Test Wallets & Faucets

You'll need a funded keypair to sign anything on devnet. This is short.

Generate a devnet keypair

The Solana CLI is the path of least resistance:

solana-keygen new --no-bip39-passphrase --outfile ~/.config/solana/devnet.json
Wrote new keypair to ~/.config/solana/devnet.json
=========================================================================
pubkey: 7xKXt...
=========================================================================
Save this seed phrase to recover your new keypair:
...
=========================================================================

Point your CLI at devnet and verify:

solana config set --url devnet --keypair ~/.config/solana/devnet.json
solana address

This keypair is your "user" wallet for any mode=unsigned flow.

Fund it

The fastest path is the CLI:

solana airdrop 2
Requesting airdrop of 2 SOL
Signature: 5pT...
2 SOL

The public devnet faucet is rate-limited. If solana airdrop returns 429 or airdrop limit reached, switch to the web faucet at faucet.solana.com — paste the pubkey, solve the captcha, and you'll get a fresh top-up.

Confirm the balance:

solana balance
2 SOL

Hand the secret key to the SDK

The SDK accepts the raw secret-key bytes in several formats:

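import fs from "node:fs";
// PirateSDK must also be imported from the SDK package; that import line is not shown on this page.

// The solana-keygen file is a JSON array of byte values; load it as raw bytes.
const secretKey = new Uint8Array(JSON.parse(
  fs.readFileSync(`${process.env.HOME}/.config/solana/devnet.json`, "utf-8")
));

// Read the API key and RPC URL from the environment rather than hard-coding them.
const sdk = new PirateSDK({
  apiKey: process.env.PIRATE_API_KEY!,
  secretKey,
  network: "devnet",
  rpcUrl: process.env.DEVNET_RPC,
});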

Or pass a base58 string, a hex string, or a Keypair instance — secretKey accepts all four.
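
The sketch below is an added example, not PirateSDK's own code: it normalizes the four input shapes named above to raw bytes and rejects anything that is not a full 64-byte Solana secret key before it reaches the constructor. The helper names `decodeBase58` and `toSecretKeyBytes` are hypothetical, and the hex form is assumed to be 128 characters with no `0x` prefix.

```typescript
// Added example: hypothetical helpers, not part of PirateSDK.
const B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";

// Decode a base58 string (the alphabet Solana uses for keys) into bytes.
function decodeBase58(s: string): Uint8Array {
  const le: number[] = []; // little-endian accumulator
  for (let k = 0; k < s.length; k++) {
    let carry = B58.indexOf(s.charAt(k));
    if (carry < 0) throw new Error("secret key: invalid base58 character");
    for (let i = 0; i < le.length; i++) {
      carry += le[i] * 58;
      le[i] = carry & 0xff;
      carry >>= 8;
    }
    while (carry > 0) { le.push(carry & 0xff); carry >>= 8; }
  }
  // Each leading "1" encodes one leading zero byte.
  for (let k = 0; k < s.length && s.charAt(k) === "1"; k++) le.push(0);
  return Uint8Array.from(le.reverse());
}

type SecretKeyInput = string | number[] | Uint8Array | { secretKey: Uint8Array };

// Normalize any of the four shapes to 64 raw bytes, or throw.
// Error messages report lengths only, never key material.
function toSecretKeyBytes(input: SecretKeyInput): Uint8Array {
  let bytes: Uint8Array;
  if (typeof input === "string") {
    const s = input.trim();
    // 64 bytes are 128 hex chars but at most 88 base58 chars, so length disambiguates.
    const hex = /^[0-9a-fA-F]{128}$/.test(s) ? s.match(/../g) : null;
    bytes = hex ? Uint8Array.from(hex.map((h) => parseInt(h, 16))) : decodeBase58(s);
  } else if (input instanceof Uint8Array) {
    bytes = input;
  } else if (Array.isArray(input)) {
    // Contents of a solana-keygen JSON file: an array of byte values.
    if (!input.every((b) => Number.isInteger(b) && b >= 0 && b <= 255)) {
      throw new Error("secret key: array entries must be integers 0..255");
    }
    bytes = Uint8Array.from(input);
  } else {
    bytes = input.secretKey; // Keypair-like object
  }
  // A 32-byte result usually means a pubkey or bare seed was pasted by mistake.
  if (bytes.length !== 64) {
    throw new Error(`secret key: expected 64 bytes, got ${bytes.length}`);
  }
  return bytes;
}
```

Running this check at startup turns a pasted pubkey or a truncated CI secret into an immediate, non-leaking error instead of a signing failure later in the flow.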

The Privy platform-wallet caveat

mode=signed is gated behind scopes like fees:claim and routes the transaction to the Privy platform wallet for server-side signing. There is exactly one platform wallet, and it lives on mainnet. There is no devnet platform wallet.

Practical consequences:

  • You cannot fully test mode=signed paths in isolation on devnet. The endpoint will still return an unsigned tx if you flip to mode=unsigned, but you can't exercise the Privy signing branch without touching mainnet.
  • The recommended sandbox path is always mode=unsigned, signed by a throwaway devnet keypair like the one above.
  • When you graduate to mainnet, audit the diff: the only things that should change are network, rpcUrl, and (if applicable) a few flows flipped to mode=signed. Everything else should be unchanged.

If you absolutely must rehearse a mode=signed flow before production, do it with the smallest possible amount on mainnet, send an Idempotency-Key, and treat it as a controlled rollout.

Throwaway keypairs in CI

If you're running integration tests in CI, generate a new keypair per run and airdrop into it. Don't reuse a shared CI wallet — devnet rate limits are per-pubkey, so a long-lived CI wallet will get throttled. The pattern:

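KEYFILE=$(mktemp --suffix=.json)
# Delete the key file on exit, even if a step below fails
trap 'rm -f "$KEYFILE"' EXIT
# mktemp has already created the file, so solana-keygen needs --force to write to it
solana-keygen new --no-bip39-passphrase --silent --force --outfile "$KEYFILE"
solana airdrop 2 --keypair "$KEYFILE" --url devnet
# ... run tests with SECRET_KEY=$(cat "$KEYFILE") ...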

Fresh wallet, fresh budget, no contamination between runs.

See Devnet Walkthrough for what to do once your wallet is funded.