Keys that never existed. Wallets that never stop.
MPC-generated key shares, distributed across enclaved nodes, controlled by your governance, deployable in our cloud, your cloud, or your data center. Zero seed phrases. Zero key losses. Zero compromise across six years.
DFNS provided the secure wallet infrastructure we needed to launch our digital asset custody service for institutional clients.
Each key exists only as MPC shares distributed across independent enclaves. The complete key is never assembled, never stored, never exportable.
No BIP-39 mnemonic. No HD derivation. No piece of paper to lose. Each key's shares are generated independently inside enclaves.
A single key derives wallets on 100+ blockchains. Same address on every EVM chain. Rotate access at the key level — it propagates everywhere.
Managed SaaS, hybrid with shares on your infrastructure, or fully on-prem. Same MPC. Same security. Your choice of deployment.
Keys are the new ledger root
The cryptographic foundation underneath every wallet, every transaction, every signature on the DFNS platform.
MPC from the first byte
Every key is born distributed. A Threshold Signature Scheme generates independent shares across enclaved nodes. The complete key has never existed — and never will. No seed phrase to back up. No mnemonic to leak. No single point of failure to defend.
M-of-N shares required to sign. Compromise of any subset below threshold reveals nothing. Reconstruction is mathematically impossible, not just operationally restricted.
Each share is produced inside its own enclave from independent entropy. No master seed, no derivation tree, no shared origin to attack.
secp256k1, Ed25519, Stark, Schnorr/BIP-340. Every major signing curve supported. One key, every network that accepts the curve.
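The dealerless share generation and M-of-N property described above, as an added JavaScript example that is not Dfns code: each simulated node draws its own polynomial from independent entropy, and any threshold-sized subset applies its shares to a curve point without the joint secret ever being computed. Function names are hypothetical, and the sketch omits the commitment verification and the threshold ECDSA/EdDSA signing rounds a production protocol needs.

```javascript
// Added example, not Dfns code: toy dealerless keygen on secp256k1, nodes simulated in one process.
const P = 2n ** 256n - 2n ** 32n - 977n; // field prime
const N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141n; // group order
const G = [0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798n,
           0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8n];
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;
const mod = (a, m) => ((a % m) + m) % m;
const pow = (b, e, m) => {
  let r = 1n;
  for (b = mod(b, m); e > 0n; e >>= 1n, b = (b * b) % m) if (e & 1n) r = (r * b) % m;
  return r;
};
const inv = (a, m) => pow(a, m - 2n, m); // Fermat inverse, m is prime
const randScalar = () => // 320 random bits reduced into [1, N-1]
  mod(rng.getRandomValues(new Uint8Array(40)).reduce((a, b) => (a << 8n) | BigInt(b), 0n), N - 1n) + 1n;
function add(A, B) { // affine point addition; null is the point at infinity
  if (!A) return B;
  if (!B) return A;
  const [x1, y1] = A, [x2, y2] = B;
  if (x1 === x2 && mod(y1 + y2, P) === 0n) return null;
  const l = x1 === x2 ? 3n * x1 * x1 * inv(2n * y1, P) : (y2 - y1) * inv(x2 - x1, P);
  const x3 = mod(l * l - x1 - x2, P);
  return [x3, mod(l * (x1 - x3) - y1, P)];
}
function mul(k, A) { // double-and-add (not constant time)
  let R = null;
  for (k = mod(k, N); k > 0n; k >>= 1n, A = add(A, A)) if (k & 1n) R = add(R, A);
  return R;
}
// Every node samples its own polynomial f_i; the joint secret, the sum of f_i(0), is never computed.
function dkg(n, t) {
  const polys = Array.from({ length: n }, () => Array.from({ length: t }, randScalar));
  const at = (c, x) => c.reduceRight((acc, ci) => mod(acc * x + ci, N), 0n);
  const shares = Array.from({ length: n }, (_, j) => // node j+1 sums the sub-shares sent to it
    ({ id: BigInt(j + 1), s: polys.reduce((a, c) => mod(a + at(c, BigInt(j + 1)), N), 0n) }));
  const publicKey = polys.reduce((acc, c) => add(acc, mul(c[0], G)), null); // sum of f_i(0)*G
  return { shares, publicKey };
}
// Lagrange coefficient at x = 0 for node i within the participating subset `ids`.
const lagrange = (ids, i) =>
  ids.reduce((l, j) => (j === i ? l : mod(l * j * inv(j - i, N), N)), 1n);
// Each node applies only its own share to H; the partial points are then added.
function thresholdMul(subset, H) {
  const ids = subset.map((sh) => sh.id);
  return subset.reduce((acc, { id, s }) => add(acc, mul(lagrange(ids, id) * s, H)), null);
}
```

With `dkg(3, 2)`, any two shares passed to `thresholdMul(subset, G)` yield the same point as `publicKey`, while a single share yields an unrelated point.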
Shares across enclaves, geographies, and providers
Key shares live in independent Trusted Execution Environments across geographically distributed data centers. Cloud-region failures don't take signing offline. Operator compromise at any one site reveals nothing about the key.
Shares spread across multiple regions. Continent-level outages degrade availability gracefully, not catastrophically. SLA targets 99.95%+ signing uptime.
Each share is sealed inside a TEE. The host operator can't read it. The cloud provider can't read it. DFNS staff can't read it. Cryptographically, not contractually.
No single cloud provider, no single region, no single enclave. The signing quorum tolerates loss; the security model assumes some shares will be unreachable.
Keys, separated from credentials
The keys that sign blockchain transactions are completely separate from the credentials that authenticate API calls. A compromised API key cannot forge a signature. A compromised passkey cannot extract a share. Two distinct security domains, two distinct attack surfaces, one unified governance model.
Passkeys and API keys authenticate intent. MPC keys authorize blockchain action. Compromise of one doesn't grant the other — even by DFNS staff.
Every signing operation runs through the policy engine. Quorums, velocity caps, allowlists, KYT. The key signs only when the policy permits.
Hold the keys for your users. Or delegate signing authority to them. Same MPC infrastructure, different custody postures. Pick per wallet, not per platform.
Your choice of where the keys live
Managed cloud for speed. Hybrid for sovereignty. On-premises for regulation. Same MPC protocol, same security guarantees, same audited code — running where your risk appetite says it should.
All shares in DFNS-operated enclaves across multiple regions. Zero infrastructure to run. Highest deployment velocity. The default for most customers.
Some shares in DFNS enclaves, others in your cloud account or HSM. You hold a piece of the threshold. DFNS can't sign without you; you can't sign without DFNS.
Full MPC stack inside your data center or sovereign cloud. DFNS operates the software; you operate the infrastructure. For the strictest regulatory regimes.
Discover how Zodia Custody secures keys on DFNS.
“Thanks to their collaborative team and institutional-grade wallet platform, we've enhanced our operational capabilities and widened our business lines. Our security framework has also been reinforced by their state-of-the-art MPC cryptography.”
Four steps from key to signature
Generate the key. Derive wallets. Govern access. Sign safely. The same primitive whether you have one wallet or ten million.
Create a key the cryptographic way.
One API call. The MPC network generates independent shares across enclaves. No seed phrase produced. No master secret stored. The key is referenced by keyId and never exists in complete form.

// Generate an MPC key — distributed across enclaved signers from the start
const key = await dfnsApi.keys.createKey({
  body: {
    scheme: "ECDSA",      // or "EdDSA", "Schnorr"
    curve: "secp256k1",   // or "ed25519", "stark"
    name: "Treasury Master Key — EU Region"
  }
});
// key.id, key.publicKey, key.scheme, key.curve
// The private key is split, sealed, and distributed.
// It has never existed as a complete value, and never will.

One key, every chain you operate on.
Reference the same keyId to derive wallets on any compatible network. Same address on every EVM chain. Different address on Bitcoin or Solana, same underlying key. Rotate access once, propagate everywhere.

// Same key — wallets on Ethereum, Polygon, Base, Arbitrum, etc.
const ethereum = await dfnsApi.wallets.createWallet({
  body: { network: "Ethereum", signingKey: { id: key.id }, name: "Treasury — ETH" }
});
const polygon = await dfnsApi.wallets.createWallet({
  body: { network: "Polygon", signingKey: { id: key.id }, name: "Treasury — MATIC" }
});
// ethereum.address === polygon.address — same key, same EVM address
// On Bitcoin or Solana, different address derivation, same underlying key

Separate authentication from signing.
Passkeys and API credentials authenticate the request. MPC shares authorize the signature. Compromise of one doesn't compromise the other. Layer policies on top — quorums, limits, allowlists.

// Authenticate the request with a passkey-signed user action
const userActionSignature = await dfnsApi.auth.signUserAction({
  challenge,
  credential: await navigator.credentials.get({ publicKey: { challenge } })
});
// Sign a payload — the policy engine evaluates BEFORE the MPC network signs
const signature = await dfnsApi.keys.generateSignature({
  keyId: key.id,
  body: {
    kind: "Hash",
    hash: "0xabc...def" // 32-byte hash to sign
  },
  userActionSignature
});
// Authentication credential ≠ signing key. Two domains, two attack surfaces.
// Compromise of either alone signs nothing.

Pick where the shares live.
Managed SaaS for speed. Hybrid cloud when sovereignty matters. On-premises when regulation requires it. Same MPC protocol, same audited code, your choice of where the enclaves run.

// Managed SaaS — the default. All shares in Dfns enclaves.
const dfnsApi = new DfnsApiClient({
  baseUrl: "https://api.dfns.io",
  // ...
});

// Hybrid — you hold one or more shares in your own infrastructure
// Configured during onboarding; the signing flow is otherwise identical
// Dfns cannot sign without your share; you cannot sign without Dfns

// On-premises — entire MPC stack inside your data center
// Same SDK, different base URL, full operational control
const onPremApi = new DfnsApiClient({
  baseUrl: "https://dfns.your-bank.internal",
  // ...
});

Ready to see DFNS in action?
The new core for every fintech and institution going onchain.