC_KEY && TURNKEY_API_PRIVATE_KEY);
}

// Create sub-organization for user
async function createSubOrganization(userId, partnerId) {
if (!isConfigured()) {
throw new Error("Turnkey not configured");
}

const problems = validateApiKeys();
if (problems.length > 0) {
throw new Error(Invalid API key configuration: ${problems.join(", ")});
}

try {
const subOrgName = User_${userId}_${partnerId};

// Attempt via HTTP client (recommended)
try {
  const httpRes = await httpClient.createSubOrganization({
    type: "ACTIVITY_TYPE_CREATE_SUB_ORGANIZATION_V7",
    timestampMs: String(Date.now()),
    organizationId: TURNKEY_ORG_ID,
    parameters: {
      subOrganizationName: subOrgName,
      rootQuorumThreshold: 1,
      rootUsers: [
        { userName: `User_${userId}`, apiKeys: [], authenticators: [], oauthProviders: [] },
      ],
    },
  });

  const created = httpRes?.subOrganization || httpRes?.result || httpRes;
  return {
    subOrgId: created?.subOrganizationId || created?.id,
    subOrgName: created?.name || subOrgName,
  };
} catch (httpErr) {
  const msg = String(httpErr?.message || httpErr || "");
  const shouldFallback = msg.includes("Invalid activity type") || msg.includes("try updating your SDK versions");
  if (!shouldFallback) throw httpErr;

  // Fallback to SDK server client
  const sdkRes = await sdkClient.apiClient().createSubOrganization({
    subOrganizationName: subOrgName,
    rootQuorumThreshold: 1,
    rootUsers: [
      { userName: "Default Admin", apiKeys: [], authenticators: [], oauthProviders: [] },
    ],
  });
  return {
    subOrgId: sdkRes?.subOrganization?.subOrganizationId,
    subOrgName: sdkRes?.subOrganization?.name,
  };
}

} catch (error) {
console.error("Turnkey createSubOrganization error:", error);
throw new Error(Failed to create sub-organization: ${error.message});
}
}

// Create wallet in sub-organization
async function createWallet(subOrgId, walletName) {
if (!isConfigured()) {
throw new Error("Turnkey not configured");
}

try {
// Prefer HTTP
try {
const httpRes = await httpClient.createWallet({
organizationId: subOrgId,
walletName,
accounts: [
{
curve: "CURVE_ED25519",
pathFormat: "PATH_FORMAT_BIP32",
path: "m/44'/501'/0'/0'",
addressFormat: "ADDRESS_FORMAT_SOLANA",
},
],
});
const addresses = httpRes?.addresses || httpRes?.result?.addresses || [];
const wallet = httpRes?.wallet || httpRes;
return {
walletId: wallet?.walletId || wallet?.id,
walletName: wallet?.walletName || walletName,
address: addresses[0] || null,
};
} catch (httpErr) {
const msg = String(httpErr?.message || httpErr || "");
const shouldFallback = msg.includes("Invalid activity type") || msg.includes("try updating your SDK versions");
if (!shouldFallback) throw httpErr;

  const sdkRes = await sdkClient.apiClient().createWallet({
    organizationId: subOrgId,
    walletName,
    accounts: [
      {
        curve: "CURVE_ED25519",
        pathFormat: "PATH_FORMAT_BIP32",
        path: "m/44'/501'/0'/0'",
        addressFormat: "ADDRESS_FORMAT_SOLANA",
      },
    ],
  });
  return {
    walletId: sdkRes?.wallet?.walletId,
    walletName: sdkRes?.wallet?.walletName || walletName,
    address: sdkRes?.activity?.result?.createWalletResult?.addresses?.[0] || null,
  };
}

} catch (error) {
console.error("Turnkey createWallet error:", error);
throw new Error(Failed to create wallet: ${error.message});
}
}

