Architecture & Trust Model
This page explains where Embedded Wallet components live, what each part can access, and the trust assumptions you should design around.
High-level components
- User device (client): captures the authentication factors, derives the controlling key, and signs user-authorized actions.
- Smart account (on-chain): holds funds and enforces spending policies and recovery rules.
- App backend (optional): handles coordination, notifications, policy evaluation, and storage of recovery artifacts (never plaintext keys).
- Passkeys: a separate user-confirmation system (WebAuthn) for sensitive actions.
- Policy Engine: the rules layer that defines allowed actions and recovery configuration.
Data placement: what lives where
| Data / Capability | On-device | Off-chain backend | On-chain |
|---|---|---|---|
| Raw biometrics / visual input | ✅ | ❌ | ❌ |
| Derived controlling key (plaintext) | ✅ (ephemeral) | ❌ | ❌ |
| Smart account code + state | ❌ | ❌ | ✅ |
| Recovery configuration (timelocks, thresholds) | ✅ (as UI/config) | ✅ (as config) | ✅ (as enforced rules) |
| Passkeys (WebAuthn credentials) | ✅ (authenticator) | ❌ | ❌ |
| Timelocked fallback tx (if enabled) | ❌ | ✅ (stored) | ✅ (executed) |
| Guardian approvals (if enabled) | ❌ | optional | ✅ |