> ## Documentation Index
> Fetch the complete documentation index at: https://docs.crossmint.com/llms.txt
> Use this file to discover all available pages before exploring further.
# Signer Decision Tree
> A step-by-step guide to picking the right operational and recovery signers for your wallet architecture.
**You are viewing docs for the previous version of the Wallets SDK.** We recommend upgrading to V1.
See the [updated version of this page](/wallets/concepts/custody-models) or the [V1 migration guide](/wallets/guides/migrate-to-v1).
Use this decision tree to identify the right signer configuration for your use case. If you are not yet familiar with the different signer types, start with [Wallet Signers](/wallets/v0/concepts/wallet-signers) first.
## Step 1: Who is the wallet for?
| Controller | Go to |
| -------------------------------------------------- | --------------- |
| End users (consumers, retail) | Step 2a (below) |
| Your company (treasury, operations, disbursements) | Step 2b (below) |
| AI agents | Step 2c (below) |
## Step 2a: User wallets — does the user need self-custody?
| Answer | Operational signer | Recovery signer | Configuration |
| ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
| Yes — user must be sole custodian | [Device key](/wallets/v0/concepts/wallet-signers#device-key) or [Passkey](/wallets/v0/concepts/wallet-signers#passkey) | [Email OTP](/wallets/v0/concepts/wallet-signers#email-otp) + optional [SMS OTP](/wallets/v0/concepts/wallet-signers#sms-otp) | [Non-custodial user wallet](/wallets/v0/concepts/common-signer-configurations#non-custodial-user-wallets) |
| No — your company manages wallets on behalf of users | [Cloud KMS](/wallets/v0/concepts/wallet-signers#cloud-kms) or [Server signer](/wallets/v0/concepts/wallet-signers#server-signer) | [Cloud KMS (recovery)](/wallets/v0/concepts/wallet-signers#cloud-kms-recovery) | [Custodial user wallet](/wallets/v0/concepts/common-signer-configurations#custodial-user-wallets) |
| Hybrid — user custody with limited company access | User: [Device key](/wallets/v0/concepts/wallet-signers#device-key) / [Passkey](/wallets/v0/concepts/wallet-signers#passkey) + Company: [Server signer](/wallets/v0/concepts/wallet-signers#server-signer) (scoped) | [Email OTP](/wallets/v0/concepts/wallet-signers#email-otp) | [Scoped custody](/wallets/v0/concepts/common-signer-configurations#scoped-custody) |
| Criterion | Device key | Passkey |
| -------------------------------------- | ------------------------------------ | ---------------------------------------- |
| Silent signing (no user prompt per tx) | ✓ (default) | ✗ (always requires biometric) |
| Cross-device sync | ✗ (single device) | ✓ (via iCloud, Google, 1Password) |
| Best for | High-frequency actions, invisible UX | Explicit user confirmation, multi-device |
## Step 2b: Company wallets — what level of key security do you need?
| Scenario | Operational signer | Recovery signer | Configuration |
| -------------------------------------------- | ------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------- |
| Production treasury or high-value operations | [Cloud KMS](/wallets/v0/concepts/wallet-signers#cloud-kms) | [Cloud KMS (recovery)](/wallets/v0/concepts/wallet-signers#cloud-kms-recovery) in a separate account/region | [Treasury wallet](/wallets/v0/concepts/common-signer-configurations#treasury-wallets) |
| Development, staging, or low-risk operations | [Server signer](/wallets/v0/concepts/wallet-signers#server-signer) | [Cloud KMS (recovery)](/wallets/v0/concepts/wallet-signers#cloud-kms-recovery) or [Externally custodied key](/wallets/v0/concepts/wallet-signers#externally-custodied-key) | [Treasury wallet](/wallets/v0/concepts/common-signer-configurations#treasury-wallets) |
## Step 2c: Agent wallets — who hosts the agent?
| Host | Operational signer | Recovery signer | Configuration |
| --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- |
| User-hosted (self-managed infrastructure) | [Server signer](/wallets/v0/concepts/wallet-signers#server-signer) or [Cloud KMS](/wallets/v0/concepts/wallet-signers#cloud-kms) | [Externally custodied key](/wallets/v0/concepts/wallet-signers#externally-custodied-key) | [User-hosted agent](/wallets/v0/concepts/common-signer-configurations#user-hosted-agents) |
| Platform-hosted (you run agents on behalf of users) | User: [Passkey](/wallets/v0/concepts/wallet-signers#passkey) + Agent: [Server signer](/wallets/v0/concepts/wallet-signers#server-signer) (scoped) | [Email OTP](/wallets/v0/concepts/wallet-signers#email-otp) | [Platform-hosted agent](/wallets/v0/concepts/common-signer-configurations#platform-hosted-agents) |
## Step 3: Do you need account recovery?
Almost always **yes**. The only exception is server-side wallets where you control all key material and have your own backup procedures.
| Wallet type | Minimum recommended recovery | Enhanced recovery |
| --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------- |
| User wallets | [Email OTP](/wallets/v0/concepts/wallet-signers#email-otp) | Email OTP + [SMS OTP](/wallets/v0/concepts/wallet-signers#sms-otp) + [Managed support center](/wallets/v0/concepts/wallet-signers#managed-support-center) |
| Company wallets | [Cloud KMS (recovery)](/wallets/v0/concepts/wallet-signers#cloud-kms-recovery) | Cloud KMS + [Externally custodied key](/wallets/v0/concepts/wallet-signers#externally-custodied-key) |
| Agent wallets | [Email OTP](/wallets/v0/concepts/wallet-signers#email-otp) or [Externally custodied key](/wallets/v0/concepts/wallet-signers#externally-custodied-key) | Depends on hosting model |
For enterprise clients, the Crossmint team is happy to provide architectural guidance and review your setup before you go to production. Get in touch to schedule a session with the solutions team.
## Next Steps
Learn how to add operational signers to a wallet.
Blueprints for common configurations we see amongst our clients.