> ## Documentation Index > Fetch the complete documentation index at: https://docs.chipipay.com/llms.txt > Use this file to discover all available pages before exploring further. # Backend SDK Quickstart > Quick setup guide for the Chipi Backend SDK - server-side wallet management and transactions Since this is a server-side SDK, the wallets are not self-custodial. **PIN is weak — not recommended for production.** A user-typed PIN is a short, low-entropy string. Anyone who shoulder-surfs the PIN, observes a phishing form, or compromises the browser at typing time can decrypt the wallet's private key. PIN remains in the SDK only as a fallback recovery surface for users who lose access to their platform authenticator. **Production embedded-wallet apps should default to a platform passkey** (Touch ID, Face ID, Windows Hello, Android biometrics) via the `@chipi-stack/chipi-passkey` package. For SHHH V8.4 wallets, `signerKind: "WEBAUTHN_P256"` keeps the private key inside the platform authenticator — it never leaves the device, never reaches Chipi servers, and is never derived from a user-typed secret. Only prompt for a PIN as the encryption key when: * The user explicitly opted into a PIN-only flow (e.g. cold-storage / paper-backup recovery), or * The platform genuinely has no WebAuthn / biometric support available. If you are migrating an existing PIN-based wallet to a passkey, look up `useMigrateWalletToPasskey` in your framework's hook docs. ```bash npm theme={null} npm install @chipi-stack/backend ``` ```bash yarn theme={null} yarn add @chipi-stack/backend ``` ```bash pnpm theme={null} pnpm add @chipi-stack/backend ``` 1. Go to your [API Keys](https://dashboard.chipipay.com/configure/api-keys) in the Chipi Dashboard 2. Copy your **Public Key** (`pk_prod_xxxx`) and **Secret Key** (`sk_prod_xxxx`) Keep your Secret Key secure and never expose it in client-side code or version control. Create a new instance of the ChipiServerSDK with your API keys: ```typescript theme={null} import { ChipiServerSDK, Chain, ChainToken } from "@chipi-stack/backend"; const serverClient = new ChipiServerSDK({ apiPublicKey: "pk_prod_your_public_key", apiSecretKey: "sk_prod_your_secret_key", }); ``` Now you can create a wallet for your users: ```typescript theme={null} const newWallet = await serverClient.createWallet({ params: { encryptKey: "user-secure-pin", externalUserId: "your-user-id-123", chain: Chain.STARKNET, }, }); console.log('New wallet created:', newWallet); // Output: { publicKey: "0x...", encryptedPrivateKey: "...", walletType: "CHIPI", ... } ``` Transfer tokens between wallets: ```typescript theme={null} const transferResult = await serverClient.transfer({ params: { encryptKey: "user-secure-pin", wallet: { publicKey: newWallet.publicKey, encryptedPrivateKey: newWallet.encryptedPrivateKey, }, amount: "100", token: ChainToken.USDC, recipient: "0x1234567890abcdef...", }, }); console.log('Transfer completed:', transferResult); ``` For production applications, store your API keys as environment variables: ```bash theme={null} # .env CHIPI_PUBLIC_KEY=pk_prod_your_public_key CHIPI_SECRET_KEY=sk_prod_your_secret_key ``` Then initialize the SDK: ```typescript theme={null} const serverClient = new ChipiServerSDK({ apiPublicKey: process.env.CHIPI_PUBLIC_KEY!, apiSecretKey: process.env.CHIPI_SECRET_KEY!, }); ``` ## Next Steps Now that you have the basic setup working, explore more advanced features: * **[Session Keys](/sdk/backend/sessions-quickstart)** - Enable delegated transaction execution * **[API Reference](/sdk/api/introduction)** - Full API documentation ## Security Best Practices * Never expose your secret API key in client-side code * Use environment variables for API keys in production * Validate user inputs before making API calls * Implement proper error handling and logging Need help? Join our [Telegram Community](https://t.me/+e2qjHEOwImkyZDVh) for support and to connect with other developers.