Reference architectures/Hybrid

MPC wallet operations for digital assets

Governed transaction signing for Fireblocks, Fordefi, and Utila with quorum approvals, spend caps, and an append only audit trail.

FireblocksFordefiUtilaQuorum approvalsSpend capsWallet signing
Treasury ops
Treasury agent
Any LLM
Identity · Okta
Humans and agents
GatekeeperDeny by default
Spend caps · velocityENFORCED
Quorum approval4 EYES
Wallet signing in enclaveSEALED
Exactly once executionATOMIC
FireblocksFordefiUtilaAny MPC walletDirect API integration
Signed transaction is the only outputLayered spend ceilingsAttestation logged per signature

Dataflow

01

Treasury operators and agents authenticate through Okta. Each identity carries its own policy scope within the org ceiling.

02

A transaction request is canonicalized and hashed. Spend caps, velocity limits, and size thresholds evaluate first, in deterministic policy.

03

Transactions above threshold require quorum approval. Each approver reviews the exact recipient, amount, and chain bound to the hash.

04

On approval, signing happens inside the enclave against the wallet platform. The signed transaction is the only output; keys never leave.

05

Exactly once execution prevents a retry storm from double signing. A consumed approval returns the cached result instead of re executing.

06

Every decision, approval, and signature lands in the append only audit log with its attestation document hash.

Components

Wallet connectors

Direct, secure API integrations with Fireblocks, Fordefi, and Utila, plus support for any institutional MPC wallet.

Quorum approval workflow

Four eyes or full quorum sign off on high value operations, bound to the exact transaction parameters.

Layered spend policy

Org admins set ceilings that user policies can only narrow. A user cannot raise a limit an admin set.

Enclave wallet signing

Private keys exist in unwrappable form only inside enclave memory. The strongest form of the guarantee.

Append only audit log

Hash chained record of every decision and signature, aligned to 13 month retention by default.

Security considerations

The signed transaction is the only output. Private keys exist in unwrappable form only inside enclave memory.

Approvals bind to subject, issuer, tenant, and payload hash. An approval issued to one operator cannot be replayed by another.

Lower policy layers can only narrow. A user cannot raise the spend ceiling an org admin set.

Every decryption records its attestation document hash, so an incident review can reconstruct the exact decision path.

Deploy this architecture

Walk through the trust model, policy design, and rollout with our security and solutions team.

Learn moreAll architectures