// Create authenticator (passkey) for user
async function createAuthenticator(subOrgId, authenticatorName) {
if (!isConfigured()) {
throw new Error("Turnkey not configured");
}

try {
try {
const httpRes = await httpClient.createAuthenticators({
organizationId: subOrgId,
authenticators: [
{
authenticatorName,
type: "AUTHENTICATOR_TYPE_WEBAUTHN",
challenge: "placeholder",
},
],
});
const auth = (httpRes?.authenticators || [])[0] || {};
return { authenticatorId: auth.authenticatorId, authenticatorName: auth.authenticatorName };
} catch (httpErr) {
const msg = String(httpErr?.message || httpErr || "");
const shouldFallback = msg.includes("Invalid activity type") || msg.includes("try updating your SDK versions");
if (!shouldFallback) throw httpErr;

  const sdkRes = await sdkClient.apiClient().createAuthenticators({
    organizationId: subOrgId,
    authenticators: [
      {
        authenticatorName,
        type: "AUTHENTICATOR_TYPE_WEBAUTHN",
        challenge: "placeholder",
      },
    ],
  });
  const auth = (sdkRes?.authenticators || [])[0] || {};
  return { authenticatorId: auth.authenticatorId, authenticatorName: auth.authenticatorName };
}

} catch (error) {
console.error("Turnkey createAuthenticator error:", error);
throw new Error(Failed to create authenticator: ${error.message});
}
}

// Sign transaction using authenticator
async function signTransaction(subOrgId, walletId, unsignedTransaction, authenticatorId) {
if (!isConfigured()) {
throw new Error("Turnkey not configured");
}

try {
try {
const httpRes = await httpClient.signTransaction({
organizationId: subOrgId,
type: "TRANSACTION_TYPE_SOLANA",
signWith: walletId,
unsignedTransaction,
authenticatorId,
});
const r = httpRes?.activity?.result?.signTransactionResult || httpRes?.result || httpRes;
return { signedTransaction: r?.signedTransaction, signature: r?.signature };
} catch (httpErr) {
const msg = String(httpErr?.message || httpErr || "");
const shouldFallback = msg.includes("Invalid activity type") || msg.includes("try updating your SDK versions");
if (!shouldFallback) throw httpErr;

  const sdkRes = await sdkClient.apiClient().signTransaction({
    organizationId: subOrgId,
    type: "TRANSACTION_TYPE_SOLANA",
    signWith: walletId,
    unsignedTransaction,
    authenticatorId,
  });
  const r = sdkRes?.activity?.result?.signTransactionResult || {};
  return { signedTransaction: r?.signedTransaction, signature: r?.signature };
}

} catch (error) {
console.error("Turnkey signTransaction error:", error);
throw new Error(Failed to sign transaction: ${error.message});
}
}

module.exports = {
isConfigured,
createSubOrganization,
createWallet,
createAuthenticator,
signTransaction,
};`

---

embedded.js(controllers)-
`const crypto = require("crypto");
const { UserWallet } = require("../models");
const turnkeyEmbedded = require("../services/turnkey/embedded");
const { logDebug, logError } = require("../services/apiLogger");

const rpId = process.env.DEV_RP_ID || "localhost";
const namespace = "embedded-controller";

function toBase64Url(buffer) {
return Buffer.from(buffer)
.toString("base64")
.replace(/=/g, "")
.replace(/+/g, "-")
.replace(///g, "_");
}

exports.onboard = async (req, res) => {
try {
console.log(
"TK env snapshot",
process.env.TURNKEY_ORG_ID,
(process.env.TURNKEY_API_PUBLIC_KEY || "").slice(0, 6),
(process.env.TURNKEY_API_PRIVATE_KEY || "").slice(0, 6)
);
const { partnerId } = req.body;
const userId = req.user.id || req.user.email; // Use email as fallback

if (!partnerId) {
  return res.status(400).json({
    success: false,
    error: { message: "partnerId is required" }
  });
}

// Check if user already has a wallet for this partner
const existingWallet = await UserWallet.findOne({ userId, partnerId });
if (existingWallet) {
  return res.json({
    success: true,
    subOrgId: existingWallet.subOrgId,
    walletId: existingWallet.walletId,
    address: existingWallet.walletAddress,
    message: "User already onboarded"
  });
}

// Check if Turnkey is configured
if (!turnkeyEmbedded.isConfigured()) {
  await logError({
    namespace,
    message: "Turnkey not configured for embedded wallet onboarding",
    context: { userId, partnerId },
    errorCode: "TURNKEY_NOT_CONFIGURED"
  });
  return res.status(500).json({
    success: false,
    error: { message: "Wallet service not available" }
  });
}

// Step 1: Create sub-organization for user
const { subOrgId, subOrgName } = await turnkeyEmbedded.createSubOrganization(userId, partnerId);

