The Modular Wallet Stack

First-generation wallet technology products have built full-stack monolithic solutions, combining secure key generation & signing, transaction policy engines, transaction building and broadcasting, and often client consoles & extensions.

As the number of blockchains & use-case complexity has increased, next-generation web3 products need to combine best-of-breed modular parts to build the right stack for their solution.

Decoupling access management from key storage provides a number of benefits, including:

  • Unified access controls for wallet & non-wallet actions

  • Reduce vendor lock-in at the key management layer

  • Create a common interface for wallet access across custodial & non-custodial wallets

Web2 access control is not sufficient for web3

  • Wallets require trust models & signing schemes removing trust from even trusted operators.

  • Transactions need web3-aware policy rules around transfer details & contract calls.

  • Non-wallet actions still require strong auth and permissions

  • Integrations with the blockchain ecosystem requires interfacing with decentralized systems and less-traditional signing curves.

Most "wallet" needs are actually access management needs

What's the Armory Stack?

The Armory Stack is an open-source access management system tailored for uses-case that need strong authentication and fine-grained authorization. It is designed to secure the usage of private keys, wallets, and web3 applications.

It's a web3-native policy engine combined with a highly customizable next-gen auth system, able to be deployed in a variety of secure configurations.

Armory Auth

The core of the Armory system is the auth service and policy engine.

It takes authorization requests from the Client, enforces policy rules, and grants access tokens that are used to protect downstream resources (such as a wallet).

The types of permissions that can be modeled are wide-ranging, from granular transaction policies with quorum approval rules, to broad role-based user scopes.

Access Tokens are client-bound. Unlike a Bearer token (such as in OAuth 2.0), the token alone is not sufficient to access protected resources; http request signatures ensure only the intended client is able to use the token.

Armory Vault

Any application, wallet provider, or other resource server can be protected by Armory Auth. However, for many common scenarios, the Armory Vault can be used in order to avoid custom integration work.

It has two core capabilities

  • Act as a Key Vault for secure key generation, import, and storage

  • Securely sign blockchain transactions using stored keys

Last updated