Mobile Key Vaults
Native key storage boundaries for mobile runtimes.
Mobile key vaults protect MeshKit identity material in mobile runtimes. They are part of the identity storage story, not a complete security guarantee by themselves.
The current mobile runtime pattern can protect exported identity records at rest when a native bridge is available. Do not claim non-exportable ECDH/signing, biometric enforcement, or durable recovery unless your installed bridge and product flow actually provide those guarantees.
What A Key Vault Protects
| Material | Expected handling |
|---|---|
| Exported identity records | Store through native secure storage when available |
| Recovery envelopes | Store or back up only through an app-approved recovery flow |
| Private keys | Avoid logs, analytics, crash reports, and plaintext exports |
| Capability token secrets | Treat as sensitive credentials |
What It Does Not Automatically Solve
- Lost-device recovery
- Compromised-device response
- Non-exportable hardware-backed ECDH/signing
- Biometric or passcode policy enforcement
- User account binding
- Contact verification
- Provider token safety
Those are application and bridge responsibilities.
React Native Example
```ts
import { createMeshkitReactNative, createReactNativeKeyVault } from "@meshkit/react-native";

// Key vault backed by the native bridge. The accessControl option is passed
// through to the bridge; whether a passcode is actually enforced depends on
// the bridge installed in the build (see the note above).
const keyVault = createReactNativeKeyVault(undefined, {
  accessControl: "device-passcode",
});

const mesh = await createMeshkitReactNative({
  identity: "mobile-owner",
  keyVault,
});

// Identity material is created and stored through the configured key vault.
await mesh.identity.create("mobile-owner");
```
Production Checklist
Before shipping mobile identity storage:
- Confirm the native key-vault bridge is installed in the production build.
- Confirm identity records survive app restart when expected.
- Confirm deletion/reinstall behavior matches product policy.
- Confirm backup and recovery behavior for lost devices.
- Confirm private keys and exported records are redacted from logs and support bundles.
- Document whether keys are exportable or non-exportable.
- Test sharing, revocation, and recovery on real devices.
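The checklist item on keeping private keys and exported records out of logs and support bundles is easiest to enforce with a scrubber that runs before any event reaches a logger, analytics SDK or crash reporter, plus a scanner that can be run over captured payloads in CI. The following is an added example and not MeshKit code; the field names, the regex heuristics and the sample event are constructed for illustration and would be tuned to your own record format.

```typescript
// Added example, not part of MeshKit: scrub private keys, exported identity
// records and other secrets from a structured event before it is handed to a
// logger, analytics SDK or crash reporter. Field names and the sample event
// are constructed for illustration.

type Json = null | boolean | number | string | Json[] | { [key: string]: Json };

// Keys whose values are always secret, whatever they contain (assumed names).
const SENSITIVE_KEYS: string[] = [
  "privateKey",
  "secretKey",
  "seed",
  "mnemonic",
  "recoveryEnvelope",
  "capabilityTokenSecret",
  "identityRecord", // an exported identity record is treated as one opaque secret
];

const REDACTED = "[REDACTED]";

function isSensitiveKey(key: string): boolean {
  return SENSITIVE_KEYS.indexOf(key) !== -1;
}

// Free-text heuristics: a PEM private-key block, or a long base64/hex run,
// which usually means key material was interpolated into a message string.
const PEM_PRIVATE = /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/;
const LONG_BLOB = /[A-Za-z0-9+/=_-]{64,}/;

function looksSecret(text: string): boolean {
  return PEM_PRIVATE.test(text) || LONG_BLOB.test(text);
}

// Returns a redacted copy; never mutates the input event.
export function redact(value: Json): Json {
  if (typeof value === "string") {
    return value
      .replace(new RegExp(PEM_PRIVATE.source, "g"), "[REDACTED PRIVATE KEY]")
      .replace(new RegExp(LONG_BLOB.source, "g"), "[REDACTED BLOB]");
  }
  if (Array.isArray(value)) return value.map(redact);
  if (value !== null && typeof value === "object") {
    const out: { [key: string]: Json } = {};
    for (const k of Object.keys(value)) {
      out[k] = isSensitiveKey(k) ? REDACTED : redact(value[k]);
    }
    return out;
  }
  return value;
}

// Lists the JSON paths that still carry secrets. Run it over a support bundle
// or a captured analytics payload in CI to enforce the checklist item.
export function findLeaks(value: Json, path: string = "$"): string[] {
  const leaks: string[] = [];
  if (typeof value === "string") {
    if (looksSecret(value)) leaks.push(path);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => leaks.push(...findLeaks(v, `${path}[${i}]`)));
  } else if (value !== null && typeof value === "object") {
    for (const k of Object.keys(value)) {
      const p = `${path}.${k}`;
      if (isSensitiveKey(k)) {
        if (value[k] !== REDACTED) leaks.push(p);
      } else {
        leaks.push(...findLeaks(value[k], p));
      }
    }
  }
  return leaks;
}

// Constructed sample: a crash-report payload that accidentally carries an
// exported private key both as a field and interpolated into the message.
// The key below is a made-up 69-character string, not real key material.
const FAKE_PRIVATE_KEY =
  "MC4CAQAwBQYDK2VwBCIEI" + "a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8s9T0u1V2w3X4";

export const SAMPLE_EVENT: Json = {
  level: "error",
  message: `identity import failed for key ${FAKE_PRIVATE_KEY}`,
  identity: { id: "mobile-owner", privateKey: FAKE_PRIVATE_KEY, publicKey: "pk_demo" },
  tokens: [{ capabilityTokenSecret: "cap-secret-demo" }],
};

// Typical wiring: scan first (so a leak is visible in tests), then redact.
export function scrubForReport(event: Json): { leaksFound: string[]; safe: Json } {
  return { leaksFound: findLeaks(event), safe: redact(event) };
}
```

Wire `scrubForReport` (or just `redact`) in front of every sink, not only the crash reporter: breadcrumbs, analytics properties and the payload attached to support tickets all end up off-device. The blob heuristic deliberately over-matches; an occasional redacted URL is cheaper than a leaked key.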
Failure Modes
| Symptom | Likely cause | Action |
|---|---|---|
| Identity disappears after restart | Fallback storage or bridge not configured | Verify native bridge and persistence settings |
| Build works in dev but not production | Native module missing from production build | Check platform build configuration |
| Security review rejects claims | Docs imply non-exportable keys without bridge evidence | Narrow claims or implement the stronger bridge |
| User loses access after device loss | No recovery envelope or account recovery flow | Design and document recovery before launch |
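The first two rows of the table share one root cause: the JavaScript package is present but the native module is not linked, and the runtime quietly falls back to process memory. The example below, which is added here and is not MeshKit code, shows the shape of a selection step that fails closed in production builds instead of downgrading, together with a restart check that distinguishes a persistent backend from the in-memory fallback. `RecordStore`, `NativeBridge` and `FakeBridge` are hypothetical stand-ins; real bridges are asynchronous, and the synchronous shape here only keeps the example self-contained.

```typescript
// Added example, not MeshKit code: pick the storage backend for exported
// identity records, fail closed when the native bridge is missing from a
// production build, and prove persistence across a simulated restart.
// RecordStore, NativeBridge and FakeBridge are hypothetical stand-ins.

export interface RecordStore {
  readonly backend: "native-secure-storage" | "memory";
  get(key: string): string | null;
  set(key: string, value: string): void;
  remove(key: string): void;
}

// What a native key-vault bridge exposes to JS (assumed shape). Availability
// is a runtime property: the JS package can be installed while the native
// module is not linked into the production build.
export interface NativeBridge {
  isAvailable(): boolean;
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

export class NativeSecureStore implements RecordStore {
  readonly backend = "native-secure-storage" as const;
  constructor(private readonly bridge: NativeBridge) {}
  get(key: string) { return this.bridge.getItem(key); }
  set(key: string, value: string) { this.bridge.setItem(key, value); }
  remove(key: string) { this.bridge.removeItem(key); }
}

// Development-only fallback: contents vanish with the JS process, which is
// exactly the "identity disappears after restart" failure mode.
export class MemoryStore implements RecordStore {
  readonly backend = "memory" as const;
  private items: { [key: string]: string } = {};
  get(key: string) {
    return Object.prototype.hasOwnProperty.call(this.items, key) ? this.items[key] : null;
  }
  set(key: string, value: string) { this.items[key] = value; }
  remove(key: string) { delete this.items[key]; }
}

// Fail closed in production: a silent downgrade would keep identities in
// plain process memory and lose them on the next restart.
export function selectStore(bridge: NativeBridge | undefined, production: boolean): RecordStore {
  if (bridge !== undefined && bridge.isAvailable()) return new NativeSecureStore(bridge);
  if (production) {
    throw new Error("native key-vault bridge is not available in this production build");
  }
  return new MemoryStore();
}

// Simulates a restart by discarding the JS-side store handle and reopening
// the same backend; returns whether the record written earlier is still there.
export function survivesRestart(bridge: NativeBridge | undefined, production: boolean): boolean {
  const key = "identity:mobile-owner";
  const beforeRestart = selectStore(bridge, production);
  beforeRestart.set(key, '{"id":"mobile-owner","record":"exported-identity-demo"}');
  const afterRestart = selectStore(bridge, production); // fresh handle, same backend
  const found = afterRestart.get(key) !== null;
  afterRestart.remove(key);
  return found;
}

// Constructed stand-in for the OS keychain/keystore: data lives outside the
// JS heap, so it outlives any store object. It models only the persistence
// boundary; the real bridge still has to be exercised on physical devices.
export class FakeBridge implements NativeBridge {
  private keychain: { [key: string]: string } = {};
  constructor(private readonly linked: boolean = true) {}
  isAvailable() { return this.linked; }
  getItem(key: string) {
    return Object.prototype.hasOwnProperty.call(this.keychain, key) ? this.keychain[key] : null;
  }
  setItem(key: string, value: string) { this.keychain[key] = value; }
  removeItem(key: string) { delete this.keychain[key]; }
}
```

The point of the `production` flag is that the decision is made once, at startup, and loudly: a missing native module should crash a release build on the first launch in the pipeline, not surface weeks later as a user report that their identity vanished. The fake bridge only proves that your code asks the right question; whether the real bridge actually keeps data across reinstall, OS backup and restore is something only device testing answers.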