MPC 2-of-2
| Property | Detail |
|---|---|
| Scheme | DKLS23 threshold ECDSA |
| Quorum | 2-of-2 - both shares required to produce a signature |
| Share custody | WalletSuite holds one share; customer holds the other |
| Full-key assembly | Never - no party ever holds a complete private key |
Share Storage
| Layer | Detail |
|---|---|
| WalletSuite-side share | HSM-backed; KMS envelope encryption at rest |
| Internal access | M-of-N quorum gated; audit-logged on every co-signing event |
| Share rotation | Periodic; transparent to the customer (no key-material reissue) |
| Customer-side share | Stored on customer infrastructure; encrypted at rest with the WALLETSUITE_PASSPHRASE secret |
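As an added example (not WalletSuite's own code or file format), this Go program shows one way the customer-side share could be kept encrypted at rest under the WALLETSUITE_PASSPHRASE secret: PBKDF2-HMAC-SHA256 derives the key, AES-256-GCM seals the share with the share id bound as associated data, and a wrong passphrase, a mismatched id or any tampering fails closed instead of yielding garbage key material. The file layout, iteration count and the `share-001` id are assumptions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)
const saltLen, nonceLen, iters = 16, 12, 200_000 // constructed layout: salt || nonce || AES-GCM ciphertext+tag
// kdf is PBKDF2-HMAC-SHA256 from the standard library alone; one 32-byte block is all AES-256 needs.
func kdf(pass, salt []byte) []byte {
	prf := hmac.New(sha256.New, pass)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index, big-endian
	u := prf.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		subtle.XORBytes(key, key, u) // key = U1 xor U2 xor ... xor Uc
	}
	return key
}

// aead builds AES-256-GCM from the passphrase-derived key; neither constructor can fail for a 32-byte key.
func aead(pass, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(kdf(pass, salt))
	g, _ := cipher.NewGCM(block)
	return g
}

// SealShare encrypts the customer-side share under the passphrase, binding the share id as associated data.
func SealShare(share, pass []byte, shareID string) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen) // fresh random salt and nonce for every file written
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	return aead(pass, hdr[:saltLen]).Seal(hdr, hdr[saltLen:], share, []byte(shareID)), nil
}

// OpenShare fails closed: a wrong passphrase, a mismatched share id or any tampering returns an error.
func OpenShare(blob, pass []byte, shareID string) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 { // 16 = GCM tag length
		return nil, errors.New("encrypted share is truncated")
	}
	return aead(pass, blob[:saltLen]).Open(nil, blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:], []byte(shareID))
}
```

In a deployment the passphrase would be read from the WALLETSUITE_PASSPHRASE environment variable rather than a literal, and the salt makes each encrypted share unique even when the passphrase is reused.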
Signing Flow
When a surface (MCP, SDK, or REST API) requests a signature:
- The surface prepares the unsigned transaction with no key access.
- The signing layer evaluates policy before any signature is produced.
- The customer share signs.
- The WalletSuite-side share signs only after policy approval, and never sees the customer share.
- The combined threshold signature is returned to the surface.
What WalletSuite Never Sees
Applies to all surfaces (MCP, SDK, REST API):
| Secret | Where It Lives | WalletSuite Access |
|---|---|---|
| Full private keys | Never assembled | Never |
| Customer-side MPC share | Customer infrastructure; encrypted at rest with WALLETSUITE_PASSPHRASE | Never reaches WalletSuite infrastructure |
Related
- Self-Hosting over HTTP - running the MCP server on your own infrastructure
- Policy Gates - constraining what agent keys can do
- Security Overview - the full trust model
- Audit Trail - logging every signing operation