Skip to main content
Check out working demo: Live Demo
Repo: openfort-machines-cards-example
Deploy with Vercel
This guide is for partners already using Openfort embedded wallets. Scope:
  • Partner API integration (/partner/v1) only.
  • Openfort for auth + embedded wallet UX.
  • Your backend holds partner credentials and calls Machines.
  • Simple EVM-first flow for create card, deposits, and withdrawals.

Architecture

  • Frontend uses Openfort for sign-in and embedded wallet creation.
  • Frontend calls your backend only.
  • Your backend calls Machines Partner API.
  • Your backend executes withdrawal transactions with the signer path you control.

Prerequisites

  • Openfort project with:
    • publishable key for frontend
    • secret key for backend routes that call Openfort server APIs
    • embedded wallet (Shield) key configured
    • policy id configured for sponsored transactions
  • Machines partner API key
  • A backend service that can securely store:
    • X-Partner-Key
    • Openfort server credentials

Openfort Embedded Wallet Checklist

Before sending traffic:
  1. Wallet creation
    • New users get an embedded EVM wallet at login.
    • You can read the wallet address after auth.
  2. Stable mapping
    • You persist partner userId + Openfort user id + wallet address.
    • You always send the same mapped user identity to Machines.
  3. Session bootstrap server-side
    • POST /partner/v1/users/resolve and POST /partner/v1/sessions happen on your backend.
    • X-Partner-Key is never exposed to browser code.
  4. Browser request path
    • Browser calls your backend routes, not Machines directly.
    • This avoids CORS failures and secret leakage.
  5. Gas sponsorship
    • Openfort policy id is configured and attached for EVM sends.
    • Use sponsored send options for wallet execution paths where required.
Per user:
  • machinesUserId
  • openfortUserId
  • embeddedWalletAddress
  • linkedAt / lastUsedAt
Per session:
  • sessionId
  • scopes
  • expiresAt
Per withdrawal execution:
  • idempotency key
  • execution path (controller_v1 or coordinator_v2)
  • submitted tx hash
  • confirmed tx hash

End-to-End Partner Flow

1) Set up Openfort providers (frontend)

2) Resolve user + create partner session (backend)

3) Call Machines through your backend proxy

Use the partner session token from step 2. At minimum, support these routes:
  • GET /partner/v1/kyc/values
  • POST /partner/v1/kyc/applications
  • GET /partner/v1/kyc/status
  • GET /partner/v1/agreements
  • POST /partner/v1/agreements
  • GET /partner/v1/cards
  • POST /partner/v1/cards
  • GET /partner/v1/deposits/assets
  • POST /partner/v1/deposits/range
  • POST /partner/v1/deposits/estimate
  • POST /partner/v1/deposits
  • GET /partner/v1/transactions

4) Create withdrawals

Call sequence:
  1. GET /partner/v1/withdrawals/assets
  2. POST /partner/v1/withdrawals/range
  3. POST /partner/v1/withdrawals/estimate
  4. POST /partner/v1/withdrawals
Create request example:

5) Execute withdrawal transaction

Use response fields:
  • execution.callTarget
  • execution.callPath
  • parameters
Rules:
  • send tx to execution.callTarget
  • sender must match adminAddress used in create request
  • if status is pending, retry create with the same idempotency key

Execution Model and Contract Call Paths

Machines withdrawal create response includes:
  • execution.callTarget
  • execution.callPath (controller_v1 or coordinator_v2)
  • parameters (7-arg withdrawal payload)
Send to execution.callTarget using the signer you control.
  • controller_v1:
    • call withdrawAsset(address,address,uint256,address,uint256,bytes32,bytes)
  • coordinator_v2:
    • build admin typed-data signature
    • call 10-arg withdrawAsset(...) with admin signature arrays

Environment Variables

Frontend:
  • NEXT_PUBLIC_OPENFORT_PUBLISHABLE_KEY
  • NEXT_PUBLIC_OPENFORT_SHIELD_PUBLISHABLE_KEY
  • NEXT_PUBLIC_OPENFORT_POLICY_ID
  • NEXT_PUBLIC_OPENFORT_DEFAULT_CHAIN
Backend:
  • MACHINES_PARTNER_BASE_URL
  • MACHINES_PARTNER_API_KEY
  • MACHINES_PARTNER_DEFAULT_SCOPES
  • MACHINES_PARTNER_EXTERNAL_USER_PREFIX
  • Openfort server credentials for your execution routes

API Routes Used

User/session:
  • POST /partner/v1/users/resolve
  • POST /partner/v1/sessions
KYC:
  • GET /partner/v1/kyc/values
  • POST /partner/v1/kyc/applications
  • GET /partner/v1/kyc/status
Agreements:
  • GET /partner/v1/agreements
  • POST /partner/v1/agreements
Cards:
  • GET /partner/v1/cards
  • POST /partner/v1/cards
  • POST /partner/v1/cards/secrets/session
  • POST /partner/v1/cards/{cardId}/secrets
Deposits:
  • GET /partner/v1/deposits/assets
  • POST /partner/v1/deposits/range
  • POST /partner/v1/deposits/estimate
  • POST /partner/v1/deposits
Withdrawals:
  • GET /partner/v1/withdrawals/assets
  • POST /partner/v1/withdrawals/range
  • POST /partner/v1/withdrawals/estimate
  • POST /partner/v1/withdrawals
Transactions:
  • GET /partner/v1/transactions
  • GET /partner/v1/transactions/{transactionId}

Notes

  • Keep all partner calls server-side.
  • Keep idempotency keys stable on retries.
  • Keep one wallet mapping per user to avoid identity drift.