Architecture

Crossmint wallets are designed to provide:

1. Flexibility: A single wallet primitive that supports many use cases — end-user wallets, treasury management, disbursements, and more.
2. High throughput and availability: Wallets scale to the maximum throughput available per chain, at the fastest speeds possible.
3. True ownership: You and your users fully own every wallet. Even if Crossmint were to disappear, wallets continue to function — no vendor lock-in, no dependency on Crossmint infrastructure.

All while abstracting out all blockchain complexity — operate with them via simple REST APIs and SDKs.

​

Dual Layer Architecture

Crossmint achieves this by separating two concerns: the wallet itself and the signers that control it.

​

The Core: Smart Contract Wallets

On EVM chains, Crossmint wallets are smart contract wallets implementing ERC-4337 with ERC-7579 modular extensions. Because the wallet is a smart contract, it lives natively on the blockchain — not in a private third-party server that you cannot audit or control. On Solana, wallets use program-derived addresses (PDAs) with equivalent programmatic control. On Stellar, wallets use Soroban smart contracts, with equivalent functionality and additional cost and developer experience improvements around the use of trustlines. This smart contract foundation enables:

• Seamless provider migration: If you wish to migrate, you can update the wallet’s recovery signers without changing the wallet address. Your users keep their address, balances, and transaction history regardless of infrastructure changes.
• Programmable authorization logic: Add multiple signers and recovery signers, with optional scoped permissions, with logic fully auditable onchain.
• Flexible gas sponsorship: Wallets can pay gas in USDC, native token, or billed to your Crossmint account.
• Easier post-quantum migration: Unlike wallets that couple wallet address with the underlying signer, Crossmint wallets will continue to operate with the same address once keys are upgraded to post-quantum cryptography.

All permissions are enforced onchain and fully auditable, removing the need to trust opaque infrastructure or Crossmint’s backend. The wallet logic stays visible, enforceable, and portable.

​

The Control Layer: Signers

A signer is a cryptographic identity — such as a device key, passkey, server key, or external wallet — authorized to approve actions on the wallet’s behalf. Every Crossmint wallet organizes its signers into two distinct roles:

• Signers handle day-to-day operations: authorizing transactions, signing messages, and interacting with protocols. By default, Crossmint wallets use a device signer — a P256 key generated inside the user’s device secure enclave (iOS Secure Enclave, Android Keystore, or a browser-based credential store). Signing adds zero latency and requires no network round-trip to Crossmint or any third-party server.
• Recovery signers are higher-friction signers used primarily for wallet recovery — for example, when a user switches to a new device and needs to enroll a new device key. Recovery signers use mechanisms like email OTP, SMS OTP, or server-held keys. They can also sign transactions as a fallback when no signer is available.

By decoupling signers from the wallet, Crossmint obtains higher performance signing with equivalent security, while reducing cost and lock-in significantly compared with cloud-TEE based systems. For end-user wallets, Crossmint uses the native key enclaves already present on your users’ devices: the Secure Enclave on iOS and the Keystore on Android. Signatures happen directly on user hardware with no network round-trip to Crossmint or any third-party server. This means signing adds zero latency compared to a direct blockchain transaction — unlike MPC-based architectures that require key reconstruction across distributed infrastructure before every signature, or cloud TEEs which require a network round trip. For server-side and AI agent wallets, Crossmint supports server key signers — a secret held in your own infrastructure that derives chain-specific keypairs deterministically. Signing happens entirely in-process with no external calls. For company and treasury wallets, Crossmint integrates with your existing cloud infrastructure — AWS KMS, Azure Key Vault, or GCP Cloud HSM. These Cloud KMS signers keep private keys non-extractable inside the provider’s hardware security module, supporting up to 1,000 cryptographic signing operations per second per key. For recovery, Crossmint provides additional signers based on email or phone number OTP. These recovery signers are added to the wallet’s onchain signer set, meaning recovery is enforced by the smart contract itself — not by Crossmint’s backend. See Signers for the full signer type reference and Recovery for how the recovery flow works.

​

What This Means in Practice

For end-user wallets, this architecture enables completely invisible, self-custodial wallets. Users sign transactions on their own device hardware without knowing a blockchain is involved. Gas is fully sponsored. There is no dependency on a third-party server to sign in or transact. And because the wallet is a smart contract, you have a clear migration path away from any provider — update the recovery signer and move on, keeping the same wallet address and all its assets. For server-side and AI agent wallets, you get low-latency, deterministic signing from your own infrastructure. A server key signer costs nothing per signing operation and supports throughput limited only by your backend. Separate recovery and signing secrets give you key rotation without wallet migration.