Use this decision tree to identify the right signer configuration for your use case. If you are not yet familiar with the different signer types, start with Wallet Signers first.Documentation Index
Fetch the complete documentation index at: https://docs.crossmint.com/llms.txt
Use this file to discover all available pages before exploring further.
Step 1: Who is the wallet for?
| Controller | Go to |
|---|---|
| End users (consumers, retail) | Step 2a (below) |
| Your company (treasury, operations, disbursements) | Step 2b (below) |
| AI agents | Step 2c (below) |
Step 2a: User wallets — does the user need self-custody?
| Answer | Operational signer | Recovery signer | Configuration |
|---|---|---|---|
| Yes — user must be sole custodian | Device key or Passkey | Email OTP + optional SMS OTP | Non-custodial user wallet |
| No — your company manages wallets on behalf of users | Cloud KMS or Server signer | Cloud KMS (recovery) | Custodial user wallet |
| Hybrid — user custody with limited company access | User: Device key / Passkey + Company: Server signer (scoped) | Email OTP | Scoped custody |
Choosing between device key and passkey
Choosing between device key and passkey
| Criterion | Device key | Passkey |
|---|---|---|
| Silent signing (no user prompt per tx) | ✓ (default) | ✗ (always requires biometric) |
| Cross-device sync | ✗ (single device) | ✓ (via iCloud, Google, 1Password) |
| Best for | High-frequency actions, invisible UX | Explicit user confirmation, multi-device |
Step 2b: Company wallets — what level of key security do you need?
| Scenario | Operational signer | Recovery signer | Configuration |
|---|---|---|---|
| Production treasury or high-value operations | Cloud KMS | Cloud KMS (recovery) in a separate account/region | Treasury wallet |
| Development, staging, or low-risk operations | Server signer | Cloud KMS (recovery) or Externally custodied key | Treasury wallet |
Step 2c: Agent wallets — who hosts the agent?
| Host | Operational signer | Recovery signer | Configuration |
|---|---|---|---|
| User-hosted (self-managed infrastructure) | Server signer or Cloud KMS | Externally custodied key | User-hosted agent |
| Platform-hosted (you run agents on behalf of users) | User: Passkey + Agent: Server signer (scoped) | Email OTP | Platform-hosted agent |
Step 3: Do you need account recovery?
Almost always yes. The only exception is server-side wallets where you control all key material and have your own backup procedures.| Wallet type | Minimum recommended recovery | Enhanced recovery |
|---|---|---|
| User wallets | Email OTP | Email OTP + SMS OTP + Managed support center |
| Company wallets | Cloud KMS (recovery) | Cloud KMS + Externally custodied key |
| Agent wallets | Email OTP or Externally custodied key | Depends on hosting model |
For enterprise clients, the Crossmint team is happy to provide architectural guidance and review your setup before you go to production. Get in touch to schedule a session with the solutions team.
Next Steps
Registering a Signer
Learn how to add operational signers to a wallet.
Common Signer Configurations
Blueprints for common configurations we see amongst our clients.