Arguments
| Argument | Description |
|---|---|
<name> | Identifier for this user. Letters, digits, -, and _ only. |
Flags
| Flag | Default | Description |
|---|---|---|
--backend <type> | — | Signer backend. One of: local, privy, turnkey, para |
--param <key=value> | [] | Backend parameter (repeat for multiple). See backend details below. |
--secret <KEY=value> | [] | Backend secret as ENV_KEY=value. Saved to the OS keychain. Omit to be prompted interactively. |
--activate | false | Set this user as the active user after adding. |
Backends
local — Local keypair file
Reads a Solana keypair from a JSON file on disk (same format as solana-keygen).
| Param | Required | Description |
|---|---|---|
keypair | No | Path to keypair JSON file. Default: ~/.config/solana/id.json |
privy — Privy managed wallet
Signs via the Privy server-side wallet API.
| Param | Required | Description |
|---|---|---|
appId | Yes | Privy application ID |
walletId | Yes | Privy wallet ID |
apiBaseUrl | No | Custom Privy API base URL (default: https://api.privy.io/v1) |
| Secret | Description |
|---|---|
PRIVY_APP_SECRET | Privy application secret |
turnkey — Turnkey managed wallet
Signs via the Turnkey API using a P256 API key pair.
| Param | Required | Description |
|---|---|---|
apiPublicKey | Yes | Turnkey API public key (hex-encoded) |
organizationId | Yes | Turnkey organization ID |
privateKeyId | Yes | Turnkey private key ID used for signing |
publicKey | Yes | Solana public key (base58) corresponding to the Turnkey private key |
apiBaseUrl | No | Custom Turnkey API base URL (default: https://api.turnkey.com) |
| Secret | Description |
|---|---|
TURNKEY_API_PRIVATE_KEY | Turnkey API private key (hex-encoded, P256) |
para — Para managed wallet
Signs via the Para server-side wallet API.
| Param | Required | Description |
|---|---|---|
walletId | Yes | Para wallet UUID |
apiBaseUrl | No | Custom Para API base URL (default: https://api.beta.getpara.com) |
| Secret | Description |
|---|---|
PARA_API_KEY | Para API key (server-side only) |
Secrets and the OS keychain
Secrets passed via--secret or entered interactively are saved to the OS keychain (macOS Keychain, GNOME Keyring, etc.) scoped to the user name. On subsequent runs, the CLI reads them back automatically — no environment variable needed.
If the keychain is unavailable (e.g. headless Linux without a keyring daemon), the CLI falls back to the current process environment and prints a warning: