Choosing a signer type
Signer types will define the custody and user experience of a wallet.| Signer type | Custody | User experience |
|---|---|---|
| Email, phone number, social login | Non-custodial | Users authenticate once per device the first time they are going to transact. Future transactions can happen without needing user interaction. |
| Passkey | Non-custodial | Transactions need to be signed every time with the device biometrics or password manager. |
| External Wallet | Non-custodial or custodial depending on who has access to the wallet. | Transactions need to be signed every time with the external wallet. |
| API Key | Custodial | All transactions can happen without needing user interaction. |
If you use a non-custodial signer and a custodial signer at the same time, the wallet will be considered custodial.
- You are licensed for custody
- You are building use cases that don’t require custody, such as collectibles or utility token management
- You want to handle asset management and transactions on behalf of users
- You need a simple, server-side solution without user interaction for blockchain operations
- You are building use cases that require license (e.g. holding stablecoins) and you don’t have it
- Self custody is important to your users
Signer types
Email, phone number, and social login
Email, phone number, and social login signers enable users to access their wallets and perform transactions seamlessly using their email address, phone number, or social account. Users just need to verify their email address, phone number, or social account once per device to access their wallet.How does it work?
How does it work?
This signer type uses a master secret generated inside a Trusted Execution Environment (TEE) that runs open-source, verifiable code.
This master secret is never stored or exposed outside the TEE and is protected by user-controlled credentials, such as email authentication.
Once created, the master secret is split into two parts using Shamir Secret Sharing: a device share (stored securely on the users device)
and an auth share (stored on Crossmint’s backend). Both shares are required to reconstruct the master secret, and this only happens locally
within a secure enclave on the user’s device.When a user wants to sign a transaction, the host application sends a request to a secure iframe. The device share and the auth share are
combined within this local secure environment to reconstruct the master secret, derive the necessary keypair,
and produce the signature. At no point do the host application or Crossmint have access to the full master secret or the private key;
the signing process and key management are isolated from both parties, ensuring that sensitive cryptographic material is never exposed.
Is this signer type non-custodial?
Is this signer type non-custodial?
Yes, this system is considered non-custodial because neither the host application nor Crossmint can unilaterally access or control the user’s keys.
The host application never sees the key shares or the master secret, and Crossmint only holds one share, which is useless on its own.
The code running in the TEE is publicly verifiable and tamper-proof, and all sensitive operations occur within secure, user-controlled environments.
This guarantees that only the user, through their device and authentication, can authorize transactions, maintaining true user custody over their cryptographic keys.