cartridge-gg/controller-signers
skills/controller-signers/SKILL.md
Configure authentication methods for Cartridge Controller including passkeys, social login, and external wallets. Use when implementing user authentication, adding multiple signers for account recovery, customizing signup options, or integrating external wallets like MetaMask or Phantom. Covers WebAuthn passkeys, Google/Discord/Twitter OAuth, wallet connections, and dynamic authentication flows.
$ install --global
skillsauthnpx skillsauth add cartridge-gg/docs controller-signersInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 18, 2026, 8:21 AM7.4s1 file scanned
SKILL.md
- name:
- controller-signers
- description:
- Configure authentication methods for Cartridge Controller including passkeys, social login, and external wallets. Use when implementing user authentication, adding multiple signers for account recovery, customizing signup options, or integrating external wallets like MetaMask or Phantom. Covers WebAuthn passkeys, Google/Discord/Twitter OAuth, wallet connections, and dynamic authentication flows.
Controller Signers & Authentication
Controller supports multiple authentication methods (signers) for flexibility and security.
Supported Signer Types
| Type | Description | Best For |
|------|-------------|----------|
| webauthn | Passkey (biometric/hardware key) | Primary auth, most secure |
| google | Google OAuth | Easy onboarding |
| discord | Discord OAuth | Gaming communities |
| twitter | Twitter/X OAuth | Social integration |
| argent | Argent wallet (Starknet) | Starknet native users |
| braavos | Braavos wallet (Starknet) | Starknet native users |
| metamask | MetaMask (desktop only) | EVM users |
| phantom-evm | Phantom EVM mode (desktop only) | Multi-chain users |
| rabby | Rabby wallet (desktop only) | Security-focused users |
| walletconnect | WalletConnect (desktop only) | Cross-device |
| password | Email/password | Testing only |
Warning: Password authentication is non-recoverable. If users lose their password, they permanently lose account access. Do not use in production.
Configuring Auth Options
const controller = new Controller({
signupOptions: [
"webauthn", // Passkeys
"google", // Google OAuth
"discord", // Discord OAuth
"twitter", // Twitter/X OAuth
"argent", // Argent wallet
"braavos", // Braavos wallet
"metamask", // MetaMask (desktop)
"phantom-evm", // Phantom (desktop)
"rabby", // Rabby (desktop)
"walletconnect",// WalletConnect (desktop)
],
});
Order reflects UI order. With one option, branded buttons appear.
Dynamic Authentication
Override auth options per connection:
// Default options
const controller = new Controller({
signupOptions: ["webauthn", "google", "discord"],
});
// Branded Phantom flow
await controller.connect(["phantom-evm"]);
// Branded Google flow
await controller.connect(["google"]);
Branded Buttons
Single signer config shows branded styling:
// Shows "sign up with Phantom" button with Phantom branding
const controller = new Controller({
signupOptions: ["phantom-evm"],
});
Passkey Authentication
Platform support: iOS (Face ID/Touch ID), Android, Windows Hello, password managers (Bitwarden, 1Password).
Passkeys are backed up via:
- Apple: iCloud Keychain
- Android: Google account
- Windows: Windows account
Social Login
Uses Auth0 + Turnkey wallet infrastructure:
- Popup OAuth flow (fallback to redirect if blocked)
- OIDC token validation with nonce
- Turnkey wallet creation linked to social account
Native app limitation: OAuth may not work in webviews. Use passkeys for native apps.
External Wallets
Starknet Wallets
- Argent: Advanced security features, account management
- Braavos: Built-in security features
EVM Wallets (Desktop Only)
- MetaMask: Popular browser extension
- Rabby: Security-focused multi-chain
- Phantom: Multi-chain with EVM support
Cross-Platform
- WalletConnect: QR code or deep link connection
Note: EVM wallets are automatically hidden on mobile browsers.
Chain Switching
const success = await controller.externalSwitchChain(
"metamask", // wallet type
chainId // target chain (hex)
);
Braavos does not support chain switching.
Transaction Confirmation
const response = await controller.externalWaitForTransaction(
"metamask",
txHash,
30000 // timeout ms
);
if (response.success) {
console.log("Receipt:", response.result);
} else {
console.error("Error:", response.error);
}
Multi-Signer Management
Add backup signers via Settings > Signer(s) > Add Signer (Mainnet only).
To remove a signer:
- Navigate to Settings > Signer(s)
- Find the signer to remove
- Click Remove option
Best practices:
- Add 2-3 different signer types for recovery
- Test each auth method periodically
- Remove compromised signers promptly
Account Synchronization
Argent and Braavos wallets auto-sync when user switches accounts in wallet.
Controller registers accountsChanged listener and updates state automatically.
Note: Account synchronization is currently only available for Starknet wallets (Argent and Braavos). Other external wallets maintain existing connection behavior.
Platform-Specific Configuration
const isMobile = /iPhone|iPad|iPod|Android/i.test(navigator.userAgent);
const authOptions = isMobile
? ["webauthn", "google", "discord", "argent", "braavos"]
: ["webauthn", "google", "discord", "argent", "braavos", "metamask", "walletconnect"];
await controller.connect(authOptions);
Related Skills
cartridge-gg/controller-setup
data-ai
VerifiedTrustedCommunity
Integrate Cartridge Controller wallet into Starknet applications. Use when setting up Controller for the first time, installing packages, configuring chains/RPC endpoints, or troubleshooting basic integration issues. Covers installation, Controller instantiation, ControllerConnector vs SessionConnector choice, chain configuration, and package compatibility.
4SKILL.mdUpdated Apr 18, 2026
cartridge-gg/controller-sessions
testing
VerifiedTrustedCommunity
Configure session keys and policies for Cartridge Controller to enable gasless, pre-approved transactions. Use when defining contract interaction policies, setting spending limits, configuring signed message policies, or implementing error handling for session-based transactions. Covers SessionPolicies type, policy definitions, verified sessions, and error display modes.
4SKILL.mdUpdated Apr 18, 2026
cartridge-gg/controller-react
development
VerifiedTrustedCommunity
Integrate Cartridge Controller into React applications using starknet-react. Use when building React/Next.js web apps with Controller, setting up StarknetConfig provider, using hooks like useConnect/useAccount, or implementing wallet connection components. Covers ControllerConnector setup, provider configuration, and transaction execution patterns.
4SKILL.mdUpdated Apr 18, 2026
cartridge-gg/controller-native
development
VerifiedTrustedCommunity
Integrate Cartridge Controller into native mobile applications (iOS, Android, React Native) and web wrappers (Capacitor). Use when building mobile games or apps that need Controller wallet functionality with local keypair signing. Covers SessionConnector for native auth flows, Controller.c FFI bindings, passkey configuration with Apple App Site Association, and platform-specific setup.
4SKILL.mdUpdated Apr 18, 2026