// Step 2: Create wallet in sub-organization
const walletName = `UserWallet_${userId}_${partnerId}`;
const { walletId, address } = await turnkeyEmbedded.createWallet(subOrgId, walletName);

// Step 3: Store mapping in database
await UserWallet.create({
  userId,
  partnerId,
  subOrgId,
  walletId,
  walletAddress: address,
});

await logDebug({
  namespace,
  message: "User onboarded successfully",
  context: { userId, partnerId, subOrgId, walletId, address }
});

return res.json({
  success: true,
  subOrgId,
  walletId,
  address,
  message: "User onboarded successfully"
});

} catch (error) {
console.error("Onboard error details:", error);
await logError({
namespace,
message: "Failed to onboard user",
context: { userId: req.user?.id, partnerId: req.body?.partnerId },
errorCode: "ONBOARD_ERROR",
rawError: error
});

return res.status(500).json({
  success: false,
  error: { 
    message: "Failed to onboard user",
    details: error.message 
  }
});

}
};

exports.startRegister = async (req, res) => {
try {
const { partnerId } = req.body;
const userId = req.user.id || req.user.email;

if (!partnerId) {
  return res.status(400).json({
    success: false,
    error: { message: "partnerId is required" }
  });
}

// Get user's wallet record
const userWallet = await UserWallet.findOne({ userId, partnerId });
if (!userWallet) {
  return res.status(404).json({
    success: false,
    error: { message: "User not onboarded. Please onboard first." }
  });
}

const challenge = crypto.randomBytes(32);
const userIdBuffer = crypto.randomBytes(32);

const publicKey = {
  challenge: challenge,
  rp: { name: "Zynk", id: rpId },
  user: {
    id: userIdBuffer,
    name: req.user?.email || "user@zynk.local",
    displayName: req.user?.email || "Zynk User",
  },
  pubKeyCredParams: [
    { type: "public-key", alg: -7 }, // ES256
  ],
  authenticatorSelection: {
    authenticatorAttachment: "platform",
    userVerification: "preferred",
  },
  timeout: 120000,
};

// Store challenge for verification (in production, use Redis/session)
// For now, we'll use a simple approach
userWallet.tempChallenge = toBase64Url(challenge);
await userWallet.save();

await logDebug({
  namespace,
  message: "Started passkey registration",
  context: { userId, partnerId, subOrgId: userWallet.subOrgId }
});

return res.json({
  success: true,
  publicKey: {
    ...publicKey,
    challenge: toBase64Url(publicKey.challenge),
    user: { ...publicKey.user, id: toBase64Url(publicKey.user.id) },
  }
});

} catch (error) {
await logError({
namespace,
message: "Failed to start passkey registration",
context: { userId: req.user?.id, partnerId: req.body?.partnerId },
errorCode: "START_REGISTER_ERROR",
rawError: error
});

return res.status(500).json({
  success: false,
  error: { message: "Failed to start registration" }
});

}
};

exports.finishRegister = async (req, res) => {
try {
const { partnerId, attestationObject, clientDataJSON } = req.body;
const userId = req.user.id || req.user.email;

if (!partnerId || !attestationObject || !clientDataJSON) {
  return res.status(400).json({
    success: false,
    error: { message: "partnerId, attestationObject, and clientDataJSON are required" }
  });
}

// Get user's wallet record
const userWallet = await UserWallet.findOne({ userId, partnerId });
if (!userWallet) {
  return res.status(404).json({
    success: false,
    error: { message: "User not onboarded" }
  });
}

// Verify challenge (in production, verify against stored challenge)
// For now, we'll proceed with creating the authenticator

// Create authenticator in Turnkey
const authenticatorName = `Passkey_${userId}_${partnerId}`;
const { authenticatorId } = await turnkeyEmbedded.createAuthenticator(
  userWallet.subOrgId,
  authenticatorName
);

// Store authenticator ID
userWallet.authenticatorId = authenticatorId;
userWallet.tempChallenge = null; // Clear temporary challenge
await userWallet.save();

await logDebug({
  namespace,
  message: "Passkey registration completed",
  context: { userId, partnerId, authenticatorId }
});

return res.json({
  success: true,
  authenticatorId,
  message: "Passkey registered successfully"
});

} catch (error) {
await logError({
namespace,
message: "Failed to complete passkey registration",
context: { userId: req.user?.id, partnerId: req.body?.partnerId },
errorCode: "FINISH_REGISTER_ERROR",
rawError: error
});

return res.status(500).json({
  success: false,
  error: { message: "Failed to complete registration" }
});

