update readmes

Author: moeodeh3

Examples/swift-demo-wallet/README.md

@@ -1,39 +1,58 @@
-# Swift Demo Wallet 
+# Swift Demo Wallet
 
-The Swift Demo Wallet is a sample iOS/macOS application that demonstrates how to build a simple wallet experience using Turnkey infrastructure. It showcases session handling, wallet creation/import, and transaction signing in a native SwiftUI application.
+A minimal iOS/macOS application demonstrating how to build an embedded wallet experience using Turnkey infrastructure and Auth Proxy.
 
----
+## What this demo shows
 
-## Quick Start
+A high-level summary of the user experience and what you can see on screen:
 
-### 1. Clone the Repository
+- **Authentication**: Log in with passkeys, OTP (email/SMS), or OAuth (Google, Apple, Discord, X)
+- **Session Management**: Automatic session handling with secure key storage in Secure Enclave
+- **Wallet Operations**: Create, import, and export wallets with mnemonic phrases
+- **Message Signing**: Sign messages and raw payloads with wallet accounts
+- **User Management**: Update email/phone and view wallet details
 
-```
+## Getting started
+
+### 1/ Cloning the example
+
+Make sure you have Xcode 15+ installed.
+
+```bash
 git clone https://github.com/tkhq/swift-sdk
-cd Examples/swift-demo-wallet
+cd swift-sdk/Examples/swift-demo-wallet
 ```
 
-### 2. Open the Project
+### 2/ Setting up Turnkey
 
-Open the `Examples/swift-demo-wallet` folder and build the project in Xcode.
+1. Set up your Turnkey organization and account. You'll need your **parent organization ID**.
+2. Enable **Auth Proxy** from your Turnkey dashboard:
+   - Choose the user auth methods (Email OTP, SMS OTP, OAuth providers)
+   - Configure redirect URLs for OAuth (if using)
+   - Copy your **Auth Proxy Config ID** for the next step
+3. (Optional) For passkey authentication, set up your **RP ID** domain with associated domains
 
-### 3. Configure Constants
+### 3/ Configure Constants
 
-Edit `Helpers/Constants.swift` and fill in the required values:
+Edit `swift-demo-wallet/Helpers/Constants.swift` and add your values:
 
 ```swift
 enum Constants {
     enum App {
         static let appName = "Swift Demo Wallet App"
-        static let rpId = "<your_rp_id>"                     // e.g. passkeyapp.tkhqlabs.xyz
-        static let backendBaseUrl = "<your_backend_url>"     // e.g. http://localhost:3000
+        static let rpId = "<your_rp_id>"  // required for passkeys
     }
 
     enum Turnkey {
         static let organizationId = "<your_organization_id>"
-        static let sessionDuration = "900"                   // session duration in seconds
         static let apiUrl = "https://api.turnkey.com"
+        
+        // Auth Proxy Configuration
+        static let authProxyUrl = "https://auth.turnkey.com"
+        static let authProxyConfigId = "<your_auth_proxy_config_id>"
 
