Step 1: Who is the wallet for?
| Controller | Go to |
|---|---|
| End users (consumers, retail) | Step 2a (below) |
| Your company (treasury, operations, disbursements) | Step 2b (below) |
| AI agents | Step 2c (below) |
Step 2a: User wallets — does the user need self-custody?
| Answer | Operational signer | Recovery signer | Configuration |
|---|---|---|---|
| Yes — user must be sole custodian | Device key or Passkey | Email OTP + optional SMS OTP | Non-custodial user wallet |
| No — your company manages wallets on behalf of users | Cloud KMS or Server key | Cloud KMS (recovery) | Custodial user wallet |
| Hybrid — user custody with limited company access | User: Device key / Passkey + Company: Server key (scoped) | Email OTP | Scoped custody |
Choosing between device key and passkey
| Criterion | Device key | Passkey |
|---|---|---|
| Silent signing (no user prompt per tx) | ✓ (default) | ✗ (always requires biometric) |
| Cross-device sync | ✗ (single device) | ✓ (via iCloud, Google, 1Password) |
| Best for | High-frequency actions, invisible UX | Explicit user confirmation, multi-device |
Step 2b: Company wallets — what level of key security do you need?
| Scenario | Operational signer | Recovery signer | Configuration |
|---|---|---|---|
| Production treasury or high-value operations | Cloud KMS | Cloud KMS (recovery) in a separate account/region | Treasury wallet |
| Development, staging, or low-risk operations | Server key | Cloud KMS (recovery) or Externally custodied key | Treasury wallet |
Step 2c: Agent wallets — who hosts the agent?
| Host | Operational signer | Recovery signer | Configuration |
|---|---|---|---|
| User-hosted (self-managed infrastructure) | Server key or Cloud KMS | Externally custodied key | User-hosted agent |
| Platform-hosted (you run agents on behalf of users) | User: Passkey + Agent: Server key (scoped) | Email OTP | Platform-hosted agent |
Step 3: Do you need account recovery?
Almost always yes. The only exception is server-side wallets where you control all key material and have your own backup procedures.

| Wallet type | Minimum recommended recovery | Enhanced recovery |
|---|---|---|
| User wallets | Email OTP | Email OTP + SMS OTP + Managed support center |
| Company wallets | Cloud KMS (recovery) | Cloud KMS + Externally custodied key |
| Agent wallets | Email OTP or Externally custodied key | Depends on hosting model |
For enterprise clients, the Crossmint team is happy to provide architectural guidance and review your setup before you go to production. Get in touch to schedule a session with the solutions team.

