End-user wallets

Implement user managed wallets with delegated signing and end user onboarding.

End user wallets allow your application's users to own and control their digital assets while you provide the wallet infrastructure. This topic explains delegated wallet architecture, user onboarding, and wallet delegation.

What you need

  • Understanding of delegated wallets (see /advanced/delegated-wallets)
  • A service account for backend operations
  • A WebAuthn implementation for collecting passkeys

Components to configure

End user registration
Register end users with IBM Digital Asset Haven by using delegated registration flows. Users authenticate through your application and create a passkey during the process.
Wallet creation
Create wallets that will be owned by end users. Your service account creates the wallet and then delegates control to the user.
Wallet delegation
Delegate signing authority to the end user. After delegation:
  • Only the end user can authorize transactions with their passkey.
  • Your organization cannot move funds from the wallet.
  • Your organization cannot apply policies or controls to the wallet.
Policies do not apply to delegated wallets. Delegated wallets bypass the policy engine, so the end user has full control without any organizational approval requirements.
User recovery
End users may need to recover access if they lose their device. Implement recovery flows that allow users to register a new passkey.

Architecture overview

The delegated wallet model involves three components:

  1. Your backend: Authenticates users and proxies requests to IBM Digital Asset Haven.
  2. Your frontend: Collects passkey signatures from users.
  3. IBM Digital Asset Haven: Manages the distributed key infrastructure.
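The backend's role in this three-component model, and the "verify user identity before allowing wallet operations" and user recovery points from the sections below, shown as an added example. This is illustrative code, not code from IBM Digital Asset Haven: the upstream base URL, request paths, header names and JSON field names are assumptions, and the session and wallet-ownership tables are constructed sample data.

```python
# Added example, not IBM Digital Asset Haven code. The backend authenticates
# the user, checks that the user owns the wallet named in the request, and only
# then builds the upstream call that carries the service-account credential.
# UPSTREAM_BASE, the request paths and the JSON field names are assumptions.
import os
from dataclasses import dataclass
from typing import Optional

UPSTREAM_BASE = "https://haven.example.invalid/v1"  # assumed placeholder

# Constructed sample state; a real backend would use a session store and a
# database of wallet ownership populated when delegation completes.
SESSIONS = {"sess-alice-1": "alice", "sess-bob-1": "bob"}
WALLET_OWNERS = {"wallet-123": "alice", "wallet-456": "bob"}


class ProxyError(Exception):
    """Raised when a request must not be forwarded upstream."""


@dataclass(frozen=True)
class UpstreamRequest:
    method: str
    url: str
    headers: dict
    body: dict


def authenticate(session_token: Optional[str]) -> str:
    """Resolve the caller's session to a user id; anonymous requests never
    reach a wallet endpoint."""
    user = SESSIONS.get(session_token) if session_token else None
    if user is None:
        raise ProxyError("invalid session")
    return user


def authorize_wallet(user: str, wallet_id: str) -> None:
    """A user may act only on wallets delegated to them. The same error is
    used for an unknown wallet and for someone else's wallet so the response
    does not reveal which wallet ids exist."""
    if WALLET_OWNERS.get(wallet_id) != user:
        raise ProxyError("wallet not found")


def _service_credential(override: Optional[str]) -> str:
    """The service-account key lives only on the backend (environment or a
    secret store); it is never accepted from the client request."""
    key = override or os.environ.get("HAVEN_SERVICE_ACCOUNT_KEY")
    if not key:
        raise ProxyError("service account credential not configured")
    return key


def build_transaction_request(session_token, wallet_id, tx, passkey_assertion,
                              service_account_key=None) -> UpstreamRequest:
    """Forward a user-authorized transaction. The passkey assertion collected
    by the frontend is passed through untouched, together with the exact
    transaction the user reviewed; the backend cannot sign in the user's place."""
    user = authenticate(session_token)
    authorize_wallet(user, wallet_id)
    if not passkey_assertion:
        raise ProxyError("passkey assertion required")
    return UpstreamRequest(
        method="POST",
        url=f"{UPSTREAM_BASE}/wallets/{wallet_id}/transactions",  # assumed path
        headers={
            "Authorization": f"Bearer {_service_credential(service_account_key)}",
            "Content-Type": "application/json",
        },
        body={"transaction": tx, "userSignature": passkey_assertion},  # assumed fields
    )


def build_recovery_request(session_token, wallet_id, new_passkey, identity_reverified,
                           service_account_key=None) -> UpstreamRequest:
    """Register a replacement passkey for a user who lost their device. Because
    the new passkey will control the wallet, this path requires a fresh identity
    verification step (however your application performs it) on top of a
    valid session."""
    user = authenticate(session_token)
    authorize_wallet(user, wallet_id)
    if not identity_reverified:
        raise ProxyError("identity re-verification required")
    if not new_passkey:
        raise ProxyError("new passkey registration required")
    return UpstreamRequest(
        method="POST",
        url=f"{UPSTREAM_BASE}/wallets/{wallet_id}/passkeys",  # assumed path
        headers={
            "Authorization": f"Bearer {_service_credential(service_account_key)}",
            "Content-Type": "application/json",
        },
        body={"user": user, "passkey": new_passkey},  # assumed fields
    )
```

The two build functions return the request the backend would send rather than sending it, so the authorization decisions can be unit-tested without network access. Note that the service-account credential authenticates your organization to the platform but, for a delegated wallet, does not by itself authorize a transaction: the user's passkey assertion is still required.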
Transaction flow
When a user initiates a transaction with their delegated wallet:

Wallet model comparison
Aspect             | Org managed           | Delegated (user managed)
Signing authority  | Your organization     | End user with passkey
Policy enforcement | Yes                   | No, user has full control
Recovery           | Organization assisted | User dependent
User experience    | Simpler               | Requires passkey

Security considerations

Your responsibilities
Even with delegated wallets, your organization remains responsible for:
  • Protecting service account credentials
  • Securing backend infrastructure
  • Verifying user identity before allowing wallet operations
User responsibilities
Users are responsible for:
  • Protecting their passkeys
  • Reviewing transaction details
  • Understanding that they control their wallet
Passkey backup
Help users understand how to protect and back up their passkeys:
  • iCloud Keychain on Apple devices
  • Google Password Manager on Android and Chrome
  • Hardware security keys as a backup option