+        // Default accounts to create when using the "Create Wallet" button
+        // Customize this array to create wallets with different curves, paths, or address formats
         static let defaultEthereumAccounts: [Components.Schemas.WalletAccountParams] = [
             Components.Schemas.WalletAccountParams(
                 curve: .CURVE_SECP256K1,
@@ -51,65 +70,16 @@ enum Constants {
 }
 ```
 
----
-
-## Backend Setup
-
-### Why Do We Need a Backend?
-
-Turnkey requires authentication requests (sign-up/login) to be validated (stamped) using your root user API key-pair. Since this key-pair must remain private, it cannot be used directly in the frontend. Instead, authentication requests must be processed and stamped through a backend server before being forwarded to Turnkey.
-
-### 1. Configure Environment Variables
-
-Create a `.env` file inside the `example-server` folder:
-
-```
-PORT="3000"
-
-TURNKEY_API_URL="https://api.turnkey.com"
-TURNKEY_ORGANIZATION_ID="<your_turnkey_organization_id>"
-
-TURNKEY_API_PUBLIC_KEY="<your_turnkey_api_public_key>"
-TURNKEY_API_PRIVATE_KEY="<your_turnkey_api_private_key>"
-```
-
-### 2. Start the Server
+### 4/ Running the demo
 
-```
-cd example-server
-npm install
-npm run start
-```
-
----
-
-## Passkey Setup
-
-To enable passkey authentication, you must configure your domain and app settings correctly:
-
-### Associated Domains
-
-1. In your app's `Signing & Capabilities` tab, add the `Associated Domains` capability.
-2. Add your domain:
-
-```
-webcredentials:<your_rpid_domain>
-```
-
-3. Host an `apple-app-site-association` file at `https://<your_rpid_domain>/.well-known/apple-app-site-association`
-
-4. Ensure your `rpId` in Constants.swift matches the domain:
-
-```swift
-static let rpId = "<your_rpid_domain>"
-```
+Open `swift-demo-wallet.xcodeproj` in Xcode and run the app on your device or simulator.
 
 ---
 
 ## Requirements
 
-- iOS 17+ / macOS 13.0+
-- Swift 5.7+
+- iOS 17+ / macOS 14.0+
+- Swift 5.9+
 - Xcode 15+
 
 ---

Examples/swift-demo-wallet/swift-demo-wallet/Helpers/Constants.swift

@@ -5,18 +5,17 @@ import TurnkeyTypes
 enum Constants {
 
   enum App {
-    static let appName = "Swift Demo Wallet App"
-    static let rpId = "passkeyapp.tkhqlabs.xyz"
+    static let rpId = "<your_rp_id>"
     static let scheme = "swift-demo-wallet"
-    static let backendBaseUrl = "http://localhost:3000"
   }
 
   enum Turnkey {
-    static let organizationId = "cd473579-efee-4cb1-8a23-734bd1b4be31" // "7533b2e3-01f2-4573-98c3-2c8bee816cb6"
-    static let sessionDuration = "900"
-    static let apiUrl = "https://api.turnkey.com" // "http://localhost:8081"
-    static let authProxyUrl = "https://authproxy.turnkey.com" // http://localhost:8090"
-    static let authProxyConfigId = "544e423d-f5c9-4dfb-947e-8cf726e3922e" // 5889b4b6-ec95-42ca-8551-660e9d50ed09"
+    static let organizationId = "<your_organization_id>"
+    static let apiUrl = "https://api.turnkey.com" 
+
+    static let authProxyUrl = "https://authproxy.turnkey.com"
+    static let authProxyConfigId = "<your_auth_proxy_config_id>"
+    
     static let defaultEthereumAccounts: [v1WalletAccountParams] = [
       v1WalletAccountParams(
         addressFormat: v1AddressFormat.address_format_ethereum,
@@ -33,18 +32,18 @@ enum Constants {
   }
 
   enum Google {
-    static let clientId = "776352896366-07enngvt22l7cnq1ctf5a9ddcm1pv1sc.apps.googleusercontent.com"
+    static let clientId = "<your_google_client_id>"
   }
 
   enum Apple {
-    static let clientId = "withreactnativewalletkit" // Fill with your Apple Services ID (client ID)
+    static let clientId = "<your_apple_client_id>"
   }
 
   enum X {
-    static let clientId = "d1dFWkNfVk1kdG12SlUxZ3k3NG86MTpjaQ"
+    static let clientId = "<your_x_client_id>"
   }
 
   enum Discord {
-    static let clientId = "1422294103890067536"
+    static let clientId = "<your_discord_client_id>"
   }
 }

Sources/TurnkeyStamper/README.md

@@ -1,43 +1,173 @@
 # TurnkeyStamper
 
-This Swift package provides a unified interface for signing payloads using either API keys or WebAuthn passkeys. It abstracts over the differences between raw keypair signing and passkey-based assertion, and provides a simple method to produce verifiable cryptographic stamps.
+This Swift package provides a unified interface for signing payloads using API keys, on-device keys (Secure Enclave or Keychain), or WebAuthn passkeys. It abstracts over the differences between various signing methods and provides a simple `stamp()` method to produce verifiable cryptographic stamps.
 
-It is designed to work seamlessly with Turnkey’s backend APIs that expect either `X-Stamp` or `X-Stamp-WebAuthn` headers.
+It is designed to work seamlessly with Turnkey's backend APIs that expect either `X-Stamp` or `X-Stamp-WebAuthn` headers.
 
 ## Features
 
-* Supports both API key-based and WebAuthn passkey-based stamping.
-* Unified `stamp()` method returns the correct header name and value.
-* Uses P-256 ECDSA signatures (DER for API keys, WebAuthn-compliant for passkeys).
+* **API Key Signing**: Sign with raw P-256 keypairs
+* **On-Device Key Signing**: Sign with keys stored in Secure Enclave or Keychain
+  * Automatic backend selection (prefers Secure Enclave when available)
+  * Manual backend selection for specific requirements
+* **Passkey Signing**: WebAuthn-compliant passkey authentication
+* **Unified Interface**: Single `stamp()` method returns the correct header name and value
+* **Key Management**: Create, list, and delete on-device key pairs
 
 ---
 
-## Requirements
+## Usage
 
-* iOS 16.0+ / macOS 13.0+
-* Swift 5.7+
+### 1. API Key Signing
 
----
+Sign with a raw P-256 key pair (both public and private key provided):
 
-## Usage
+```swift
+import TurnkeyStamper
+
+let stamper = Stamper(apiPublicKey: "<public-key-hex>", apiPrivateKey: "<private-key-hex>")
+let (headerName, headerValue) = try await stamper.stamp(payload: jsonPayload)
+// headerName: "X-Stamp"
+```
 
-### API Key Signing
+### 2. On-Device Key Signing
+
+Sign with a key stored in Secure Enclave or Keychain (only public key needed):
 
