Split KMS

This feature requires an enterprise agreement.


Magic offers non-custodial Wallet-as-a-Service, allowing web or mobile application developers to seamlessly integrate web3 wallets into their apps with a familiar web2 user experience. The cornerstone of Magic’s offering is its patented Delegated Key Management System (DKMS).

With Split KMS, we can offer our customers increased flexibility and tailored solutions. Recognizing diverse preferences, especially across regions, we are expanding our key management system with options designed to meet specific customer needs. This offering builds on Magic’s DKMS to further decentralize wallet management by splitting private keys into multiple shares using the tested and proven Shamir's Secret Sharing algorithm.

# How it Works

Upon first user login, a wallet is generated in a secure environment (an iframe in the browser), where its private key is then split into separate shares. One key share is encrypted and stored via Magic's patented DKMS technology; the other is stored on the user's device. If the user wishes to access their wallet on a new device, a device hydration share is encrypted by a customer-hosted encryption service and then securely stored with Magic. Magic provides open-source Infrastructure-as-Code that customers can run in their own cloud vendor accounts to encrypt and decrypt the device hydration share at scale upon successful user authentication.

Split KMS retains the same degree of security as the patented DKMS. Neither Magic nor its customers can decrypt and access the key shares without the user authenticating. Furthermore, the keys are only ever decrypted and/or constructed in a secure, client-side environment, accessible only to the user.
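The share model described above can be illustrated with a small Shamir's Secret Sharing implementation. This is an added example, not Magic's code: the 2-of-3 threshold, the field modulus, the holder labels, and the idea that the hydration share stands in for the device share on a new device are assumptions made for illustration.

```python
import secrets

# Field modulus (assumption): the Mersenne prime 2**521 - 1, larger than a 256-bit key.
P = 2**521 - 1

def split(secret: int, threshold: int, holders: list[str]) -> dict[str, tuple[int, int]]:
    """Split `secret` so that any `threshold` holders can rebuild it."""
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    if not 2 <= threshold <= len(holders):
        raise ValueError("need 2 <= threshold <= number of holders")
    # Random polynomial of degree threshold-1 with f(0) = secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    def f(x: int) -> int:
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            y = (y * x + c) % P
        return y
    # Holder i receives the point (i, f(i)); x = 0 is never handed out.
    return {name: (x, f(x)) for x, name in enumerate(holders, start=1)}

def reconstruct(shares: list[tuple[int, int]]) -> int:
    """Lagrange-interpolate f(0) from the given points."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("shares must have distinct, non-zero x values")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

# Constructed sample: a random 256-bit value standing in for a wallet private key.
wallet_key = secrets.randbits(256)
# Assumption: 2-of-3 across the three shares the page names (labels are hypothetical).
shares = split(wallet_key, 2, ["magic_dkms", "device", "device_hydration"])

def login_existing_device() -> int:
    return reconstruct([shares["magic_dkms"], shares["device"]])

def login_new_device() -> int:
    return reconstruct([shares["magic_dkms"], shares["device_hydration"]])

if __name__ == "__main__":
    assert login_existing_device() == login_new_device() == wallet_key
    print("both share pairs rebuild the key")
```

With a threshold of 2, a single share is one point on a random line and is consistent with every possible key, which is why each stored share can sit with a different party.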


  1. Opt in to Split KMS when opening your developer account with Magic. Note that this feature is currently in invite-only mode; therefore, please contact sales to enable this functionality.
  2. Customers using Magic’s Split KMS need to encrypt device hydration private key shares. Magic provides an open-source repository that you can use as is or modify if necessary, and then deploy to your AWS account. The encryption API tech stack is optimized for AWS Serverless Architecture, ensuring easy scalability.
  3. Register the API endpoints with Magic to receive callbacks for encryption and decryption at runtime when users create a wallet and perform signing transactions.