
# Custody-free model

Andromeda never persists a complete private key for your users, and for the Encrypt surface it never signs your transactions at all. It uses three patterns, listed in decreasing order of "Andromeda touches nothing": `prepare -> submit`, `challenge -> submit`, and (for MCP-created wallets) `passphrase-wrapped`.

## Pattern 1: `prepare -> submit` (unsigned transactions)

Used across the Encrypt FHE surface and parts of the Ika surface.

1. You call a `.../prepare` endpoint with the parameters of the operation.
2. Andromeda builds the transaction and returns it as base64 (`unsignedTx`), without signing.
3. You sign it locally with the relevant key.
4. You submit the signed transaction (for FHE, `POST /v1/graph/submit`; for private transactions, `POST /v1/private-tx/submit`).
5. Andromeda broadcasts it and reports the result.

The private key never leaves the client. Andromeda only ever sees an already-signed transaction.

## Pattern 2: `challenge -> submit` (32-byte challenges, gas sponsored)

Used by recovery and other flows where the user should not need any chain-specific wallet or gas. See [Wallet-agnostic & challenge auth](/hub/andromeda/concepts/wallet-agnostic.md).

1. You call a `.../challenge` endpoint. Andromeda returns a 32-byte challenge plus the expected replay nonce.
2. The user signs the 32 bytes off-chain with whatever credential they control (a wallet, a passkey, an OAuth-linked identity).
3. You call `.../submit` with the signature and the nonce.
4. Andromeda assembles the Solana transaction, **pays the gas itself**, includes the signature so the on-chain program (and the Solana runtime precompile) can verify it, and broadcasts it.

Andromeda never produces the user's signature. It can choose *when* to submit, but it cannot forge approval. See [Zero attestor](/hub/andromeda/concepts/zero-attestor.md).
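The sketch below is an added example, not Andromeda's code or API. It models why a sponsor that assembles and pays for the transaction still cannot forge or replay approval. Assumptions: the credential is an Ed25519 key, the challenge is a hash of a domain string, an action name and the nonce, and all function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Assumed challenge layout (not Andromeda's): SHA-256(domain || action || nonce u64 LE).
function buildChallenge(action, nonce) {
  const n = Buffer.alloc(8);
  n.writeBigUInt64LE(BigInt(nonce));
  return crypto.createHash('sha256')
    .update('example-challenge-v1').update(action).update(n).digest();
}

// Stand-in for on-chain policy state: the user's public key and a replay counter.
const makePolicy = (publicKey) => ({ publicKey, nonce: 0 });

// Step 1 (service): return the 32-byte challenge and the nonce it was built from.
function issueChallenge(policy, action) {
  return { challenge: buildChallenge(action, policy.nonce), nonce: policy.nonce };
}

// Step 2 (user): sign exactly 32 bytes with a key the service never sees.
function userSign(challenge, privateKey) {
  if (challenge.length !== 32) throw new Error('expected a 32-byte challenge');
  return crypto.sign(null, challenge, privateKey); // Ed25519
}

// Step 4 (verifier): recompute the challenge rather than trusting the submitter.
function verifyAndConsume(policy, action, nonce, signature) {
  if (nonce !== policy.nonce) return 'rejected: stale nonce';
  const expected = buildChallenge(action, policy.nonce);
  if (!crypto.verify(null, expected, policy.publicKey, signature)) {
    return 'rejected: bad signature';
  }
  policy.nonce += 1; // consuming the nonce makes the signature single-use
  return 'accepted';
}

function demo() {
  const user = crypto.generateKeyPairSync('ed25519');
  const sponsor = crypto.generateKeyPairSync('ed25519'); // service's gas-sponsor key
  const policy = makePolicy(user.publicKey);
  const { challenge, nonce } = issueChallenge(policy, 'recover');
  const sig = userSign(challenge, user.privateKey);
  return {
    forged: verifyAndConsume(policy, 'recover', nonce,
      crypto.sign(null, challenge, sponsor.privateKey)),
    first: verifyAndConsume(policy, 'recover', nonce, sig),
    replay: verifyAndConsume(policy, 'recover', nonce, sig),
    rebound: verifyAndConsume(policy, 'recover', policy.nonce, sig),
  };
}
```

`demo()` rejects a signature made with the sponsor key, accepts the user's signature once, then rejects the same signature both under the old nonce and under the new one.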

## Pattern 3: passphrase-wrapped (MCP-created wallets)

Used by `create_dwallet` / `sign_message` (the MCP tools), where the goal is zero client install — the user runs nothing, so the 2PC-MPC client side has to happen server-side.

1. You (or an agent) call `POST /v1/dwallet/create` with a **passphrase**.
2. Andromeda generates the dWallet's signer key, derives a wrapping key from the passphrase (Argon2id), encrypts the signer key with it (AES-256-GCM), and stores **only the ciphertext**. The passphrase and the plaintext key are never written to disk.
3. The plaintext key lives in server memory only for the DKG (and again, briefly, for each `sign_message`), then is discarded.

This is **not permanent custody** — Andromeda cannot decrypt the key without the passphrase. The trade-off it does carry: a brief in-memory exposure of the plaintext key during create/sign (a compromised server in that window could capture it). It's the cost of "no client install"; acceptable for pre-alpha/devnet. A lost passphrase is not a lost wallet — the dWallet, once delegated to a [`rules-policy`](/hub/andromeda/guides/deploy-policy/rules-policy.md), is recoverable on-chain by its primary owner / quorum, independent of the passphrase. See [Create a dWallet](/hub/andromeda/getting-started/create-dwallet.md) for the full flow.
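A minimal model of the wrap/unwrap step, as an added example rather than Andromeda's implementation. Node's built-in scrypt stands in for Argon2id (which the page specifies but Node's standard library does not reliably ship), and the AAD label, parameters and function names are assumptions.

```javascript
const crypto = require('node:crypto');

// scrypt is a stand-in KDF here; the page specifies Argon2id. Parameters are assumed.
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const AAD = Buffer.from('dwallet-signer-v1'); // hypothetical context label

function deriveWrappingKey(passphrase, salt) {
  return crypto.scryptSync(passphrase.normalize('NFKC'), salt, 32, KDF);
}

// Returns the only record that would be persisted: salt, nonce, ciphertext, tag.
// Neither the passphrase nor the plaintext signer key appears in it.
function wrapKey(signerKey, passphrase) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // 96-bit GCM nonce, fresh per encryption
  const kek = deriveWrappingKey(passphrase, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', kek, iv);
  cipher.setAAD(AAD);
  const ct = Buffer.concat([cipher.update(signerKey), cipher.final()]);
  const tag = cipher.getAuthTag();
  kek.fill(0); // best-effort wipe of the wrapping key
  return { salt, iv, ct, tag };
}

// Returns the plaintext key, or null when the passphrase is wrong or the
// stored record was modified (GCM tag verification fails in final()).
function unwrapKey(record, passphrase) {
  const kek = deriveWrappingKey(passphrase, record.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', kek, record.iv);
  decipher.setAAD(AAD);
  decipher.setAuthTag(record.tag);
  try {
    return Buffer.concat([decipher.update(record.ct), decipher.final()]);
  } catch {
    return null;
  } finally {
    kek.fill(0);
  }
}
```

The buffer returned by `unwrapKey` is the in-memory exposure the section describes: callers should use it for the single operation and overwrite it afterwards.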

## What Andromeda does sign

Andromeda holds one keypair used only as a **gas sponsor** for the flows it controls (recovery deploys, primary recovery, quorum sessions, policy admin actions). That keypair pays Solana fees and acts as the fee payer on transactions Andromeda assembles. It is never an authority over a dWallet and never a signer that the on-chain policies treat as the user.

## Why this matters for you

* You can integrate from any language without shipping a key to Andromeda.
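* A compromise of Andromeda's stored data does not expose user keys, and Andromeda cannot move user funds outside of policy. The exception is the brief in-memory window of Pattern 3, where a server compromised during create/sign could capture the plaintext key.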
* The destination chain is your responsibility for the FHE surface: you assemble and broadcast there. For Ika flows that Andromeda sponsors, it does the Solana side for you.