}
};

exports.startSignSolana = async (req, res) => {
try {
const { partnerId } = req.body;
const userId = req.user.id || req.user.email;

if (!partnerId) {
  return res.status(400).json({
    success: false,
    error: { message: "partnerId is required" }
  });
}

// Get user's wallet record
const userWallet = await UserWallet.findOne({ userId, partnerId });
if (!userWallet) {
  return res.status(404).json({
    success: false,
    error: { message: "User not onboarded" }
  });
}

if (!userWallet.authenticatorId) {
  return res.status(400).json({
    success: false,
    error: { message: "User has no registered passkey. Please register first." }
  });
}

const challenge = crypto.randomBytes(32);
const allowCredentialId = crypto.randomBytes(32); // In real implementation, get from stored credential

const publicKey = {
  challenge: challenge,
  rpId,
  allowCredentials: [
    { type: "public-key", id: allowCredentialId, transports: ["internal"] },
  ],
  userVerification: "preferred",
  timeout: 120000,
};

// Store challenge for verification
userWallet.tempChallenge = toBase64Url(challenge);
await userWallet.save();

await logDebug({
  namespace,
  message: "Started Solana transaction signing",
  context: { userId, partnerId, walletAddress: userWallet.walletAddress }
});

return res.json({
  success: true,
  publicKey: {
    ...publicKey,
    challenge: toBase64Url(publicKey.challenge),
    allowCredentials: [
      { ...publicKey.allowCredentials[0], id: toBase64Url(allowCredentialId) },
    ],
  }
});

} catch (error) {
await logError({
namespace,
message: "Failed to start Solana signing",
context: { userId: req.user?.id, partnerId: req.body?.partnerId },
errorCode: "START_SIGN_ERROR",
rawError: error
});

return res.status(500).json({
  success: false,
  error: { message: "Failed to start signing" }
});

}
};

exports.finishSignSolana = async (req, res) => {
try {
const { partnerId, assertion, unsignedTransaction } = req.body;
const userId = req.user.id || req.user.email;

if (!partnerId || !assertion || !unsignedTransaction) {
  return res.status(400).json({
    success: false,
    error: { message: "partnerId, assertion, and unsignedTransaction are required" }
  });
}

// Get user's wallet record
const userWallet = await UserWallet.findOne({ userId, partnerId });
if (!userWallet) {
  return res.status(404).json({
    success: false,
    error: { message: "User not onboarded" }
  });
}

// Verify challenge (in production, verify against stored challenge)
// For now, we'll proceed with signing

// Sign transaction using Turnkey
const { signedTransaction, signature } = await turnkeyEmbedded.signTransaction(
  userWallet.subOrgId,
  userWallet.walletId,
  unsignedTransaction,
  userWallet.authenticatorId
);

// Clear temporary challenge
userWallet.tempChallenge = null;
await userWallet.save();

await logDebug({
  namespace,
  message: "Solana transaction signed successfully",
  context: { userId, partnerId, signature }
});

return res.json({
  success: true,
  signedTx: signedTransaction,
  signature,
  message: "Transaction signed successfully"
});

} catch (error) {
await logError({
namespace,
message: "Failed to sign Solana transaction",
context: { userId: req.user?.id, partnerId: req.body?.partnerId },
errorCode: "FINISH_SIGN_ERROR",
rawError: error
});

return res.status(500).json({
  success: false,
  error: { message: "Failed to sign transaction" }
});

}
};

exports.broadcastTx = async (req, res) => {
try {
const { signedTx } = req.body;

if (!signedTx) {
  return res.status(400).json({
    success: false,
    error: { message: "signedTx is required" }
  });
}

// In production, broadcast to Solana network
// For now, return a stub response
const txSig = `stub-tx-sig-${Date.now()}`;

await logDebug({
  namespace,
  message: "Transaction broadcasted (stub)",
  context: { txSig }
});

return res.json({
  success: true,
  txSig,
  message: "Transaction broadcasted successfully"
});

} catch (error) {
await logError({
namespace,
message: "Failed to broadcast transaction",
errorCode: "BROADCAST_ERROR",
rawError: error
});

return res.status(500).json({
  success: false,
  error: { message: "Failed to broadcast transaction" }
});

