This page has been updated for Wallets SDK V1. If you are using the previous version, see the previous version docs or the V1 migration guide.
Custody determines who holds the cryptographic keys that control a wallet. In traditional finance, custody is binary — either the institution holds the assets or the customer does. In blockchain-based systems, custody is more nuanced because key management, transaction authorization, and asset storage can be separated across multiple parties. Crossmint’s signer architecture gives you fine-grained control over custody. The signers you choose — and who holds them — define your custody model.

What Is Custody?

Custody, in the context of digital assets, refers to who has the ability to authorize transactions on a wallet. It is not about where the wallet “lives” (it lives onchain) but about who holds the keys that can move assets. The question is straightforward: can your organization unilaterally sign a transaction on this wallet?
  • If yes — the wallet is custodial. Your organization is the custodian.
  • If no, only the end user can — the wallet is non-custodial (also called self-custodial)
  • If both parties must cooperate, or different operations require different parties — the wallet uses a hybrid model

Why Custody Matters

Custody classification affects multiple dimensions of your product:
| Dimension | Impact |
| --- | --- |
| Regulatory compliance | Many jurisdictions impose licensing requirements on custodial wallet providers. Non-custodial wallets generally face fewer regulatory obligations because the provider never controls user assets. |
| Liability | A custodian is responsible for safeguarding assets. If a custodial wallet is compromised, the custodian may bear liability. Non-custodial providers shift this responsibility to the end user. |
| User trust | Some users prefer self-custody for sovereignty and privacy. Others prefer custodial solutions for simplicity and recoverability. Your audience determines which model builds more trust. |
| Operational control | Custodial wallets let your organization enforce business rules — spending limits, approval workflows, compliance checks — at the signing layer. Non-custodial wallets delegate all authorization to the user. |
| Recovery | In custodial models, your organization can recover access to a wallet using its server keys. In non-custodial models, recovery depends entirely on the user’s recovery signer (email OTP, phone OTP, or external wallet). |

Custody Models in Crossmint

Crossmint does not impose a single custody model. Instead, your signer configuration determines custody. The three models below represent the most common patterns.

Non-Custodial (Self-Custodial)

In a non-custodial configuration, only the end user holds signing keys. Crossmint has no ability to authorize transactions or access the wallet’s assets.

Typical signer configuration:

| Role | Signer | Held by |
| --- | --- | --- |
| Signer | Device signer | User’s device (secure enclave) |
| Recovery | Email or phone OTP | User (via their email/phone) |

The device signer is generated inside the user’s hardware security module. The private key never leaves the device and is not extractable — not by your application, not by Crossmint, and not by the device operating system. The recovery signer (email or phone OTP) is similarly controlled by the user.

When to use:
  • Consumer applications where users expect self-sovereignty over their assets
  • Products where regulatory classification as a non-custodial provider is important
  • Applications where minimizing your organization’s liability for user assets is a priority

Custodial

In a custodial configuration, your organization holds all signing keys. You have full control over the wallet and can authorize transactions without user involvement.

Typical signer configuration:

| Role | Signer | Held by |
| --- | --- | --- |
| Signer | Server signer or Cloud KMS | Your infrastructure |
| Recovery | Server signer or Cloud KMS (different key) | Your infrastructure |

Both signers are server-side keys held in your backend. The primary key handles day-to-day signing. The recovery key (using a different secret or KMS key) provides key rotation and disaster recovery capability. Organizations with existing cloud KMS infrastructure can use Cloud KMS signers for stronger key isolation.

When to use:
  • Treasury, escrow, and operational wallets owned by your organization
  • Products where you need programmatic control over transaction approval (spending limits, compliance checks, multi-step workflows)
  • AI agent wallets where the agent is platform-hosted and acts on behalf of your organization
  • Scenarios where your organization is already a licensed custodian or plans to become one

Hybrid

Hybrid models distribute signing authority across multiple parties. Neither your organization nor the user can act unilaterally — both must participate in some capacity.

Example signer configuration:

| Role | Signer | Held by |
| --- | --- | --- |
| Signer | Device signer | User’s device |
| Additional signer | Server signer | Your infrastructure |
| Recovery | External wallet | User’s existing wallet |

Hybrid configurations are useful when you need to enforce organizational policies (compliance, rate limiting, fraud detection) while preserving user sovereignty over their assets. The specific signer combination depends on which operations require user consent versus organizational approval.

When to use:
  • Enterprise applications with compliance requirements that demand organizational oversight
  • Platforms that need to enforce transaction policies while giving users self-custody
  • Multi-signature workflows where different parties authorize different operations

Mapping Signers to Custody

The table below summarizes how common signer configurations map to custody models.
| Signer | Recovery signer | Custody model | Who can sign transactions? |
| --- | --- | --- | --- |
| Device signer | Email/phone OTP | Non-custodial | User only |
| Device signer | Server signer | Hybrid | User signs; organization recovers |
| Server signer | Server signer | Custodial | Organization only |
| Cloud KMS | Cloud KMS (different key) | Custodial | Organization only |
| Passkey | Email/phone OTP | Non-custodial | User only |
| External wallet | Server signer | Hybrid | User signs; organization recovers |
| Server signer | Email/phone OTP | Hybrid | Organization signs; user recovers |

Custody is not just about the signer. The recovery signer matters too — whoever controls recovery can add new signers to the wallet, which means they can eventually gain signing access. A wallet with a user-controlled signer but an organization-controlled recovery signer is a hybrid model, not non-custodial.
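
An added example, not Crossmint SDK code: a TypeScript check that derives the custody model from who holds each signer and the recovery signer, following the mapping above, and flags wallets whose declared model disagrees. The config shape, the `keyRef` labels and the sample wallets are hypothetical.

```typescript
// Hypothetical config shape for illustration; these are not Crossmint SDK types.
type SignerType = "device" | "passkey" | "email-otp" | "phone-otp"
  | "external-wallet" | "server" | "cloud-kms";
type Holder = "user" | "organization";
type CustodyModel = "non-custodial" | "custodial" | "hybrid";
interface Signer { type: SignerType; keyRef?: string } // keyRef: assumed key label
interface WalletConfig { name: string; declared: CustodyModel; signers: Signer[]; recovery: Signer }

// Who holds each signer type, per the tables on this page.
const HOLDER: Record<SignerType, Holder> = {
  "device": "user", "passkey": "user", "email-otp": "user", "phone-otp": "user",
  "external-wallet": "user", "server": "organization", "cloud-kms": "organization",
};

// Recovery counts toward custody: whoever controls it can add new signers.
function deriveCustody(cfg: WalletConfig): CustodyModel {
  const holders = cfg.signers.concat([cfg.recovery]).map((s) => HOLDER[s.type]);
  const userHeld = holders.filter((h) => h === "user").length;
  if (userHeld === holders.length) return "non-custodial";
  return userHeld === 0 ? "custodial" : "hybrid";
}

function audit(cfg: WalletConfig): string[] {
  const findings: string[] = [];
  const derived = deriveCustody(cfg);
  if (derived !== cfg.declared) {
    findings.push(`${cfg.name}: declared ${cfg.declared}, signers imply ${derived}`);
  }
  if (cfg.declared === "non-custodial" && HOLDER[cfg.recovery.type] === "organization") {
    findings.push(`${cfg.name}: organization-held recovery signer can add signers`);
  }
  // The custodial setup described on this page uses a different key for recovery.
  const rk = cfg.recovery.keyRef;
  if (rk !== undefined && cfg.signers.some((s) => s.keyRef === rk)) {
    findings.push(`${cfg.name}: recovery reuses signing key ${rk}`);
  }
  return findings;
}

// Constructed sample configurations.
const SAMPLE_WALLETS: WalletConfig[] = [
  { name: "consumer", declared: "non-custodial", signers: [{ type: "device" }], recovery: { type: "email-otp" } },
  { name: "mislabeled", declared: "non-custodial", signers: [{ type: "device" }], recovery: { type: "server", keyRef: "srv-a" } },
  { name: "treasury", declared: "custodial", signers: [{ type: "cloud-kms", keyRef: "kms-1" }], recovery: { type: "cloud-kms", keyRef: "kms-1" } },
];

function auditAll(cfgs: WalletConfig[]): string[] {
  return cfgs.reduce<string[]>((acc, c) => acc.concat(audit(c)), []);
}
```

`auditAll(SAMPLE_WALLETS)` returns three findings: two for the mislabeled wallet (it is hybrid, and the organization holds recovery) and one for the treasury wallet reusing its signing key for recovery.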

Compliance Considerations

Custody classification varies by jurisdiction and is subject to evolving regulation. The following are general considerations — not legal advice.
  • Non-custodial providers generally face fewer licensing requirements, but some jurisdictions are introducing regulations that apply to non-custodial wallet providers as well (for example, requirements around transaction monitoring or user identity verification).
  • Custodial providers in most jurisdictions need some form of financial services license (money transmitter license in the US, MiCA authorization in the EU, etc.). The specific requirements depend on the jurisdiction, the types of assets held, and the services offered.
  • Hybrid models are the most complex from a regulatory perspective. Classification depends on the specific signer configuration and the degree of control each party has.
Crossmint’s architecture gives you the flexibility to adjust your custody model as regulatory requirements evolve — you can add, remove, or change signers without migrating wallets or changing wallet addresses.

See Also

  • Signers: The full signer type reference and recommended configurations
  • Architecture: How the dual-layer architecture separates wallet logic from signer control