> ## Documentation Index
> Fetch the complete documentation index at: https://docs.crossmint.com/llms.txt
> Use this file to discover all available pages before exploring further.
# Common Signer Configurations
> Recommended operational and recovery signer setups for common wallet architectures.
**You are viewing docs for the previous version of the Wallets SDK.** We recommend upgrading to V1.
See the [updated version of this page](/wallets/concepts/signers) or the [V1 migration guide](/wallets/guides/migrate-to-v1).
This guide provides practical, opinionated signer configurations for common wallet architectures. Use it as a starting point, then adapt based on your threat model, regulatory constraints, and product requirements.
## Non-custodial user wallets
This is the most common configuration. Users are the custodians of their wallets, and your company is not.
| Slot | Recommended signers |
| ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Operational signers | [Device key](/wallets/v0/concepts/wallet-signers#device-key)
[Passkey](/wallets/v0/concepts/wallet-signers#passkey) |
| Recovery signers | [Email OTP](/wallets/v0/concepts/wallet-signers#email-otp)
[SMS OTP](/wallets/v0/concepts/wallet-signers#sms-otp) (optional)
[Managed support center](/wallets/v0/concepts/wallet-signers#managed-support-center) (optional) |
## Custodial user wallets
If you want to take custody over user wallets, two common approaches are: (1) you act as custodian, or (2) a licensed third-party custodian acts as custodian.
### You are the custodian
You hold the operational signer in your infrastructure and sign operations on behalf of users.
| Slot | Recommended signers |
| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Operational signers | [Server signer](/wallets/v0/concepts/wallet-signers#server-signer) (lower risk / early stage)
[Cloud KMS](/wallets/v0/concepts/wallet-signers#cloud-kms) (recommended for production) |
| Recovery signers | [Cloud KMS (recovery)](/wallets/v0/concepts/wallet-signers#cloud-kms-recovery) (separate account/region recommended)
[Externally custodied key](/wallets/v0/concepts/wallet-signers#externally-custodied-key) (optional)
[Managed support center](/wallets/v0/concepts/wallet-signers#managed-support-center) (optional) |
### Licensed third-party custodian
A licensed custodian holds the keys and operates the wallet. This can provide custodial features without your company taking custody directly.
Each custodian has specific integration requirements and signer configurations that depend on their infrastructure and compliance model.
Crossmint can help you set up a third-party custodian integration. Contact our team to get started.
## Treasury wallets
Treasury wallets typically prioritize strong controls, auditability, and operational safety.
| Slot | Recommended signers |
| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Operational signers | [Cloud KMS](/wallets/v0/concepts/wallet-signers#cloud-kms) |
| Recovery signers | [Cloud KMS (recovery)](/wallets/v0/concepts/wallet-signers#cloud-kms-recovery) (separate account/region recommended)
[Externally custodied key](/wallets/v0/concepts/wallet-signers#externally-custodied-key) (optional)
[Managed support center](/wallets/v0/concepts/wallet-signers#managed-support-center) (optional) |
## Agent wallets
Custody for AI agents depends on where the agent runs and who can access its runtime environment.
### User-hosted agents
When an agent runs in a user-controlled environment (for example, self-hosted), the user should remain the custodian.
| Slot | Recommended signers |
| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Operational signers | [Server signer](/wallets/v0/concepts/wallet-signers#server-signer) (user-managed)
[Cloud KMS](/wallets/v0/concepts/wallet-signers#cloud-kms) (user-managed) |
| Recovery signers | [Email OTP](/wallets/v0/concepts/wallet-signers#email-otp) (optional)
[Externally custodied key](/wallets/v0/concepts/wallet-signers#externally-custodied-key) |
### Platform-hosted agents
When you host agents on behalf of users, the key principle is to avoid a configuration where the platform host can unilaterally control agent wallets.
A common pattern is to use narrowly-scoped operational signers and require explicit user authorization for higher-risk actions.
| Slot | Recommended signers |
| ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Operational signers | [Passkey](/wallets/v0/concepts/wallet-signers#passkey) (user confirmation for sensitive actions)
[Server signer](/wallets/v0/concepts/wallet-signers#server-signer) (customer-managed, scoped permissions) |
| Recovery signers | [Email OTP](/wallets/v0/concepts/wallet-signers#email-otp)
[Managed support center](/wallets/v0/concepts/wallet-signers#managed-support-center) (optional) |
## Scoped custody
Some products need a self-custodial user wallet *plus* a limited, revocable company signer (for example, for repayments, subscriptions, or card settlement).
| Slot | Recommended signers |
| ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Operational signers | User: [Device key](/wallets/v0/concepts/wallet-signers#device-key) or [Passkey](/wallets/v0/concepts/wallet-signers#passkey)
Company (scoped, revocable): [Server signer](/wallets/v0/concepts/wallet-signers#server-signer) or [Cloud KMS](/wallets/v0/concepts/wallet-signers#cloud-kms) |
| Recovery signers | User recovery: [Email OTP](/wallets/v0/concepts/wallet-signers#email-otp) (recommended)
Optional hard fallback: [Externally custodied key](/wallets/v0/concepts/wallet-signers#externally-custodied-key) |
Whether a scoped company signer makes your company a custodian depends on whether you can unilaterally execute or block transactions and whether the user can revoke your access. See [Custody modalities](/wallets/v0/concepts/custody-modalities) for the definition.