LogoLogo
SupportGithubSign InGet Access
  • Introduction
  • GETTING STARTED
    • SDK Quick Start
    • API Quick Start
  • Guides
    • Web
      • Create a wallet
      • Send tokens
      • Sign a transaction
      • Simulate a transaction
      • Back up a wallet
      • Recover a wallet
      • Cross-device sessions
      • Manage wallet lifecycle states
      • Web authentication methods
      • Perform swaps
      • Add custom signature hooks
      • MPC progress callbacks
      • Portal API methods
      • Configure a custom subdomain
      • Eject a wallet
      • Using the EIP-1193 Provider
      • Legacy documentation
        • Back up a wallet
          • Backup Options
        • Recover a wallet
    • iOS
      • Create a wallet
      • Send tokens
      • Sign a transaction
      • Simulate a transaction
      • Back up a wallet
      • Recover a wallet
      • Cross-device sessions
      • Manage wallet lifecycle states
      • Connect with WalletConnect
      • Build a WebView
      • Perform swaps
      • Add custom signature hooks
      • MPC progress callbacks
      • Portal API methods
      • Manage ERC20 tokens
      • Eject a wallet
      • Legacy documentation
        • Back up a wallet
          • Backup Options
          • Passkey + Enclave Storage
        • Recover a wallet
      • Troubleshooting Tips
      • Feature Flags
    • Android
      • Create a wallet
      • Send tokens
      • Sign a transaction
      • Simulate a transaction
      • Back up a wallet
      • Recover a wallet
      • Cross-device sessions
      • Manage wallet lifecycle states
      • Connect with WalletConnect
      • Build a WebView
      • Perform swaps
      • Add custom signature hooks
      • MPC progress callbacks
      • Portal API methods
      • Eject a wallet
      • Legacy documentation
        • Back up a wallet
          • Backup Options
        • Recover a wallet
    • React Native
      • Create a wallet
      • Send tokens
      • Sign a transaction
      • Simulate a transaction
      • Back up a wallet
      • Recover a wallet
      • Cross-device sessions
      • Manage wallet lifecycle states
      • Connect with WalletConnect
      • Build a WebView
      • Perform swaps
      • Add custom signature hooks
      • MPC progress callbacks
      • Portal API methods
      • Eject a wallet
      • Legacy documentation
        • Back up a wallet
          • Backup Options
        • Recover a wallet
    • Enclave MPC API
      • Create a client
      • Create a wallet
      • Send tokens
      • Sign Ethereum transactions
      • Sign Solana transactions
      • Sign Tron transactions
      • Sign Stellar Transaction
      • Concurrent Transactions
      • Back up a wallet
      • Eject a wallet
  • Reference
    • iOS
      • createWallet
      • backupWallet
      • recoverWallet
      • ejectPrivateKeys
      • registerBackupMethod
      • setGDriveConfiguration
      • setPasskeyConfiguration
      • setPasskeyAuthenticationAnchor
      • setPassword
      • availableRecoveryMethods
      • doesWalletExist
      • isWalletBackedUp
      • isWalletOnDevice
      • isWalletRecoverable
      • getBalances
      • getAssets
      • getNftAssets
      • getTransactions
      • sendSol
      • evaluateTransaction
      • buildEip155Transaction
      • buildSolanaTransaction
      • getWalletCapabilities
    • Android
      • Reference Documentation
    • React Native
      • @portal-hq/core
      • Storage adapters
        • Cloud storage
          • @portal-hq/gdrive-storage
          • @portal-hq/icloud-storage
        • Mobile storage
          • @portal-hq/keychain
          • @portal-hq/mobile-key-values
    • Enclave MPC API
      • V1 endpoints
    • Client API
      • V3 endpoints
      • V1 endpoints
    • Custodian API
      • V3 endpoints
      • V1 endpoints
    • Swaps API
      • V3 endpoints
      • V1 endpoints
  • Resources
    • Flutter
      • iOS
      • Android
    • Error codes
      • Overview
      • MPC errors
      • Network errors
      • General errors
      • Encryption errors
      • Portal Connect errors
    • Portal's MPC architecture
    • Authentication and API Keys
    • Self-Managed Backups
    • Alert Webhooks
    • Wallet lifecycle
    • Backup options
      • Password/PIN
      • GDrive
      • iCloud
      • Passkey + Enclave
    • WalletConnect metadata
    • Advanced security scanning
    • Account abstraction
    • Security firewall
    • Eject
    • Security
    • Blockchain support
    • Chain ID formatting
    • Testnet faucets
    • Going to Production
    • Rate Limits
    • Multi-backup migration guide
    • Multi-wallet migration guides
      • Migrating from Android SDK v3.x.x to v4.x.x
      • Migrating from iOS SDK v3.0.x to v3.2.x
  • Support
    • Changelog
      • Android
      • iOS
      • React Native
      • Web
      • Past Releases
        • 2024 Releases
        • 2023 Releases
    • Celo Hackathon Hub
    • Glossary
Powered by GitBook
On this page
  • Ejecting Methods
  • Portal-managed backups
  • Self-Managed Backup (from your server)
  • Cryptographic Curves
  • Best Practices

