Wallet signing infrastructure
Keys that never leave the enclave.
Non-custodial signing on AMD SEV-SNP. Private keys are generated, sealed, and used inside hardware-isolated memory. We never have access. Nobody does.
import { Sigcore } from '@sigcore/sdk'
const sigcore = new Sigcore({ apiKey: 'sk_...' })
// Key generated inside AMD SEV-SNP enclave
// Never persisted in plaintext — sealed in memory
const wallet = await sigcore.wallets.create({
name: 'Treasury',
algorithm: 'secp256k1',
})
// Policy-evaluated, TEE-signed
const sig = await sigcore.sign({
walletId: wallet.id,
payload: txHash,
})
Architecture
Zero-access by design. Verifiable by default.
Trusted Execution Environments
AMD SEV-SNP confidential computing.
All signing operations execute inside AMD SEV-SNP Secure Encrypted Virtualization enclaves. Memory is hardware-encrypted with a per-VM key that the hypervisor, host OS, and cloud provider cannot access. The firmware enforces isolation at the silicon level — no software escape is possible.
Key isolation
Sealed in encrypted memory.
Private keys are generated via CSPRNG inside the enclave, encrypted at rest with a Shamir-split master secret, and exist in plaintext only within hardware-encrypted VM memory during signing. After each operation, key material is explicitly zeroed.
Non-custodial
We can't access your keys. By design.
Sigcore operators, infrastructure providers, and the cloud host are all excluded from the trust boundary. The signing primitive is a USE operation — the signature is returned, never the key. There is no export path.
Remote attestation
Verify before you trust.
Every enclave generates a cryptographic attestation report signed by the AMD VCEK. The report binds the hardware measurement to the exact software binary running inside. Clients can verify enclave identity before submitting any transaction.
// Verify enclave before trusting
const report = await sigcore.attest()
// AMD SEV-SNP measurement
report.measurement // sha384 of enclave image
report.platform // hardware identity
report.policy // guest policy flags
Enclave-to-enclave
Encrypted service mesh inside the TEE cluster.
Internal services communicate over a custom protocol with X25519 key exchange, Ed25519 identity verification, and AES-256-GCM AEAD encryption with forward secrecy. Every connection is mutually attested — both sides verify each other's enclave measurement before any data is exchanged.
Data flow
Every request traced. Every boundary enforced.
The client sends a signing request to Sigcore with a DPoP-bound access token. Sigcore forwards the token to the Auth enclave for verification. The Auth enclave validates the JWT signature, verifies the DPoP proof (binding the token to the client's key and the specific HTTP request), checks session validity, and returns the verified claims — user ID, org ID, org path, and TEE measurement metadata.
Security invariants
Five guarantees we enforce at every layer.
Private keys exist in plaintext only inside hardware-encrypted VM memory.
AMD SEV-SNP encrypts guest memory with a per-VM AES-256 key managed by the AMD Secure Processor. The hypervisor, host OS, and DMA devices are excluded.
At rest, keys are wrapped with AES-256-GCM using a Shamir-split master secret.
The master key is reconstructed only inside the enclave during unseal. Individual shards are held by geographically distributed operators with Ed25519 identity verification.
Key material never transits a network. Signing is a USE-only operation.
The vault exposes a gRPC UseSecret(SIGN) primitive. It accepts a payload, returns a signature. There is no ExportSecret path for signing keys. The key stays in the enclave.
After each signing operation, key material is explicitly zeroed from memory.
Using mlock to prevent swapping, MADV_DONTDUMP to exclude from core dumps, and OPENSSL_cleanse for deterministic zeroing that cannot be optimized away by the compiler.
Sigcore operators cannot access keys. The platform is outside the trust boundary.
Remote attestation proves the enclave is running the expected binary. Operators authenticate via challenge-response with Ed25519 but never gain access to secret material.
Policy engine
Signing rules enforced at the hardware level.
Spending & destination controls
Per-wallet limits enforced in the TEE.
Daily spending caps, transaction count limits, destination whitelists/blacklists, and chain restrictions. Evaluated inside the enclave before the vault is contacted. Denied transactions never reach the signing layer.
{
"daily_limit": { "amount_usd": 10000, "tx_count": 50 },
"destinations": {
"mode": "WHITELIST",
"addresses": ["0x742d35Cc...", "0xA0b86991..."]
},
"allowed_chains": ["ethereum", "polygon"]
}
Multi-signature & approval flows
M-of-N quorum with threshold triggers.
Transactions above a USD threshold require approval from M of N eligible signers. Approvals are collected by the policy enclave and submitted atomically. Timeout and escalation rules are configurable per wallet.
{
"multi_sig": {
"threshold": 2,
"total": 3,
"amount_threshold_usd": 5000,
"approval_timeout_seconds": 3600,
"approvers": ["user_01HX...", "user_01HY...", "user_01HZ..."]
}
}
Time locks & signing windows
Delay-based controls for high-value operations.
Enforce business-hours-only signing windows. Add mandatory time locks with cancellation periods for transactions above a threshold. All time enforcement runs inside the enclave with monotonic clock guarantees.
{
"time_restrictions": {
"start": "09:00", "end": "17:00",
"allowed_days": ["Mon", "Tue", "Wed", "Thu", "Fri"]
},
"time_lock": {
"threshold_usd": 50000,
"duration_seconds": 3600,
"cancelable": true
}
}
Why Sigcore
Industry standard
- MPC key shards distributed across cloud VMs
- Custodial HSMs with operator-accessible key material
- Policy logic running outside the signing boundary
- No remote attestation — trust the vendor, not the hardware
- Authentication and signing in separate, unlinked systems
Sigcore
- Full keys sealed inside AMD SEV-SNP encrypted memory
- Zero-access architecture — operators excluded from trust boundary
- Policy evaluation inside the enclave, before any key is touched
- Cryptographic attestation via AMD VCEK on every enclave
- Unified auth, policy, and signing across three attested enclaves
Use cases
Signing infrastructure for every use case.
Whether you're building embedded wallets, automating DeFi, or managing treasury — Sigcore provides the secure signing layer.
Embedded wallets
Give every user a non-custodial wallet without the UX burden of key management.
DeFi & trading
Automate trading with policy-controlled signing. Per-trade limits, allowed DEXes, time windows.
Treasury management
Secure organizational funds with multi-sig, approval workflows, and hardware-isolated signing.
NFT & gaming
Mint and transfer at scale with sub-millisecond signing. Millions of wallets per organization.
Pricing
Start building for free.
Developer
Prototype and develop
- Unlimited wallets
- 1,000 signatures/month
- All security features
- Community support
Growth
Production applications
- Unlimited wallets
- Unlimited signatures
- Policy engine
- Multi-sig & approvals
- Priority support
Enterprise
Organizations at scale
- Everything in Growth
- Dedicated TEE cluster
- 99.99% SLA
- SSO / SAML
- Dedicated engineer
Start signing in minutes.
Get your API key, create your first wallet, and sign your first transaction.