Overview
Planbok Customer Custody Wallets are MPC-powered wallets designed for end-users, enabling businesses to provide secure, non-custodial digital asset experiences for their customers.
Key Features
- Self-Custody (Customer Managed): The customer holds full control over their keys, secured by a personal PIN. Planbok never has access to the user's PIN or the resulting key share.
- 2-of-2 MPC Security: Private keys are split into two shares using Multi-Party Computation. One share stays with Planbok, and the other is protected by the user's PIN.
- PIN-Protected Operations: Critical actions like signing transactions or exporting keys require verification of the user's PIN, which is hashed and salted using industry-standard Argon2id.
- Wallet Export & Portability: Customers can export their private keys to use in external wallets such as MetaMask, Phantom, Trust Wallet, UniSat, MyNearWallet, and more. This is possible because the full private key can be deterministically reconstructed using the user's PIN-protected share.
- Self-Service Recovery: Built-in recovery flows using encrypted secrets tied to user-defined "Security Questions" or "Email Recovery" methods.
- Cross-Chain Identity: A single user identity can manage multiple wallets across all supported blockchains (Ethereum, Bitcoin, Solana, etc.) using hierarchical deterministic (HD) derivation.
Security Model
Planbok Customer Custody Wallets use a 2-of-2 MPC (Multi-Party Computation) model where the private key is never reconstructed in a single location. The security is enhanced by a client-side blinding mechanism:
- Planbok share (Node 2): Managed by Planbok's secure infrastructure.
- User-blinded share (Node 1): This share is "blinded" by the user's PIN. Planbok stores the blinded version (wrappedSecret) but lacks the key to unwrap it.
Zero-Knowledge Architecture
- No PIN Storage: Planbok only stores a cryptographic hash (Argon2id) of the PIN for verification. The actual PIN is never sent to or stored on the server.
- Client-Side Unwrapping: Signing operations only proceed when the client provides the encrypted_secret (derived from the user's PIN) in the request.
- Full Key Reconstruction for Export: When a user exports their wallet, Node 1's share is combined with Node 2's share and the user's PIN to reconstruct the original private key, ensuring true parity with traditional non-custodial wallets.
- Cryptographic Isolation: Even if Planbok infrastructure were fully compromised, an attacker would still need the user's individual PIN to access or use the second share held by Node 1.
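The following sketch is an added illustration, not Planbok's code or protocol: it models the PIN-blinded share and the export reconstruction described above with an additive 2-of-2 split over the secp256k1 group order. The function names, the additive blinding scheme and the use of scrypt (a standard-library stand-in for Argon2id) are all assumptions; in an actual MPC signing flow the two shares are never summed, so only the blinding and export steps are shown.

```python
import hashlib
import secrets

# Order of the secp256k1 group (public curve constant); shares are scalars mod N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def pin_mask(pin, salt):
    """Stretch the PIN into a scalar mask (scrypt stands in for Argon2id)."""
    raw = hashlib.scrypt(pin.encode(), salt=salt, n=2**14, r=8, p=1, dklen=40)
    return int.from_bytes(raw, "big") % N


def split_key(private_key):
    """Additive 2-of-2 split: share1 + share2 == private_key (mod N)."""
    share1 = secrets.randbelow(N - 1) + 1
    share2 = (private_key - share1) % N
    return share1, share2


def blind_share(share1, pin, salt):
    """Client side: produce the value the server may store (hypothetical wrappedSecret)."""
    return (share1 + pin_mask(pin, salt)) % N


def unblind_share(wrapped, pin, salt):
    """Client side: recover Node 1's share; a wrong PIN yields a wrong scalar."""
    return (wrapped - pin_mask(pin, salt)) % N


def export_key(wrapped, share2, pin, salt):
    """Export path only: combine both shares into the full private key."""
    return (unblind_share(wrapped, pin, salt) + share2) % N


def demo():
    """Constructed sample data: random key, random salt, example PINs."""
    salt = secrets.token_bytes(16)
    key = secrets.randbelow(N - 1) + 1
    share1, share2 = split_key(key)
    wrapped = blind_share(share1, "483920", salt)
    correct_pin_ok = export_key(wrapped, share2, "483920", salt) == key
    wrong_pin_ok = export_key(wrapped, share2, "000000", salt) == key
    stored_differs = wrapped != share1
    return correct_pin_ok, wrong_pin_ok, stored_differs


if __name__ == "__main__":
    print(demo())
```

In this model the stored value and Node 2's share together do not yield the key without the PIN-derived mask, which is the property the "Cryptographic Isolation" bullet describes.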
Use Cases
Retail Wallets & Apps
Integrate secure, white-label wallets into your consumer application for payments, loyalty points, or digital collectibles.
Gaming & Metaverses
Provide players with in-game wallets that they truly own, with easy onboarding and self-service recovery.
Neo-Banking & FinTech
Enable your customers to buy, hold, and send digital assets alongside traditional financial services with institutional security.
Getting Started
To implement customer wallets:
- Initialize Customer: Create a customer profile and associate it with your organization.
- Setup PIN: Guide the user through the PIN setup and recovery method configuration.
- Perform DKG: Use the API to trigger the Distributed Key Generation process for the user.
- Derive Wallets: Generate addresses for specific blockchains on-demand.