Was this helpful?

  1. Guides
  2. iOS

Eject a wallet

The eject feature allows a user to construct private keys that can be imported into another wallet manager, such as MetaMask.

Warning: Providing the custodian backup share to the client device puts both MPC shares on a single device, removing the multi-party security benefits of MPC. This operation should only be done for users who want to move off of MPC and into a single private key. Use portal.eject() at your own risk!

Ejecting Methods

You can eject wallets using either Portal-Managed Backups or Self-Managed Backups depending on your implementation.

Portal-managed backups

To eject the private keys for your users' wallets, their two matching backup shares need to be combined. Since both of these shares are stored on the Portal backend encrypted at rest, we first need to verify that the upcoming request to eject the wallet is not an attack. In order to do this, we make this a two-step process:

Implementation Requirements

  1. Make a Custodian-authed POST request using your Custodian API Key (the same API key you use to create new users) to the /api/v3/custodians/me/clients/\(clientId)/prepare-eject endpoint to allow for this client to perform an eject operation

  2. Call the portal.eject() or portal.ejectPrivateKeys() function from your client application with the appropriate backup method

Step 1: Prepare the Eject Operation

Make a custodian-authenticated POST request using your Custodian API Key to authorize the ejection:

guard let prepareEjectUrl = URL(string: "https://api.portalhq.io/api/v3/custodians/me/clients/\(clientId)/prepare-eject") else {
  throw URLError(.badURL)
}

// Prepare ETH wallet
let prepareEjectData = try await requests.post(
  prepareEjectUrl,
  withBearerToken: nil,
  andPayload: ["walletId": EthWalletId]
)

guard let prepareEthEjectResponse = String(data: prepareEjectData, encoding: .utf8) else {
  throw PortalExampleAppError.couldNotParseCustodianResponse("Unable to read prepare eject response.")
}

print("ETH Wallet ejectable until \(prepareEthEjectResponse)")

// Prepare Solana wallet
let prepareEjectData = try await requests.post(
  prepareEjectUrl,
  withBearerToken: nil,
  andPayload: ["walletId": SolanaWalletId]
)

guard let prepareEjectResponseEd25519 = String(data: prepareEjectData, encoding: .utf8) else {
  throw PortalExampleAppError.couldNotParseCustodianResponse("Unable to read prepare eject response.")
}

print("Solana Wallet ejectable until \(prepareEjectResponseEd25519)")
guard let prepareEjectUrl = URL(string: "https://api.portalhq.io/api/v3/custodians/me/clients/\(clientId)/prepare-eject") else {
  throw URLError(.badURL)
}

let prepareEjectData = try await requests.post(
  prepareEjectUrl,
  withBearerToken: nil,
  andPayload: ["walletId": walletId]
)

guard let prepareEjectResponse = String(data: prepareEjectData, encoding: .utf8) else {
  throw PortalExampleAppError.couldNotParseCustodianResponse("Unable to read prepare eject response.")
}

print("ETH Wallet ejectable until \(prepareEjectResponse)")

Note: The walletId can be found in the wallets property of the /api/custodians/me/clients/\(clientId) GET request.