 ```swift
 import TurnkeyStamper
 
-let stamper = Stamper(apiPublicKey: "<public-key>", apiPrivateKey: "<private-key>")
+// Create a new on-device key pair
+let publicKey = try Stamper.createOnDeviceKeyPair()
+
+// Sign with automatic backend selection (prefers Secure Enclave)
+let stamper = try Stamper(apiPublicKey: publicKey)
+let (headerName, headerValue) = try await stamper.stamp(payload: jsonPayload)
+// headerName: "X-Stamp"
 ```
 
-### Passkey Signing
+#### Manual Backend Selection
+
+You can explicitly choose which backend to use:
+
+```swift
+// Force Secure Enclave
+let stamper = try Stamper(apiPublicKey: publicKey, onDevicePreference: .secureEnclave)
+
+// Force Secure Storage (Keychain)
+let stamper = try Stamper(apiPublicKey: publicKey, onDevicePreference: .secureStorage)
+
+// Auto (default) - prefers Secure Enclave when available
+let stamper = try Stamper(apiPublicKey: publicKey, onDevicePreference: .auto)
+```
+
+#### Key Management
+
+```swift
+// Create a new key pair
+let publicKey = try Stamper.createOnDeviceKeyPair(preference: .auto)
+
+// List existing key pairs
+let keys = try Stamper.listOnDeviceKeyPairs(preference: .auto)
+
+// Delete a key pair
+try Stamper.deleteOnDeviceKeyPair(publicKeyHex: publicKey, preference: .auto)
+```
+
+#### Advanced: Secure Enclave with Biometric Protection
+
+For Secure Enclave, you can set an authentication policy at key creation time. The policy is embedded in the key and enforced by the hardware:
 
