Custody Models
When building on the blockchain, one of the first architectural decisions you'll face is whether to create a custodial or non-custodial wallet. This decision affects how user accounts are managed, who holds the keys, how transactions are authorized, and the level of trust required from users.
Custodial Wallets
In a custodial wallet, the application or service controls the user's private keys and manages accounts on their behalf. This means the service can initiate transactions, manage assets, and even recover accounts for users. Services often use an omnibus account model: user funds sit in one or a few on-chain accounts controlled by the service, and each user's share is tracked in an internal ledger keyed by an internal identifier.
Characteristics
- User accounts are often held in a central ledger (database or omnibus account model).
- The backend signs transactions on behalf of users.
- User identity is typically tied to the service's authentication system.
- Suitable for services that want full control over user experience (e.g., exchanges).
Advantages
- Simplified UX since the user doesn't need to manage keys or sign every transaction.
- Easier account recovery and support.
- Greater ability to enforce compliance or transaction logic.
Tradeoffs
- Higher security and compliance responsibilities.
- Central point of failure: a compromise of the service's signing keys or internal ledger affects every user at once.
- Regulatory obligations in many jurisdictions (KYC, custody licenses, etc.).
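The omnibus model described above, as an added Python example that is not part of this documentation or of any Stellar SDK: it keeps per-user balances in an internal ledger behind a single on-chain account, attributes incoming deposits by the memo the depositor supplies, settles user-to-user transfers without touching the chain, and shows where the backend's controls (authentication is assumed to have happened upstream, balance check, policy limit, solvency invariant) sit before it signs a withdrawal with the omnibus key. The on-chain balance, transaction hashes, user ids and destination address are constructed values; a real service would read the balance and deposits from the network.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional, Set, Tuple

# Stellar amounts carry 7 decimal places (1 XLM = 10,000,000 stroops).
STROOP = Decimal("0.0000001")


class LedgerError(Exception):
    """Raised when an operation would break a ledger rule."""


def to_amount(value) -> Decimal:
    """Normalise an amount to stroop precision and reject non-positive values."""
    amt = Decimal(str(value)).quantize(STROOP)
    if amt <= 0:
        raise LedgerError(f"amount must be positive, got {amt}")
    return amt


@dataclass
class OmnibusLedger:
    """Internal ledger behind one omnibus account.

    Users never get their own on-chain account: their balances live only in this
    ledger, keyed by an internal user id that depositors place in the payment memo.
    """
    # Constructed: a real service would read the omnibus balance from the network.
    onchain_balance: Decimal = Decimal("0")
    withdrawal_limit: Decimal = Decimal("1000")       # policy control applied before the key is used
    balances: Dict[str, Decimal] = field(default_factory=dict)
    unattributed: Decimal = Decimal("0")              # deposits with no usable memo, held for review
    seen_deposits: Set[str] = field(default_factory=set)
    audit_log: List[Tuple[str, ...]] = field(default_factory=list)

    def open_account(self, user_id: str) -> None:
        self.balances.setdefault(user_id, Decimal("0"))

    def liabilities(self) -> Decimal:
        """Everything the service owes users, including funds not yet attributed."""
        return sum(self.balances.values(), Decimal("0")) + self.unattributed

    def check_solvency(self) -> bool:
        """Liabilities must never exceed what the omnibus account actually holds."""
        return self.liabilities() <= self.onchain_balance

    def credit_deposit(self, tx_hash: str, memo: Optional[str], amount) -> str:
        """Record an inbound payment to the omnibus account.

        Returns the credited user id, or "unattributed" when the memo maps to no user.
        The tx hash is remembered so a replayed deposit notification is not credited twice.
        """
        amt = to_amount(amount)
        if tx_hash in self.seen_deposits:
            raise LedgerError(f"deposit {tx_hash} already credited")
        self.seen_deposits.add(tx_hash)
        self.onchain_balance += amt
        if memo in self.balances:
            self.balances[memo] += amt
            self.audit_log.append(("deposit", tx_hash, memo, str(amt)))
            return memo
        self.unattributed += amt
        self.audit_log.append(("deposit-unattributed", tx_hash, memo or "", str(amt)))
        return "unattributed"

    def internal_transfer(self, sender: str, receiver: str, amount) -> None:
        """Move value between two users; only the ledger changes, nothing goes on-chain."""
        amt = to_amount(amount)
        if sender not in self.balances or receiver not in self.balances:
            raise LedgerError("unknown user")
        if self.balances[sender] < amt:
            raise LedgerError("insufficient balance")
        self.balances[sender] -= amt
        self.balances[receiver] += amt
        self.audit_log.append(("transfer", sender, receiver, str(amt)))

    def withdraw(self, user_id: str, destination: str, amount) -> dict:
        """Debit a user and return the payment the backend must sign with the omnibus key.

        This is where a custodial service applies its controls: the caller is expected
        to have authenticated user_id through the service's own login already, the
        balance must cover the amount, and the policy limit runs before any signing.
        """
        amt = to_amount(amount)
        if user_id not in self.balances:
            raise LedgerError("unknown user")
        if amt > self.withdrawal_limit:
            raise LedgerError(f"{amt} exceeds the per-withdrawal limit")
        if self.balances[user_id] < amt:
            raise LedgerError("insufficient balance")
        self.balances[user_id] -= amt
        self.onchain_balance -= amt          # leaves the omnibus account once the payment settles
        self.audit_log.append(("withdraw", user_id, destination, str(amt)))
        if not self.check_solvency():        # defence in depth: should be unreachable
            raise LedgerError("ledger became insolvent; halt withdrawals")
        # Constructed placeholder for the omnibus public key; the backend signs this payment.
        return {"source": "OMNIBUS_ACCOUNT_PLACEHOLDER", "destination": destination, "amount": str(amt)}


if __name__ == "__main__":
    led = OmnibusLedger()
    led.open_account("user-42")
    led.credit_deposit("constructed-tx-1", "user-42", "150.5")
    print(led.withdraw("user-42", "G_DESTINATION_PLACEHOLDER", "20"), led.check_solvency())
```

Two design points carry over to a real service: deposits without a known memo go to an "unattributed" bucket that still counts as a liability, and the solvency check runs after every debit so a logic bug surfaces as a halted withdrawal rather than as a silently overdrawn omnibus account.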
Non-Custodial Wallets
A non-custodial wallet allows the user to own and control their private keys. The wallet software facilitates key generation, signing, and submission of transactions, but never has access to the keys themselves.
Characteristics
- Accounts are controlled by end users; the application never has access to the private keys.
- The wallet app acts as an interface only.
- Can use different recovery mechanisms as described in the Key Management section.
Advantages
- No need to trust a third party to secure funds.
- User retains full control over assets and transaction authorization.
- Lower regulatory burden for the app provider in many jurisdictions.
Tradeoffs
- Harder to support account recovery or fraud protection.
- User education and key management UX become critical.
- Harder to hide XLM requirements (account reserves and transaction fees) from the user, although sponsored reserves make this possible.
Hybrid & Delegated Models
Some wallets use a hybrid model, where users control the keys but delegate signing rights to a secure enclave or a managed key provider (e.g., Privy, Turnkey, DFNS).
These setups:
- Retain non-custodial benefits while improving UX.
- Often integrate with social login or passkeys.
- Can be used to support both Classic and Smart Wallets.
Learn more about delegated signing and SEP-30 recovery:
- Signatures & Multisig
- SEP-30: Account Recovery
This documentation mainly assumes the reader is building a non-custodial wallet.