Platform service · Early access
A spectrum,
not a compromise.
Agent operating funds belong in self-custody — keys on the device, signing local. Org treasuries belong behind a quorum. Mints Custody gives every account the model it deserves, with one identical audit trail across both.
Self-custody by mandate · m-of-n quorum treasury · guardian recovery
The custody spectrum
Agent accounts
Keys on device
Org treasury
m-of-n quorum
Identical immutable audit trail
Every event append-only across both modes
You choose per account
Custody model set at account creation, not globally
Both fail closed cross-lineage
Cross-lineage requests blocked regardless of custody mode
The spectrum in detail
Choose per account. Both sides audited identically.
Mints Custody is not a toggle between two separate products. It is one platform that lets you pick the custody model suited to each account's risk profile — and audits both with the same append-only event chain.
Mints self-custody
Keys on device — you sign, you control
Mints guarded custody
m-of-n quorum — threshold approval
The right custody model depends on what the funds are for — not on which platform you chose.
Guarded custody
Your treasury behind a quorum it deserves.
When a single key is not enough, Mints Custody enforces multi-signature approval, formal guardian recovery, and pre-flight risk scanning — before a single satoshi moves.
No single key — human or agent — moves guarded funds alone.
Multi-signature wallets
Treasury operations require a quorum you define. No single key — human or agent — moves guarded funds alone.
Guardian recovery
Lost keys don't mean lost funds. Recovery is a formal ceremony among guardians you appointed, with every step audited.
Risk scanning
Outbound transactions are evaluated against risk policy before signing, not explained after settlement.
Hash-chained audit
Every custody event appends to a tamper-evident chain — provable to auditors and to yourselves.
Guardian recovery
Lost keys don't mean lost funds.
Recovery is a formal ceremony — not a support ticket. Guardians you appointed hold cryptographic shares. A threshold of them must respond independently before any key material can be reconstructed, and every step is appended to the audit chain.
Initiate ceremony
Owner (or an appointed trustee) opens a recovery request. The platform records the initiation event immutably.
Guardian notification
Each designated guardian receives a verifiable ceremony ID. They are never shown each other's identity.
Threshold response
Guardians independently submit their recovery shares. A configurable quorum (e.g. 3-of-5) must respond.
Share reconstruction
Once threshold is met, shares are combined on the owner's new device. Mints servers never hold a complete key.
New key enrolled
The reconstructed key is rotated and the new material enrolled. Prior key is invalidated and the event is appended to the audit chain.
Initiate ceremony
Owner (or an appointed trustee) opens a recovery request. The platform records the initiation event immutably.
Guardian notification
Each designated guardian receives a verifiable ceremony ID. They are never shown each other's identity.
Threshold response
Guardians independently submit their recovery shares. A configurable quorum (e.g. 3-of-5) must respond.
Share reconstruction
Once threshold is met, shares are combined on the owner's new device. Mints servers never hold a complete key.
New key enrolled
The reconstructed key is rotated and the new material enrolled. Prior key is invalidated and the event is appended to the audit chain.
Threshold required
A configurable m-of-n quorum must respond before reconstruction. No single guardian can recover unilaterally.
Server never holds full key
Share reconstruction happens on the owner's new device. Mints infrastructure never assembles a complete key.
Fully audited
Every step of the ceremony — initiation, guardian responses, reconstruction, enrollment — is an immutable event.
Risk scanning
Scanned before signing. Never explained after.
Outbound transactions from guarded accounts are evaluated against your risk policy before any guardian is asked to sign. If a transaction fails the scan, it never reaches the signing quorum.
- Counterparty risk evaluation before signature request
- Velocity checks against configurable per-account limits
- Policy outcome appended to the audit event — deny reasons are recorded
- No override path without a quorum-signed exception
atlas-research requests a 1,500.00 USDC transfer to vendor-ops for inference compute.
Illustrative — the approval surface your treasury team sees
Hash-chained audit
Every event, forever verifiable.
Custody events are appended to a hash-chained ledger — tamper-evident by construction. Auditors can verify the full chain independently, without relying on Mints to provide a correct history.
Append-only
No event is ever modified. State is always derived from an ordered sequence of immutable events.
Hash-chained
Each event commits to a hash of the prior event. Any gap or alteration breaks the chain and is immediately detectable.
Independently replayable
Any authorized party can replay the event sequence to reconstruct any historical account state.
Lineage isolation
Cross-org requests fail closed.
Mints Custody does not require you to configure access control lists between organizations. Cross-lineage requests — any attempt by one organization's principals to view, fund, or control another's — are rejected at the protocol layer regardless of custody mode.
Within lineage
Agents and humans within the same organization can transact, view balances, and request approvals according to their policies.
Cross-lineage
Requests from outside the lineage are rejected before any custody logic runs. There is no ACL to misconfigure.
Isolation applies identically in both self-custody and guarded custody modes
Related
Mints Identity
The DID and key management layer that underpins every custody account — who signs, who approves, and who recovers.
Related
Security commitments
The six architectural commitments that define Mints — of which the custody spectrum is commitment six.
Related
Solutions for treasury teams
How Mints Custody fits into a full treasury practice — policy, approvals, reconciliation, and compliance.
Put your treasury behind the right custody model.
Mints Custody is in early access. Tell us what your org treasury needs — and we'll show you how the spectrum works in practice.