BYOK custody
BYOK keeps Oris out of custody. You hold your provider relationship (Turnkey, Fireblocks, Circle, or self-hosted). Oris stores your provider API keys with envelope encryption and decrypts them only in ephemeral memory at request time.
Why BYOK matters
The custody boundary stays where it belongs: with the developer who already has a money-transmitter or VASP relationship with their MPC provider. Oris adds the cryptographic boundary around the credential. Funds never touch Oris.
Envelope encryption
```
provider_key
    │
    ▼
AES-256-GCM Data Encryption Key (DEK)   ← per-developer, unique
    │
    ▼
HashiCorp Vault Transit (KEK)           ← centralized rotation, in-memory only
    │
    ▼
ciphertext at rest (PostgreSQL)
```

Three independent boundaries:
| Layer | Property |
|---|---|
| Vault Transit KEK | Key material never leaves Vault. Rotates inside Vault with zero application downtime. |
| Per-developer DEK | One developer’s compromise cannot expose another. Blast radius capped per tenant. |
| Ephemeral memory | After every call, the plaintext key is overwritten at the C level (ctypes.memset). |
Plaintext persistence: zero milliseconds. The DEK lives in memory only for the duration of a single request.
Supported providers
| Provider | Type | State |
|---|---|---|
| Turnkey | Distributed MPC | LIVE |
| Fireblocks | Institutional MPC | LIVE |
| Circle | Programmable wallets | LIVE |
| Self-hosted EOA | Standard private key | LIVE |
SDK methods
```python
# Register a provider key once
client.provider_keys.save(
    provider="turnkey",
    credentials={"api_key": "tk_prod_...", "organization_id": "..."},
)

# List registered keys
keys = client.provider_keys.list()
for k in keys:
    print(k.provider, k.dek_version, k.status)  # active / rotating

# Rotate a provider key (manual or automatic)
client.provider_keys.rotate(provider="turnkey")
```

```typescript
await client.providerKeys.save({
  provider: 'turnkey',
  credentials: { apiKey: 'tk_prod_...', organizationId: '...' },
});

const keys = await client.providerKeys.list();
for (const k of keys) {
  console.log(k.provider, k.dekVersion, k.status);
}

await client.providerKeys.rotate({ provider: 'turnkey' });
```

What Oris does not do
- Does not move funds.
- Does not hold custody.
- Does not require a money-transmitter license.
- Does not enter your provider’s compliance perimeter.
The provider relationship, the KYC, the AML monitoring and the licensing all stay with you and your provider. Oris adds the cryptographic boundary on top.
Where to go next
- BYOK setup guide for the end-to-end onboarding flow with Turnkey, Fireblocks, and Circle.
- Wallets feature for the canonical address that sits in front of your provider.
- Key rotation operations for the rotation playbook.