Vaults
Vaults are secure wallet containers that hold blockchain addresses and signing keys. They are the foundation of asset custody in Cubewire.
What is a Vault?
A vault represents a secure wallet with:
- Blockchain Address — Unique address on supported networks
- Signing Capability — Ability to sign transactions and messages
- Security Model — MPC or HSM key protection
- Organizational Ownership — Belongs to your organization
Vault Types
Cubewire currently supports HSM vault security with MPC vaults coming soon. You must specify the vault type when creating a vault to ensure compatibility as additional vault types become available.
HSM (Hardware Security Module)
Currently Available — HSM vaults store keys in certified tamper-resistant hardware, providing enterprise-grade security for digital asset custody.
| Property | Description |
|---|---|
| Key Storage | FIPS 140-2 Level 3 certified hardware |
| Key Export | Impossible — keys never leave HSM |
| Signing | Hardware-accelerated cryptographic operations |
| Best For | Regulatory compliance, traditional finance |
Key Security Features:
- Tamper-resistant hardware — Physical security protections against unauthorized access
- Certified compliance — FIPS 140-2 Level 3 certification for regulatory requirements
- Key isolation — Private keys never leave the secure hardware boundary
- Audit logging — All key operations are logged for compliance and forensics
When to Use HSM:
- Organizations requiring FIPS 140-2 compliance
- Traditional financial institutions
- High-value asset custody
- Regulatory reporting requirements
MPC (Multi-Party Computation)
Coming Soon — MPC vaults will distribute the private key across multiple parties, eliminating single points of failure.
| Property | Description |
|---|---|
| Key Distribution | Split across multiple computation parties |
| Reconstruction | Key never reconstructed in single location |
| Signing | Threshold signature scheme (e.g., 2-of-3) |
| Best For | High-security institutional custody |
Planned Security Features:
- No single point of failure — No single party has the complete key
- Distributed security — Private key is never reconstructed in one location
- Threshold signing — Requires multiple parties to collaborate
Vault Properties
| Field | Type | Description |
|---|---|---|
| id | UUID | Unique vault identifier (auto-generated) |
| name | string | Human-readable name (unique within organization, max 255 char) |
| type | enum | Vault type - HSM (currently supported) or MPC (coming soon) |
| status | enum | Vault status - active or inactive |
| keyStatus | enum | Key generation status - ready, pending, or failed |
| keyError | string | Error message if key generation failed (nullable) |
| userId | UUID | ID of user who created the vault |
| organizationId | UUID | Organization ID that owns the vault |
| address | string | Blockchain address (0x..., null until key generation complete) |
| bsb | string | Bank State Branch code (Australian banking integration, nullable) |
| accountNumber | string | Bank account number (for traditional banking integration, nullable) |
| groupName | string | Organizational grouping (e.g., 'Finance Department', nullable) |
| tags | string[] | Metadata tags for categorization and filtering |
| createdAt | datetime | Creation timestamp (ISO 8601, UTC) |
| updatedAt | datetime | Last modification timestamp (ISO 8601, UTC) |
| assets | array | Array of asset balances associated with this vault |
| user | object | Nested user object containing user id |
Vault Capabilities
Transaction Signing
Vaults can sign and submit blockchain transactions:
- Native currency transfers (ETH, MATIC, etc.)
- ERC-20 token transfers
- Smart contract interactions
- Contract deployments
EIP-712 Typed Data Signing
Vaults support signing EIP-712 structured data for:
- DeFi permits (Uniswap, Aave)
- NFT marketplace orders (OpenSea Seaport)
- Gasless transactions (meta-transactions)
- Custom typed data
Gas Estimation
Before submitting transactions, vaults can estimate gas fees to help you:
- Calculate transaction costs
- Set appropriate gas limits
- Optimize transaction timing
Common Use Cases
Treasury Management
Long-term storage of organizational funds with maximum security.
- Use HSM for regulatory compliance
- Apply strict approval policies
- Limit authorized signers
Operational Payments
Day-to-day transactions such as payroll and vendor payments.
- Use MPC for flexibility (once MPC vaults are available)
- Set transaction limits
- Enable automated approvals for routine payments
Client Settlements
Processing customer transactions and settlements.
- Dedicated vaults per client or pool
- Automated reconciliation
- Audit trail per vault
Best Practices
Security Recommendations
| Recommendation | Description |
|---|---|
| Deactivate unused vaults | Reduce attack surface |
| Regular audits | Review vault inventory periodically |
| Separate hot/cold | Use different vaults for different risk profiles |
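A periodic inventory review along these lines can be scripted against the fields in the Vault Properties table. The following is an added example, not Cubewire code: the sample records are constructed, and both the 180-day threshold and the use of updatedAt as a stand-in for real activity are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: field names follow the Vault Properties table,
# all values are made up.
SAMPLE_VAULTS = [
    {"name": "treasury-cold", "type": "HSM", "status": "active",
     "keyStatus": "ready", "keyError": None, "address": "0x" + "a1" * 20,
     "groupName": "Finance Department", "tags": ["cold"],
     "updatedAt": "2025-05-20T09:00:00Z"},
    {"name": "old-pilot", "type": "HSM", "status": "active",
     "keyStatus": "ready", "keyError": None, "address": "0x" + "b2" * 20,
     "groupName": None, "tags": [], "updatedAt": "2024-01-10T12:00:00Z"},
    {"name": "payroll", "type": "HSM", "status": "active",
     "keyStatus": "failed", "keyError": "HSM timeout (constructed)",
     "address": None, "groupName": "Finance Department", "tags": ["hot"],
     "updatedAt": "2025-05-30T08:30:00Z"},
]

# Assumption: local review threshold, not a Cubewire setting.
STALE_AFTER = timedelta(days=180)


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp, accepting a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_vault(vault, now):
    """Return a list of findings for one vault record."""
    findings = []
    if vault["keyStatus"] == "failed":
        findings.append("key generation failed: %s" % vault.get("keyError"))
    elif vault["keyStatus"] == "pending":
        findings.append("key generation still pending")
    elif not vault.get("address"):
        findings.append("keyStatus is ready but address is null")
    if vault["status"] == "active":
        # Assumption: updatedAt stands in for a real activity signal.
        if now - parse_ts(vault["updatedAt"]) > STALE_AFTER:
            findings.append("active but unchanged for 180+ days: review for deactivation")
        if not vault.get("tags") or not vault.get("groupName"):
            findings.append("no tags or groupName: owner and risk profile unclear")
    return findings


def audit_inventory(vaults, now=None):
    """Map vault name -> findings, omitting vaults with no findings."""
    now = now or datetime.now(timezone.utc)
    return {v["name"]: f for v in vaults if (f := audit_vault(v, now))}
```

In practice the input would be the response of the list-vaults endpoint, and a transaction-history signal would replace updatedAt where one is available.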
Related Topics
- Transactions — Initiating transactions from vaults
- Networks — Supported blockchain networks
API Reference
For complete API documentation including endpoints, request/response examples, and code samples:
- List all vaults — GET /api/v1/vaults
- Get vault by ID — GET /api/v1/vaults/{id}
- Get vault by blockchain address — GET /api/v1/vaults/address/{address}