Access security tokens and the cryptographic assets they store.


You use the CryptoTokenKit framework to easily access cryptographic tokens. Tokens are physical devices that can be built into the system, located on attached hardware (like a smart card), or accessible through a network connection. Tokens store cryptographic objects like keys and certificates. They may also perform operations—for example, encryption or digital signature verification—using these objects. You use the framework to work with a token’s assets as if they were part of your system, even though they remain secured by the token.

You can also use the framework to enable a token for two-factor authentication in macOS. Authentication services manage associations between users and identities stored on a token, granting users access when the appropriate token is present and unlocked. You supply a token driver in the form of an app extension that bridges the gap between authentication services and the underlying token hardware.


First Steps

Using Cryptographic Assets Stored on a Smart Card

Access certificates, keys, and identities stored on a smart card as if they were part of the keychain.


An object that tracks the tokens available in the system.

Two-Factor Authentication

Authenticating Users with a Cryptographic Token

Grant access to user accounts and the keychain by creating a token driver app extension.


The abstract base class for building token drivers.


A representation of a hardware-based cryptographic token.


A token session that manages the authentication state of a token.

Smart Card App Extensions

Configuring Smart Card Authentication

Set preferences for smart card authentication operations, including those on managed devices.


The driver that acts as an entry point for smart card app extensions.


A representation of a smart-card-based cryptographic token.


A token session that is based on a smart card token.

Smart Cards


A representation of a smart card.


A single smart card reader slot in the system.


An interface to all available smart card reader slots.



The domain for all CryptoTokenKit framework errors.


Error codes that may be returned when calling CryptoTokenKit methods.