 ```swift
 import TurnkeyStamper
 
-let stamper = Stamper(rpId: "your.site.com", presentationAnchor: anchor)
+// Create config with biometric requirement
+let config = SecureEnclaveStamper.SecureEnclaveConfig(authPolicy: .biometryAny)
+
+// Create key with biometric protection
+let publicKey = try SecureEnclaveStamper.createKeyPair(config: config)
+
+// All subsequent operations work normally - the biometric prompt happens automatically
+let stamp = try SecureEnclaveStamper.stamp(payload: jsonPayload, publicKeyHex: publicKey)
+// User is prompted for biometric authentication when signing
 ```
 
-The resulting header can be attached to any HTTP request for authenticated interaction with Turnkey services.
+**Note**: Unlike Secure Storage, Secure Enclave config is only used at key creation. Subsequent operations (list, stamp, delete) don't need the config because the auth policy is permanently embedded in the key by the hardware.
+
+#### Advanced: Secure Storage with Custom Configuration
+
+For Secure Storage (Keychain), you can customize storage attributes like access groups, iCloud sync, or biometric protection:
+
+```swift
+import TurnkeyStamper
+
+// Create custom configuration
+let config = SecureStorageStamper.SecureStorageConfig(
+    accessibility: .afterFirstUnlockThisDeviceOnly,
+    accessControlPolicy: .biometryAny,  // Require biometric authentication
+    authPrompt: "Authenticate to sign",
+    biometryReuseWindowSeconds: 30,
+    synchronizable: false,  // Don't sync to iCloud
+    accessGroup: "com.example.shared"  // Share keys between apps
+)
+
+// Create key with custom config
+let publicKey = try SecureStorageStamper.createKeyPair(config: config)
+
+// IMPORTANT: All subsequent operations MUST use the same config
+let keys = try SecureStorageStamper.listKeyPairs(config: config)
+let stamp = try SecureStorageStamper.stamp(payload: jsonPayload, publicKeyHex: publicKey, config: config)
+try SecureStorageStamper.deleteKeyPair(publicKeyHex: publicKey, config: config)
+```
+
+**Note**: Keychain queries must match how items were stored. If you create a key with custom config attributes (especially `accessGroup`, `synchronizable`, or `accessControlPolicy`), you must pass that same config to all subsequent operations (`listKeyPairs`, `stamp`, `deleteKeyPair`). If you use default settings, the no-config methods work fine.
+
+### 3. Passkey Signing
+
+Sign with WebAuthn passkeys:
+
+```swift
+import TurnkeyStamper
+
+let stamper = Stamper(rpId: "your.site.com", presentationAnchor: window)
+let (headerName, headerValue) = try await stamper.stamp(payload: jsonPayload)
+// headerName: "X-Stamp-WebAuthn"
+```
+
+---
+
+## Architecture
+
+### Secure Enclave Stamper
+
+The **Secure Enclave** is Apple's dedicated secure coprocessor:
+
+* Private keys are generated and stored inside the Secure Enclave
+* Keys never leave the secure enclave - signing happens inside
+* Available on iPhone 5s and later, iPad Air and later, Macs with Apple Silicon or T2 chip
+* Metadata stored in iCloud Keychain for persistence
+
+### Secure Storage Stamper
+
+The **Secure Storage** stamper uses the device's Keychain:
+
+* Private keys stored in local Keychain
+* Available after first device unlock (no biometric protection by default)
+* Used as fallback when Secure Enclave is unavailable
+* Works on all Apple devices
+
+### Automatic Selection
+
+When using `.auto` preference (default), the stamper:
+1. Checks if Secure Enclave is available
+2. Uses Secure Enclave if supported, otherwise falls back to Secure Storage
+
+---
+
+## Requirements
+
+* iOS 17.0+ / macOS 14.0+
+* Swift 5.9+
 
 ---
 

Sources/TurnkeySwift/README.md

@@ -248,7 +248,15 @@ Each session schedules a timer to automatically clear itself 5 seconds before JW
 
 ## Demo App
 
-A sample SwiftUI demo app is included in the repository to showcase usage.
+A complete SwiftUI demo wallet app is included in the repository at [`Examples/swift-demo-wallet`](../../Examples/swift-demo-wallet). It showcases:
+
+* Passkey and OTP authentication
+* Session management
+* Wallet creation and import
+* Transaction signing
+* User profile management
+
+See the [demo app README](../../Examples/swift-demo-wallet/README.md) for setup instructions.
 
 ---