Skip to main content
1

Get your API key and DID

If you haven’t already, get your DID, download your API key, and request test tokens from the claim page.
2

Install Rust + WASM toolchain

TEE contracts are compiled to WebAssembly (WASM) binaries. We suggest using the Rust toolchain to build them:
rustup target add wasm32-wasip2          # WASI Preview 2 build target
cargo install wasm-tools                 # optional — inspect/verify the component
3

Install the SDK

npm install @terminal3/t3n-sdk
Node >=18 is required
4

Set up the SDK

Set up a T3nClient from @terminal3/t3n-sdk — it handles the encrypted session, SIWE auth, and the low-level execute transport. You build it once here and reuse it through the rest of the walkthrough.
import {
  T3nClient,
  TenantClient,
  setEnvironment,
  loadWasmComponent,
  eth_get_address,
  metamask_sign,
  createEthAuthInput,
  getNodeUrl,
} from "@terminal3/t3n-sdk";

setEnvironment("testnet");   // "testnet" | "production" — the SDK resolves the node URL for every client

const T3N_API_KEY = process.env.T3N_API_KEY!;   // your developer key from the claim page

const wasmComponent = await loadWasmComponent();   // all crypto runs inside the WASM component
const address = eth_get_address(T3N_API_KEY);

const t3n = new T3nClient({
  wasmComponent,   // no baseUrl — resolved from the active environment
  // EthSign is the only handler you provide — it signs the login challenge with
  // your key. The client adds the MlKemPublicKey and Random handlers itself.
  handlers: {
    EthSign: metamask_sign(address, undefined, T3N_API_KEY),
  },
});
5

Authenticate to T3N testnet

This step is different from agent authentication. Here you authenticate to manage your own deployment, so the DID you authenticate as must equal the DID that was admitted as a tenant in idx:_tenants. The golden rule: read your tenant DID back from the authenticated session — never hard-code or derive it.
Your tenant DID is an opaque, random did:t3n:<40 hex>, minted when you first signed in (Step 1). It is not derived from your wallet or any key material — your sign-in credential (and any key you later link) is just an authenticator on that DID. Authenticate, then read your DID straight off the session:
await t3n.handshake();
const did = await t3n.authenticate(createEthAuthInput(address));
const tenantDid = did.value; // did:t3n:<your-random-hex> — your onboarding DID
Build the TenantClient around that DID — never construct it yourself:
const tenant = new TenantClient({
  t3n,
  baseUrl: getNodeUrl(),   // the active node from setEnvironment(); Call `setEnvironment("testnet")` (or `"production"`) — the SDK resolves the cluster URL for every client, so you never hardcode a node URL.
  tenantDid,
});