If you are planning on ejecting multiple wallets for a user, you'll need to make multiple separate requests to "unlock" all requires wallets.

Step 2: Eject the Wallet

After preparation, call the eject() or ejectPrivateKeys() method with the appropriate backup method that was originally used to secure the wallet:

// For Password backup method
let privateKey = try await portal.ejectPrivateKeys(.Password)

// For Passkey backup method
let privateKey = try await portal.ejectPrivateKeys(.Passkey)

// For iCloud backup method
let privateKey = try await portal.ejectPrivateKeys(.iCloud)

// For Google Drive backup method
let privateKey = try await portal.ejectPrivateKeys(.GoogleDrive)
// For Password backup method
let privateKey = try await portal.eject(.Password)

// For Passkey backup method
let privateKey = try await portal.eject(.Passkey)

// For iCloud backup method
let privateKey = try await portal.eject(.iCloud)

// For Google Drive backup method
let privateKey = try await portal.eject(.GoogleDrive)

Those functions will:

  • Retrieve and combine shares from Portal's server

  • Perform the cryptographic operations to construct the private key/s

  • Return the private key/s as a string that can be imported into other wallet managers

Self-Managed Backup (from your server)

When using Self-Managed Backups, you store the backup shares in your own infrastructure. To eject a wallet, you'll need to provide both backup shares to the portal.eject() or portal.ejectPrivateKeys() function.

  • User Backup Share - Encrypted backup share received from portal.backup().

  • Custodian Backup Share - Raw backup share received from the POST /backup webhook.

Implementation Requirements

  1. Retrieve the encrypted user backup share from your storage

  2. Retrieve the raw custodian backup share/s from your storage

  3. Call the eject function with both shares

Example Implementation:

// Fetch the encrypted user backup share from your API.
let encryptedUserBackupShare = try await yourAPI.fetchEncryptedUserBackupShare(
    userId,
    backupMethod: .Password
)

// Fetch the user's custodian backup share for Ethereum (SECP256k1)
let custodianBackupShare = try await yourAPI.fetchCustodianBackupShare(
    userId,
    backupMethod: .Password
)

// Fetch the user's custodian backup share for Solana (ED25519)
let custodianSolanaBackupShare = try await yourAPI.fetchCustodianSolanaBackupShare(
  userId,
  backupMethod: .Password
)

let privateKeys = try await portal.ejectPrivateKeys(
  .Password,
  withCipherText: cipherText,
  andOrganizationBackupShare: custodianBackupShare,
  andOrganizationSolanaBackupShare: custodianSolanaBackupShare
)

// ✅ ETH & Solana private keys are now available for export
print("ETH & Solana private keys: \(privateKeys)")
// Fetch the encrypted user backup share from your API.
let encryptedUserBackupShare = try await yourAPI.fetchEncryptedUserBackupShare(
    userId,
    backupMethod: .Password
)

// Fetch the user's custodian backup share from your API.
let custodianBackupShare = try await yourAPI.fetchCustodianBackupShare(
    userId,
    backupMethod: .Password
)
   
let privateKey = try await portal.eject(
  .Password,
  withCipherText: cipherText,
  andOrganizationBackupShare: custodianBackupShare
)

// ✅ The ETH private key is now available for export
print("ETH private key: \(privateKey)")

Cryptographic Curves

Portal supports multiple blockchain networks that use different cryptographic curves:

  • SECP256K1: Used by Ethereum and most EVM-compatible blockchains

  • ED25519: Used by Solana and several other blockchains

When ejecting wallets, make sure to provide the appropriate backup shares for each curve your application supports.

Best Practices

  • Implement clear user confirmations before initiating the eject process

  • Securely transmit and display private keys to users

  • Educate users about the security implications of moving from MPC to single key wallets

  • Consider implementing a cooling-off period before allowing wallet ejection

And that's it! Now your users can obtain a private key to import their wallet into another wallet manager.

Related Documentation

PreviousManage ERC20 tokensNextLegacy documentation

Last updated 1 month ago

Was this helpful?

You can learn more about signing algorithms and curves .

here
Backup options
ejectPrivateKeys function reference