Core Concept

Wallet Derivation

Buff derives a deterministic wallet from the user's signature via the server API. The same signature yields the same wallet every time, with no client-side key management.

How It Works

  • User signs an auth message provided by buff.getAuthMessage()
  • The signature is sent to the Buff API via buff.deriveWallet(signature)
  • The server deterministically derives a Solana wallet from the signature
  • Same main wallet + same signature = same Buff wallet, every time
  • No private keys are handled client-side — derivation is fully server-side

derivation.ts

```typescript
import { Buff } from "buff-protocol-sdk"

const buff = new Buff({ apiKey: "your-api-key" })

// `wallet` is the user's connected Solana wallet, supplied by the application

// 1. Get the auth message from the server
const authMsg = await buff.getAuthMessage()

// 2. User signs the message with their wallet
const signature = await wallet.signMessage(authMsg)

// 3. Derive the Buff wallet via the API (server-side)
const buffWalletAddress = await buff.deriveWallet(signature)
// Same signature = same wallet, always

// 4. Optionally set wallet auth for subsequent requests
buff.setWalletAuth(wallet.publicKey.toBase58(), signature)
```
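
A sketch of what deterministic, versioned server-side derivation could look like, as an added example that is not Buff's code. The page does not document the server's algorithm, so the HKDF construction, the message strings and the function names are assumptions; a throwaway Ed25519 key stands in for the user's main wallet.

```typescript
import { createPrivateKey, createPublicKey, generateKeyPairSync, hkdfSync,
         sign, verify, KeyObject } from "node:crypto";

// Hypothetical versioned auth messages; the real text comes from buff.getAuthMessage().
const AUTH_MESSAGE_V1 = Buffer.from("example-derivation-message:v1");
const AUTH_MESSAGE_V2 = Buffer.from("example-derivation-message:v2");
// PKCS#8 DER header that wraps a raw 32-byte Ed25519 seed (RFC 8410).
const PKCS8_ED25519_PREFIX = Buffer.from("302e020100300506032b657004220420", "hex");

// Assumed server-side step: verify first, then stretch the signature into a seed.
function deriveWalletPublicKey(mainWallet: KeyObject, message: Buffer, signature: Buffer): string {
  // Refuse to derive from a signature that does not verify against the main wallet.
  if (!verify(null, message, mainWallet, signature)) {
    throw new Error("signature does not verify for this wallet and message");
  }
  // The versioned message is the HKDF info, so each version maps to its own seed.
  const seed = Buffer.from(hkdfSync("sha256", signature, Buffer.alloc(0), message, 32));
  const derived = createPrivateKey({
    key: Buffer.concat([PKCS8_ED25519_PREFIX, seed]), format: "der", type: "pkcs8",
  });
  // The last 32 bytes of the SPKI encoding are the raw Ed25519 public key.
  // Returned as hex here; a Solana address is the base58 encoding of these bytes.
  const spki = createPublicKey(derived).export({ format: "der", type: "spki" }) as Buffer;
  return spki.subarray(spki.length - 32).toString("hex");
}

// Constructed demo: a throwaway Ed25519 key stands in for the user's main wallet.
function demo(): { first: string; second: string; v2: string; mismatchRejected: boolean } {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  // Ed25519 signing is deterministic, so re-signing yields the same signature.
  const first = deriveWalletPublicKey(publicKey, AUTH_MESSAGE_V1, sign(null, AUTH_MESSAGE_V1, privateKey));
  const second = deriveWalletPublicKey(publicKey, AUTH_MESSAGE_V1, sign(null, AUTH_MESSAGE_V1, privateKey));
  const v2 = deriveWalletPublicKey(publicKey, AUTH_MESSAGE_V2, sign(null, AUTH_MESSAGE_V2, privateKey));
  let mismatchRejected = false;
  try {
    // A v1 signature presented for the v2 message must not derive anything.
    deriveWalletPublicKey(publicKey, AUTH_MESSAGE_V2, sign(null, AUTH_MESSAGE_V1, privateKey));
  } catch { mismatchRejected = true; }
  return { first, second, v2, mismatchRejected };
}

console.log(demo());
```

In this sketch the signature is the only secret input to the derived key, so it has to be handled like key material in transit and in logs.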

Agent Authentication

For backend agents and automated systems, use API key authentication instead of wallet signatures. Register your agent with the Buff API.

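agent.ts

```typescript
import { Buff } from "buff-protocol-sdk"

// Agents use API key auth — no wallet signing needed
const buff = new Buff({ apiKey: "agent-api-key" })

// Register an agent with the API
// (`agentPubkey` is the agent's public key, supplied by the application)
await buff.registerAgent(agentPubkey, "my-agent-id")

// All subsequent calls are authenticated via the API key
// (`buffWalletAddress` is the address returned by buff.deriveWallet)
const portfolio = await buff.getPortfolio(buffWalletAddress)
```
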
Note
Wallet derivation happens entirely server-side. The client never handles private keys — it only sends the user's signature to the API. The server derives the same deterministic wallet every time.

Security

  • No private keys handled client-side — all derivation is server-side
  • Auth via API key or wallet signature headers
  • The derivation message is versioned to prevent collisions
  • Treasury address never exposed to the client
  • All fee calculations happen server-side