User Setup
User Web Setup
Workspaces are created by the operations team. Each workspace must have an owner. The operations team assigns a workspace owner to a workspace.
Once the workspace owner is created, the owner and the admin quorum (admin, associate) add all other users to the workspace.
After joining a workspace for the first time, users in all roles must go through the following setup stages.
- Users added to a workspace receive an invitation email for that workspace.
- The user accepts the workspace invitation by clicking the link in the invitation email.
- The invitation link remains active for two days.
- After accepting the invitation, the user proceeds to the password creation screen.
- After successfully creating a password, the user must complete the 2FA setup via Google Authenticator.
- After the 2FA setup, the user sets up a passkey.
- Once the web setup is complete, the user must proceed with the mobile setup.
User Mobile Setup
The Custody Mobile App is a mobile application used for key generation ceremonies, transfer approvals, transfer signing, and the approval of admin quorum requests.
Users with approval or signing authority must use the Custody Mobile App to perform required actions.
- Roles with MPC key share ownership: Owner, admin, signer
- Roles with signing authority: Owner, admin, signer
- Roles with transfer approval authority: Owner, admin, associate, signer, approver
- Roles authorized to approve admin quorum requests: Owner, admin, associate
Setup for Users with Signing Authority
Owner Mobile Setup
After completing the web setup, the owner logs into the mobile application using their email address and the password created during the web setup.
The owner completes the 2FA setup via Google Authenticator.
The owner logs in to the application using Passkey and FaceID.
The owner joins the “key generation ceremony” communicated by the operations team and remains in the ceremony until the MPC key generation is completed.
The owner may leave the app once the ceremony is completed successfully.
With the key share created, the owner can now sign off on transfers, take other approval actions, and actively use the platform.
Admin and Signer Mobile Application Setup
To obtain an MPC key share, users with admin and signer roles must have a new key derived from the owner’s key share.
A new key is created from the owner’s key share through the key derivation ceremony. The newly generated key is then shared with the users through the key resharing ceremony. The key derivation and key resharing ceremonies must occur consecutively, one after the other.
After completing the web setup, users with admin and signer roles log in to the mobile application using their email address and the password they created during the web setup.
They complete the 2FA setup via Google Authenticator.
They log in to the application using Passkey and FaceID.
The workspace owner receives a key derivation ceremony request for users logged in to the mobile application. The owner joins the key derivation ceremony from the mobile app. Once that ceremony is completed successfully, the key resharing ceremony is initiated and transferred to the user who will obtain the key share. The user then joins the key resharing ceremony. Once it is completed successfully, the user is ready to take active action.
If the key derivation ceremony fails, the key resharing ceremony will not take place. An issue during the key resharing stage will result in the process being restarted: the owner receives a new key derivation ceremony request and repeats the process.
Setup for Users Without Signing Authority
Users with associate and approver roles do not possess MPC key shares. Users with associate roles are authorized for admin quorum and transfer approvals. Users with approver roles are only authorized for transfer approvals.
After completing the web setup, users with associate and approver roles log in to the mobile application using their email address and the password they created during the web setup. Users who have successfully logged in are now ready to take active action on the platform.