}
};`

---

embedded.js(routes)
`const express = require("express");

const router = express.Router();

const embeddedController = require("../controllers/embedded");
const { authMiddleware } = require("../middlewares/auth");

// Auth all embedded endpoints for now; adjust RBAC later
router.use(authMiddleware);

// Onboard user -> create sub-org + wallet (stubbed)
router.post("/onboard", embeddedController.onboard);

// Passkey registration
router.post("/authenticator/start", embeddedController.startRegister);
router.post("/authenticator/finish", embeddedController.finishRegister);

// Signing flow (Solana)
router.post("/sign/solana/start", embeddedController.startSignSolana);
router.post("/sign/solana/finish", embeddedController.finishSignSolana);

// Optional broadcast (stub)
router.post("/tx/broadcast", embeddedController.broadcastTx);

module.exports = router;`

[khushzynk09]

[khushzynk09]

errors iam getting-
node scripts/test_onboard_api.js
Testing Onboard API...

1. Checking Turnkey configuration...
   Configured: true
   ✅ Turnkey is configured

2. Testing sub-organization creation...
   [turnkey/embedded] Stamper sanity OK { pubLen: 66, privLen: 64 }
   Turnkey createSubOrganization error: TurnkeyRequestError: Turnkey error 3: user missing valid credential: 681ff2ec-f30e-4507-9345-eafd355f8759 (Details: [])
   at TurnkeyClient.request (C:\Users\khush\OneDrive\Desktop\ZYNK_ANOM\anomaly\node_modules@turnkey\http\dist_generated_\services\coordinator\public\v1\public_api.client.js:2513:19)
   at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
   at async Object.createSubOrganization (C:\Users\khush\OneDrive\Desktop\ZYNK_ANOM\anomaly\services\turnkey\embedded.js:98:23)
   at async testOnboardAPI (C:\Users\khush\OneDrive\Desktop\ZYNK_ANOM\anomaly\scripts\test_onboard_api.js:48:40) {
   details: [],
   code: 3
   }
   ❌ Error: Failed to create sub-organization: Turnkey error 3: user missing valid credential: 681ff2ec-f30e-4507-9345-eafd355f8759 (Details: [])
   Error details: Error: Failed to create sub-organization: Turnkey error 3: user missing valid credential: 681ff2ec-f30e-4507-9345-eafd355f8759 (Details: [])
   at Object.createSubOrganization (C:\Users\khush\OneDrive\Desktop\ZYNK_ANOM\anomaly\services\turnkey\embedded.js:136:11)
   at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
   at async testOnboardAPI (C:\Users\khush\OneDrive\Desktop\ZYNK_ANOM\anomaly\scripts\test_onboard_api.js:48:40)

[khushzynk09]

node scripts/test_onboard_api.js
Testing Onboard API...

1. Checking Turnkey configuration...
   Configured: true
   ✅ Turnkey is configured
2. Testing sub-organization creation...
   [turnkey/embedded] Stamper sanity OK { pubLen: 66, privLen: 64 }
   Turnkey createSubOrganization error: TurnkeyRequestError: Turnkey error 16: could not verify api key signature organizationId=e336c77b-d34b-4bf2-87bd-0ffb2b9d84e2: invalid signature (Details: [{"@type":"type.googleapis.com/errors.v1.TurnkeyErrorDetail","turnkeyErrorCode":"SIGNATURE_INVALID"}])
   at TurnkeyClient.request (C:\Users\khush\OneDrive\Desktop\ZYNK_ANOM\anomaly\node_modules@turnkey\http\dist_generated_\services\coordinator\public\v1\public_api.client.js:2513:19)
   at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
   at async Object.createSubOrganization (C:\Users\khush\OneDrive\Desktop\ZYNK_ANOM\anomaly\services\turnkey\embedded.js:98:23)
   at async testOnboardAPI (C:\Users\khush\OneDrive\Desktop\ZYNK_ANOM\anomaly\scripts\test_onboard_api.js:48:40) {
   details: [
   {
   '@type': 'type.googleapis.com/errors.v1.TurnkeyErrorDetail',
   turnkeyErrorCode: 'SIGNATURE_INVALID'
   }
   ],
   code: 16
   }
   ❌ Error: Failed to create sub-organization: Turnkey error 16: could not verify api key signature organizationId=e336c77b-d34b-4bf2-87bd-0ffb2b9d84e2: invalid signature (Details: [{"@type":"type.googleapis.com/errors.v1.TurnkeyErrorDetail","turnkeyErrorCode":"SIGNATURE_INVALID"}])
   Error details: Error: Failed to create sub-organization: Turnkey error 16: could not verify api key signature organizationId=e336c77b-d34b-4bf2-87bd-0ffb2b9d84e2: invalid signature (Details: [{"@type":"type.googleapis.com/errors.v1.TurnkeyErrorDetail","turnkeyErrorCode":"SIGNATURE_INVALID"}])
   at Object.createSubOrganization (C:\Users\khush\OneDrive\Desktop\ZYNK_ANOM\anomaly\services\turnkey\embedded.js:136:11)
   at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
   at async testOnboardAPI (C:\Users\khush\OneDrive\Desktop\ZYNK_ANOM\anomaly\scripts\test_onboard_api.js:48:40)

