
Security & key export

Your wallet is a Turnkey sub-organization. The bot is a delegate signer — it can submit Polymarket orders on your behalf, but it cannot move your funds elsewhere or recover your seed. You can export at any time.

Trust model

Every Mirrored user gets their own Turnkey sub-organization with a single EOA. There are three principals on that sub-org:

  • You (the root user). You control the sub-org via Turnkey's passkey / email auth and can revoke any other principal.
  • The bot, as a delegate signer with a narrow policy: it can sign Polymarket CLOB orders against your address. It cannot transfer funds, change auth, or sign arbitrary messages.
  • Turnkey itself as the secure-enclave operator. Turnkey holds the key shares; nobody — not Turnkey, not us — can extract your private key without an authenticated request from you.

Mirrored is non-custodial. We can't freeze your funds, sign transactions on your behalf, or recover lost access. The flip side: if you lose your email and don't have your seed exported, recovery has to go through Turnkey's standard email-recovery flow.

What the bot can sign

  • Polymarket CLOB order placements (buy and sell on supported tokens).
  • Polymarket API key generation against your master wallet.

What the bot cannot sign

  • Token transfers out of your wallet.
  • ERC-20 approvals to anything other than the Polymarket exchange.
  • Arbitrary EIP-191 / EIP-712 messages.
  • Any contract call outside the Polymarket exchange address set.
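The two lists above describe an allow-list policy. The following is an added illustration, not Mirrored's or Turnkey's code: a local model of that policy, evaluated against a few constructed signing requests. The exchange addresses are placeholders, the ERC-20 selectors are the standard ones, and the EIP-712 primary-type names ("Order", "ClobAuth") are assumptions about what the Polymarket CLOB asks a wallet to sign.

```python
"""Local model of the delegate-signer policy described on this page.

Added illustration, not Mirrored's or Turnkey's code.  It shows the shape of an
allow-list policy that lets a delegate sign Polymarket CLOB orders (and the
approval the exchange needs) but nothing that moves funds elsewhere.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed placeholder addresses (assumption: the real exchange set is
# whatever Mirrored configures in Turnkey; these are not real contracts).
EXCHANGE_ADDRESSES = {
    "0x1111111111111111111111111111111111111111",  # placeholder: CTF exchange
    "0x2222222222222222222222222222222222222222",  # placeholder: neg-risk exchange
}

# Standard ERC-20 function selectors (first 4 bytes of keccak256 of the signature).
SEL_TRANSFER = "a9059cbb"       # transfer(address,uint256)
SEL_TRANSFER_FROM = "23b872dd"  # transferFrom(address,address,uint256)
SEL_APPROVE = "095ea7b3"        # approve(address,uint256)

# EIP-712 primary types the delegate may sign (assumption: the names the
# Polymarket CLOB uses for order placement and API-key creation).
ALLOWED_TYPED_DATA = {"Order", "ClobAuth"}


@dataclass
class SignRequest:
    kind: str                      # "tx", "typed_data" or "personal_sign"
    to: str = ""                   # tx target address
    data: str = ""                 # tx calldata as hex (0x prefix optional)
    primary_type: str = ""         # EIP-712 primaryType
    verifying_contract: str = ""   # EIP-712 domain.verifyingContract


def _norm(addr: str) -> str:
    return addr.lower()


def _approve_spender(data: str) -> str | None:
    """Return the spender of an ERC-20 approve() call, or None if not approve."""
    if not data.startswith(SEL_APPROVE) or len(data) < 8 + 64:
        return None
    # First ABI word is 32 bytes; the address is its low 20 bytes.
    return "0x" + data[8 + 24:8 + 64]


def evaluate(req: SignRequest) -> tuple[bool, str]:
    """Decide whether the delegate policy would allow signing this request."""
    if req.kind == "personal_sign":
        return False, "arbitrary EIP-191 messages are denied"

    if req.kind == "typed_data":
        if req.primary_type not in ALLOWED_TYPED_DATA:
            return False, f"typed data {req.primary_type!r} is not a CLOB order/auth message"
        if req.primary_type == "Order" and _norm(req.verifying_contract) not in EXCHANGE_ADDRESSES:
            return False, "order verifyingContract is not a Polymarket exchange"
        return True, f"{req.primary_type} for the Polymarket exchange"

    if req.kind == "tx":
        to = _norm(req.to)
        data = req.data.lower().removeprefix("0x")
        if data.startswith((SEL_TRANSFER, SEL_TRANSFER_FROM)):
            return False, "token transfers out of the wallet are denied"
        spender = _approve_spender(data)
        if spender is not None:
            if spender in EXCHANGE_ADDRESSES:
                return True, "ERC-20 approval to the Polymarket exchange"
            return False, "ERC-20 approval to a non-exchange spender is denied"
        if to in EXCHANGE_ADDRESSES:
            return True, "call to the Polymarket exchange"
        return False, "contract call outside the exchange address set is denied"

    return False, f"unknown request kind {req.kind!r}"


if __name__ == "__main__":
    usdc = "0xabcabcabcabcabcabcabcabcabcabcabcabcabca"  # constructed token address
    approve_exchange = SEL_APPROVE + "0" * 24 + "1" * 40 + "0" * 64
    print(evaluate(SignRequest("tx", to=usdc, data=approve_exchange)))
    print(evaluate(SignRequest("tx", to=usdc, data=SEL_TRANSFER + "0" * 128)))
    print(evaluate(SignRequest("personal_sign")))
```

The useful property to notice is that the decision is made on the decoded intent of the request (selector and spender, typed-data domain), not on who asked: a delegate with a valid API key still cannot get a transfer signed.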

Exporting your Turnkey recovery phrase

Mirrored uses Turnkey's wallet export to surface your 12-word recovery phrase directly into your browser. Two short OTP steps gate the flow — one in Telegram to receive the export link, one on the export page to actually reveal the phrase. Neither the bot nor mirrored.trade ever sees what Turnkey sends.

Step 1 — Verify your email in Telegram

Tap 💼 Wallet → 🔑 Export Private Key. If you haven't saved an email on your account yet, the bot asks for one — this is the address every future export OTP will go to.

[Screenshot: bot prompt asking for the email address to use for private-key exports. Caption: One-time email setup — only on your first export]

Step 2 — Enter the 6-character code in chat

Turnkey emails you a 6-character one-time code. Reply to the bot with the code (or /cancel to abort). You have 3 attempts. On success, the bot returns a one-time export link to mirrored.trade/export?token=… — valid for 15 minutes and usable exactly once.

[Screenshot: bot conversation showing the OTP request, the "email verified" confirmation, and the one-time export link. Caption: Bot OTP → verified → one-time export link (15-minute window)]

Step 3 — Open the export page and verify again

Tapping the link opens the export page on mirrored.trade. The page asks Turnkey to send a second 6-character verification code to the same email. Enter it on the page and Turnkey's iframe surfaces your recovery phrase directly into your browser — the page never sees it, and we never see it.

[Screenshot: Mirrored export page with Turnkey branding, showing the wallet address and a Send code button. Caption: Export page — sends a second OTP to your email before revealing the phrase]

Two OTPs aren't there to slow you down — the first proves you control the Telegram account, the second proves you still control the email when you reveal the seed. Anyone who intercepts only one of them can't complete the export.
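To make the gating in Steps 2 and 3 concrete, here is an added example (not Mirrored's or Turnkey's code) of the server-side bookkeeping such a flow needs: a one-time code limited to 3 attempts, and an export link that expires after 15 minutes and can be redeemed exactly once. The OTP alphabet and the in-memory store are assumptions; only hashes of codes and tokens are kept, so a leaked store does not leak a usable link. The clock is injected so the expiry can be exercised without waiting.

```python
"""Rate-limited OTP plus single-use, time-limited export link.

Added illustration, not Mirrored's or Turnkey's code.  The attempt limit (3)
and link lifetime (15 minutes) are the values stated on this page; the OTP
alphabet and the in-memory storage are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import string
import time

OTP_ALPHABET = string.ascii_uppercase + string.digits  # assumption
OTP_LENGTH = 6
MAX_ATTEMPTS = 3              # "You have 3 attempts"
LINK_TTL_SECONDS = 15 * 60    # "valid for 15 minutes"


def _digest(value: str) -> bytes:
    """Store hashes, never the raw code or token."""
    return hashlib.sha256(value.encode()).digest()


class ExportGate:
    def __init__(self, clock=time.time):
        self.clock = clock
        self._otps: dict[str, dict] = {}      # user_id -> {"hash", "attempts"}
        self._links: dict[bytes, dict] = {}   # sha256(token) -> {"user", "expires", "used"}

    def issue_otp(self, user_id: str) -> str:
        """Create a fresh code for the user; the return value is what the email carries."""
        code = "".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))
        self._otps[user_id] = {"hash": _digest(code), "attempts": 0}
        return code

    def verify_otp(self, user_id: str, code: str) -> str | None:
        """Check the code; on success return a one-time export token, else None."""
        state = self._otps.get(user_id)
        if state is None:
            return None                      # no live code (never issued, or burned)
        state["attempts"] += 1
        ok = hmac.compare_digest(state["hash"], _digest(code.strip().upper()))
        if not ok:
            if state["attempts"] >= MAX_ATTEMPTS:
                del self._otps[user_id]      # burn the code after the third miss
            return None
        del self._otps[user_id]              # a correct code is single-use as well
        token = secrets.token_urlsafe(32)
        self._links[_digest(token)] = {
            "user": user_id,
            "expires": self.clock() + LINK_TTL_SECONDS,
            "used": False,
        }
        return token

    def redeem_link(self, token: str) -> str | None:
        """Consume the export link; returns the user id once, then None forever."""
        entry = self._links.get(_digest(token))
        if entry is None or entry["used"] or self.clock() > entry["expires"]:
            return None
        entry["used"] = True                 # mark before returning, so a replay fails
        return entry["user"]


if __name__ == "__main__":
    gate = ExportGate()
    code = gate.issue_otp("user-1")          # in production this goes out by email only
    token = gate.verify_otp("user-1", code)
    print("first redeem:", gate.redeem_link(token))
    print("replay:", gate.redeem_link(token))
```

The second OTP on the export page is a separate instance of the same pattern bound to the same email; the point of the design is that the link alone, without that second code, reveals nothing.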

Where the seed is generated

Inside Turnkey's secure enclave during sub-org provisioning. The private key never leaves the enclave — what gets exported to your browser is a recovery phrase derived under Turnkey's policy after both OTPs check out.

If you lose access

  • Lost Telegram account, still have email — re-onboard the bot from a new Telegram account, then run the export flow with the same email. We can re-link your wallet via Turnkey email recovery.
  • Lost email, still have Telegram — open the bot, set a new email, and the export OTP will go there. (You'll need to verify the new email before you can export.)
  • Lost both — Turnkey's standard recovery flow applies. Without one of your auth factors, neither we nor Turnkey can recover the wallet.

The right move is to export your seed once after onboarding and store it in a password manager. From that point on, you can always recover via any standard EVM wallet (Rabby, MetaMask, Frame) — the address Mirrored uses is just a normal EOA.

Audits & open source

Turnkey's enclave architecture is publicly documented and audited. The Mirrored bot code and signing policy are not currently open-source — that's on the roadmap. Until then, you can verify everything that matters yourself: export your seed, and check on-chain that the only transactions from your address are Polymarket orders submitted by the bot.