Hello Quinn, Sorry, I switched to another project in the meantime. Back to this one. Yes indeed, the FileVault is enabled. But I did not get any error during the pairing step. Are the CTKs loaded at boot time / session login ? Regards, ++dom

Thank you very much BornP, I will check next week.

To partly answer my question, we are able to restrict the search to a particular TokenID using SecItemCopyMatching and the query: // pExtBundleIdentifier = Bundle identifier of the pExt let tokenDriverConfiguration = TKTokenDriver.Configuration.driverConfigurations[pExtBundleIdentifier] ... // tokenID = a String let tokenConfig = tokenDriverConfiguration?.addTokenConfiguration(for: tokenID) ... var query: [String: Any] ... query[kSecAttrTokenID as String] = pExtBundleIdentifier + ":" + tokenID ... SecItemCopyMatching(query as CFDictionary, &result) ... So in the end, we can list all elements related to a particular persistent extension by listing all keychains items, looking for the ones with kSecAttrTokenID attribute and filter against this attribute. If you have a more straightforward solution, don't hesitate to post it :-) Regards, ++dom