[khushzynk09]

hi can u check github once again , i have posted there

…

On Mon, 1 Sept 2025 at 14:25, t-vila ***@***.***> wrote: *t-vila* left a comment (tkhq/sdk#882) <#882 (comment)> If you have no other restrictions try to use the latest packages, take a look at these examples: https://github.com/tkhq/sdk/blob/main/examples/kitchen-sink/src/http/createSubOrganization.ts https://github.com/tkhq/sdk/blob/main/examples/kitchen-sink/src/sdk-server/createSubOrganization.ts — Reply to this email directly, view it on GitHub <#882 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BTFNF5FAPGLUXMVB5I67INL3QQCXLAVCNFSM6AAAAACFJLM342VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTENBRGQ4DQNBSGM> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[khushzynk09]

on github #882 (comment) On Tue, 2 Sept 2025 at 15:53, Khushwant Nimore ***@***.***> wrote:

…

hi can u check github once again , i have posted there On Mon, 1 Sept 2025 at 14:25, t-vila ***@***.***> wrote: > *t-vila* left a comment (tkhq/sdk#882) > <#882 (comment)> > > If you have no other restrictions try to use the latest packages, take a > look at these examples: > > > https://github.com/tkhq/sdk/blob/main/examples/kitchen-sink/src/http/createSubOrganization.ts > > https://github.com/tkhq/sdk/blob/main/examples/kitchen-sink/src/sdk-server/createSubOrganization.ts > > — > Reply to this email directly, view it on GitHub > <#882 (comment)>, or > unsubscribe > <https://github.com/notifications/unsubscribe-auth/BTFNF5FAPGLUXMVB5I67INL3QQCXLAVCNFSM6AAAAACFJLM342VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTENBRGQ4DQNBSGM> > . > You are receiving this because you authored the thread.Message ID: > ***@***.***> >

[t-vila]

Error: Failed to create sub-organization: Turnkey error 3: user missing valid credential: 681ff2ec-f30e-4507-9345-eafd355f8759

You're trying to create a suborg with just a username, it needs to have a valid auth method, for instance email or api key, see https://docs.turnkey.com/api-reference/activities/create-sub-organization

[BuckyMaler]

I created my API key pair via the CLI and am getting the same error.

Edit: Please disregard. My mistake — env vars weren't loaded. 🤦

Code:

import { Turnkey } from "@turnkey/sdk-server";

const turnkey = new Turnkey({
  defaultOrganizationId: process.env.ORGANIZATION_ID!,
  apiBaseUrl: process.env.BASE_URL!,
  apiPrivateKey: process.env.API_PRIVATE_KEY!,
  apiPublicKey: process.env.API_PUBLIC_KEY!,
});

const apiClient = turnkey.apiClient();

const response = await apiClient.createUsers({
  users: [
    {
      userName: "John Doe",
      apiKeys: [
        {
          apiKeyName: "non-root-user-key",
          publicKey:
            "02c502c19cb10f31a882ef1537e5a0efaf6de143fde414c714b2a1c5f26ef5679b",
          curveType: "API_KEY_CURVE_P256",
        },
      ],
      authenticators: [], // A list of Authenticator parameters. This field, if not needed, should be an empty array in your request body.
      oauthProviders: [], // A list of Oauth providers. This field, if not needed, should be an empty array in your request body.
      userTags: [], // A list of User Tag IDs. This field, if not needed, should be an empty array in your request body.
    },
  ],
});

console.log("Response:", response);

Output: