Platform Overview
Stratos Vault is enterprise-grade multi-chain wallet infrastructure designed for institutions, financial services, and blockchain-native companies.
What is Stratos Vault?
Stratos Vault provides a complete wallet infrastructure solution that enables organizations to:
- Manage digital assets across multiple blockchain networks from a unified platform
- Deploy white-label instances with custom branding for clients or internal use
- Build integrated applications using a comprehensive SDK
- Leverage Canton Network for regulated, compliant smart contract operations
Unlike consumer wallets, Stratos Vault is built for organizations that need control, compliance, and scalability.
Core Capabilities
Multi-Chain Asset Management
Unified support for major blockchain ecosystems:
| Network | Capabilities |
|---|---|
| Ethereum & EVM | ETH, ERC-20 tokens, smart contracts, EIP-1559 transactions |
| Solana | SOL, SPL tokens, versioned transactions |
| Bitcoin | Native SegWit, UTXO management |
| TRON | TRX, TRC-20 tokens, smart contracts |
| TON | TON, Jettons, TON Connect compatible |
| Canton Network | Daml smart contracts, regulated tokenization |
WebAuthn Security Model
Enterprise authentication without the enterprise complexity:
- Passkey-based login - No passwords, no seed phrases
- Hardware-bound keys - Private keys never leave the device
- Phishing-resistant - Cryptographic origin binding
- Cross-platform - Works on any device with biometric or security key support
Edge-Native Architecture
Built on Cloudflare's global infrastructure:
- 300+ edge locations worldwide
- Sub-50ms latency for most users globally
- 99.99% uptime SLA-backed reliability
- Zero infrastructure management - No servers to maintain
Deployment Model
Each Stratos Vault deployment is an independent instance with:
┌────────────────────────────────────────────┐
│             Your Organization              │
│  ┌──────────────────────────────────────┐  │
│  │        Stratos Vault Instance        │  │
│  │  ┌────────────┐  ┌────────────────┐  │  │
│  │  │ Custom UI  │  │ Your Branding  │  │  │
│  │  │ & Apps     │  │ & Domain       │  │  │
│  │  └────────────┘  └────────────────┘  │  │
│  │  ┌────────────────────────────────┐  │  │
│  │  │      Isolated D1 Database      │  │  │
│  │  │   (Users, Sessions, Config)    │  │  │
│  │  └────────────────────────────────┘  │  │
│  └──────────────────────────────────────┘  │
└────────────────────────────────────────────┘
Key characteristics:
- Complete data isolation - Each instance has its own database
- Independent user management - Separate user registries per instance
- Custom configuration - RPC endpoints, assets, branding per deployment
- Canton Network integration - Optional connection to your Canton participant
Instance Administration
Each instance includes an administrative interface for:
| Function | Description |
|---|---|
| User Management | Create, modify, and remove user accounts |
| Role Assignment | Assign admin or user roles |
| Canton Party Allocation | Connect users to Canton identities |
| Asset Configuration | Define supported tokens and chains |
| RPC Endpoints | Configure blockchain node connections |
| Dock Apps | Manage integrated applications |
| Daml Packages | Deploy custom smart contract packages |
App Access Control
Stratos Vault supports granular access control for Dock Apps, allowing administrators to restrict which users can see and use specific applications.
Access Model
Apps follow an open-by-default access model:
| Scenario | Visibility |
|---|---|
| No access entries | App visible to all users |
| Access entries exist | App visible only to assigned users |
This allows organizations to:
- Keep general-purpose apps available to everyone
- Restrict sensitive apps (trading, treasury) to authorized users
- Provide different app experiences for different user groups
Managing App Access
Via Admin Interface
- Navigate to Apps in the admin panel
- Click the Users badge on an app to manage access
- Check/uncheck users to grant or revoke access
- If no users are checked, the app has no access entries and becomes open to everyone
Alternatively, from User Management:
- Navigate to Users in the admin panel
- Click App Access on a user row
- Check/uncheck apps to control that user's app visibility
Via API
List all app-user assignments:
GET /api/superadmin/app-access
Authorization: Bearer <session_token>
Grant user access to an app:
POST /api/superadmin/app-access
Authorization: Bearer <session_token>
Content-Type: application/json

{
  "user_id": "user-uuid",
  "app_id": "app-uuid"
}
Revoke user access from an app:
DELETE /api/superadmin/app-access?user_id=<user-uuid>&app_id=<app-uuid>
Authorization: Bearer <session_token>
Database Schema
Access control uses a junction table:
CREATE TABLE user_app_access (
  id TEXT PRIMARY KEY,
  user_id TEXT NOT NULL,
  app_id TEXT NOT NULL,
  granted_by TEXT,
  created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
  FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE,
  FOREIGN KEY (app_id) REFERENCES apps(id) ON DELETE CASCADE,
  UNIQUE(user_id, app_id)
);
When a user is deleted, their app access entries are automatically removed. When an app is deleted, all access entries for that app are removed.
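The access rule and cascade behaviour described above, modeled on SQLite as an added example (not Stratos Vault's own code): `user_app_access` is the page's schema, while the one-column `users` and `apps` tables, the sample rows and the helper names are assumptions. Under the rules as the page states them, removing the last assigned user, including through `ON DELETE CASCADE`, leaves the app with no entries and therefore visible to all users; `unrestricted_apps` is an audit query that lists such apps.

```python
import sqlite3

# user_app_access is the page's schema; the one-column users/apps tables are assumed.
SCHEMA = """
CREATE TABLE users (id TEXT PRIMARY KEY);
CREATE TABLE apps (id TEXT PRIMARY KEY);
CREATE TABLE user_app_access (
  id TEXT PRIMARY KEY,
  user_id TEXT NOT NULL,
  app_id TEXT NOT NULL,
  granted_by TEXT,
  created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
  FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE,
  FOREIGN KEY (app_id) REFERENCES apps(id) ON DELETE CASCADE,
  UNIQUE(user_id, app_id)
);
"""

def build_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    # Stock SQLite only honours ON DELETE CASCADE when this pragma is on.
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    db.executemany("INSERT INTO apps VALUES (?)", [("wallet",), ("treasury",)])
    # Only alice is assigned to treasury; wallet has no entries.
    db.execute("INSERT INTO user_app_access (id, user_id, app_id, granted_by) "
               "VALUES ('g1', 'alice', 'treasury', 'admin')")
    return db

def visible_apps(db, user_id):
    """Open-by-default rule: no entries -> everyone; entries -> assigned users only."""
    rows = db.execute(
        "SELECT a.id FROM apps a WHERE "
        "NOT EXISTS (SELECT 1 FROM user_app_access x WHERE x.app_id = a.id) "
        "OR EXISTS (SELECT 1 FROM user_app_access x "
        "           WHERE x.app_id = a.id AND x.user_id = ?) ORDER BY a.id",
        (user_id,))
    return [r[0] for r in rows]

def unrestricted_apps(db):
    """Audit query: apps with zero access entries, i.e. visible to all users."""
    rows = db.execute(
        "SELECT a.id FROM apps a LEFT JOIN user_app_access x ON x.app_id = a.id "
        "GROUP BY a.id HAVING COUNT(x.id) = 0 ORDER BY a.id")
    return [r[0] for r in rows]

def delete_user(db, user_id):
    """Deleting a user cascades to that user's access entries."""
    db.execute("DELETE FROM users WHERE id = ?", (user_id,))
```

Running the audit query after user removals or bulk revocations shows whether an app meant to stay restricted has dropped back to the open default.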
App Ecosystem
Stratos Vault supports "Dock Apps" - applications that run within the wallet interface with access to:
- User authentication state
- Asset balances across all chains
- Transaction signing capabilities
- Canton contract operations
Organizations can build custom applications for:
- DeFi operations (swaps, lending, staking)
- Payment processing
- Asset tokenization
- Internal treasury management
- Client-facing investment interfaces
Learn more about building apps →
Canton Network Integration
Stratos Vault provides native integration with Canton Network, enabling:
Regulated DeFi
- Privacy-preserving transactions - Data shared only with authorized parties
- Compliant smart contracts - Daml language for auditable, deterministic logic
- Enterprise interoperability - Connect with other Canton participants
Smart Contract Operations
- Query contracts by template
- Create contract instances
- Exercise choices on existing contracts
- Transfer tokens via offer/accept workflow
Daml Package Distribution
Apps can distribute their Daml packages through a standardized endpoint, enabling automatic installation across wallet instances.
Learn more about Canton integration →
Security Architecture
Defense in Depth
┌─────────────────────────────────────────────────────────────┐
│  Layer 1: Transport Security                                │
│    HTTPS only, HSTS headers, TLS 1.3                        │
├─────────────────────────────────────────────────────────────┤
│  Layer 2: Authentication                                    │
│    WebAuthn passkeys, JWT sessions, httpOnly cookies        │
├─────────────────────────────────────────────────────────────┤
│  Layer 3: Authorization                                     │
│    Role-based access, Canton party authorization            │
├─────────────────────────────────────────────────────────────┤
│  Layer 4: Key Protection                                    │
│    PRF-derived keys, MPC threshold signing, nonce zeroing   │
└─────────────────────────────────────────────────────────────┘
Key Management
Stratos Vault supports two key management modes:
Local Mode (PRF-only):
- User authenticates with passkey (biometric/security key)
- WebAuthn PRF extension derives chain-specific keys
- Signing happens locally, keys cleared after use
MPC Mode (Threshold Signing):
- Private keys split into client and server shares during registration
- Client share encrypted with PRF, server share in Durable Object
- Multi-round cryptographic protocol produces signatures without reconstructing the full key
- Supports Lindell 2PC-ECDSA (secp256k1) and FROST 2-of-2 (ed25519)
Result: No seed phrases, no single point of compromise, phishing-resistant authentication.
Learn more about MPC signing →
Next Steps
- Security Deep Dive - Detailed security architecture
- MPC Signing - Multi-party computation threshold signing
- Canton Integration - Enterprise smart contracts
- Dock Apps - Pre-built applications (Vault, Swap, RWA, PrivaMargin)
- For Developers - Build on Stratos Vault
