Vault FAQs
thirdweb vault is entirely non-custodial.
This means that if you lose your keys and your recovery code, you have no means of recovering any of your EOAs, any funds stored in them, or any smart accounts or other contracts your EOAs might own.
thirdweb cannot help you in such a scenario.
While storing all keys with yourself is the most secure way to use thirdweb vault, the lack of recovery options might be inconvenient or scary. As a compromise, when used with Engine Cloud, thirdweb allows you to store a backup of your rotation code with us. This way if you ever lose your admin key, we can let you rotate it as long as you can access the project this vault was initialised for.
Is this still non-custodial?
Yes.
thirdweb cannot access any of your wallets or created entities with your rotation code alone.
A “rotation code” only allows the “service account rotate” operation, which invalidates your admin key and all existing access tokens.
There is no way for thirdweb to “silently” access your vault without your knowledge with only the recovery code.
Rotating your Engine’s vault account through a thirdweb-stored rotation code requires a signature from your wallet. You will also be able to see the rotation history, the thirdweb account that initiated each rotation, and its wallet signature.
You need either:
- The admin key (which can perform any action, including creating Vault EOAs, aka server wallets).
- Or an access token that has explicit permissions to create Vault EOAs.
For Engine Cloud by default, we generate an access token for you during onboarding. This token can create Vault EOAs.
However, if you want to restrict access to creating Vault EOAs, you can create a custom access token with the required scopes.
The admin key is temporarily stored in the dashboard when performing actions that require it, such as creating or managing server wallets:
- It is only stored locally in memory for the duration of your session.
- It is only sent over the network when end-to-end encrypted communication with Vault is happening.
- It is not persisted or stored after your session ends.
Please note that you should never share your admin key with third parties.