<!--
{
  "availability" : [
    "iOS: 13.0.0 -",
    "iPadOS: 13.0.0 -",
    "macCatalyst: 13.0.0 -",
    "macOS: 10.10.0 -",
    "tvOS: 13.0.0 -",
    "visionOS: 1.0.0 -",
    "watchOS: 8.0.0 -"
  ],
  "documentType" : "symbol",
  "framework" : "CryptoTokenKit",
  "identifier" : "/documentation/CryptoTokenKit",
  "metadataVersion" : "0.1.0",
  "role" : "Framework",
  "symbol" : {
    "kind" : "Framework",
    "modules" : [
      "CryptoTokenKit"
    ],
    "preciseIdentifier" : "CryptoTokenKit"
  },
  "title" : "CryptoTokenKit"
}
-->

# CryptoTokenKit

Access security tokens and the cryptographic assets they store.

## Overview

You use the CryptoTokenKit framework to access cryptographic tokens. Tokens are physical devices built in to the system, located on attached hardware (like a smart card), or accessible through a network connection. Tokens store cryptographic objects like keys and certificates. They may also perform operations using these objects (for example, encryption or digital signature verification). You use the framework to work with a token’s assets as if they were part of your system, even though they remain secured by the token.

You can also use the framework to enable a token for two-factor authentication in macOS. Authentication services manage associations between users and identities stored on a token, granting users access when the appropriate token is present and unlocked. You supply a token driver in the form of an app extension that bridges the gap between authentication services and the underlying token hardware.

Starting in macOS 10.15.4, the CryptoTokenKit framework includes support for always-available tokens, referred to as persistent tokens. Persistent token support provides access to tokens from Hardware Security Modules (HSMs). The app hosting the token extension allows the system to address and use available tokens, to address and use the identities available through those tokens, and to access additional configuration information about tokens. Persistent tokens aren’t suitable for validating a user login because they’re available on a per-user basis, and therefore aren’t accessible until after the user logs in.

> Note:
> When you want to manage the associations between users and tokens on a given computer, use the `sc_auth` command-line utility. See the `sc_auth(8)` man page for details.

## Topics

### Smart Cards

[Using Cryptographic Assets Stored on a Smart Card](/documentation/CryptoTokenKit/using-cryptographic-assets-stored-on-a-smart-card)

Access certificates, keys, and identities stored on a smart card as if they were part of the keychain.

[`TKSmartCardSlotManager`](/documentation/CryptoTokenKit/TKSmartCardSlotManager)

An interface to all available smart card reader slots.

[`TKSmartCardSlot`](/documentation/CryptoTokenKit/TKSmartCardSlot)

A single smart card reader slot in the system.

[`TKSmartCard`](/documentation/CryptoTokenKit/TKSmartCard)

A representation of a smart card.

### Smart Card App Extensions

[Authenticating Users with a Cryptographic Token](/documentation/CryptoTokenKit/authenticating-users-with-a-cryptographic-token)

Grant access to user accounts and the keychain by creating a smart card app extension.

[Configuring Smart Card Authentication](/documentation/CryptoTokenKit/configuring-smart-card-authentication)

Set preferences for smart card authentication operations, including those on managed devices.

[`TKSmartCardTokenDriver`](/documentation/CryptoTokenKit/TKSmartCardTokenDriver)

The driver that acts as an entry point for smart card app extensions.

[`TKSmartCardToken`](/documentation/CryptoTokenKit/TKSmartCardToken)

A representation of a smart card based cryptographic token.

[`TKSmartCardTokenSession`](/documentation/CryptoTokenKit/TKSmartCardTokenSession)

A token session that is based on a smart card token.

### Tokens

[`TKTokenWatcher`](/documentation/CryptoTokenKit/TKTokenWatcher)

An object that tracks the tokens available in the system.

[`TKTokenDriver`](/documentation/CryptoTokenKit/TKTokenDriver)

A base class for building token drivers.

[`TKToken`](/documentation/CryptoTokenKit/TKToken)

A representation of a hardware-based cryptographic token.

[`TKTokenSession`](/documentation/CryptoTokenKit/TKTokenSession)

A token session that manages the authentication state of a token.

### Errors

[`TKError`](/documentation/CryptoTokenKit/TKError)

An error specific to the CryptoTokenKit framework.

[`TKErrorDomain`](/documentation/CryptoTokenKit/TKErrorDomain)

The domain for all CryptoTokenKit framework errors.

[`TKError.Code`](/documentation/CryptoTokenKit/TKError/Code)

Error codes from CryptoTokenKit.



---

Copyright © 2026 Apple Inc. All rights reserved.
