Architecture
Understand how Cubewire Wallet-as-a-Service processes transactions, manages security, and integrates with your systems.
Cubewire Wallet-as-a-Service is designed with security and reliability at its core. Every transaction flows through multiple layers of protection—from authentication and policy enforcement to compliance screening and HSM-based signing—before reaching the blockchain.
This page covers:
- Transaction lifecycle — What happens when you submit a transaction
- Vaults — How keys and addresses are organized
- Security model — How we protect your keys and assets
- Compliance integration — Built-in regulatory checks
- Integration patterns — Common ways to connect your systems
Vaults
A vault is a secure container for blockchain keys and addresses. Each vault is isolated with its own cryptographic material stored in hardware security modules (HSM).
| Vault Type | Description | Use Case |
|---|---|---|
| Mainnet | Production vaults for real assets | Live operations, treasury |
| Testnet | Development vaults on test networks | Integration testing, development |
Vault Capabilities
- Multi-chain addresses — Each vault can hold assets across supported EVM networks
- Isolated keys — Private keys are unique per vault and never shared
- Configurable policies — Attach spending limits, allowlists, and approval rules
- Full audit trail — Every operation is logged for compliance and reporting
Organization Scope
Vaults belong to your organization. Team members access vaults based on their assigned roles and permissions.
How It Works
Here's what happens when you send a transaction through Cubewire:
The entire flow—from request to blockchain confirmation—typically completes in seconds. For transactions requiring approval, you control the workflow through our approvals API.
Security Model
Cubewire employs multiple layers of security to protect your assets:
| Layer | Protection |
|---|---|
| Authentication | OAuth 2.0 client credentials with short-lived access tokens |
| Authorization | Role-based permissions control what each credential can access |
| Policy Enforcement | Transactions must pass your configured rules before signing |
| Compliance | Automated screening against sanctions lists and risk databases |
| Key Security | Private keys never leave FIPS 140-2 Level 3 certified HSMs |
Key Protection
Your private keys are:
- Generated inside HSMs — Keys are created within certified hardware, not imported
- Never exported — Signing happens inside the HSM; raw keys are never exposed
- Geographically distributed — Infrastructure spans multiple regions for resilience
- Backed up securely — Encrypted backups ensure business continuity
API Authentication
All API requests use OAuth 2.0 client credentials flow:
| Component | Description |
|---|---|
| Client ID | Public identifier for your API credential |
| Client Secret | Secret key (store securely, never expose in client-side code) |
| Access Token | Short-lived JWT for API requests (expires in 1 hour) |
Security Best Practice
Never embed client secrets in frontend applications or mobile apps. Use server-side authentication only.
Built-in Compliance
Cubewire integrates with leading compliance providers to automate regulatory requirements. Configure these checks at the organization level—they run automatically on every transaction.
Compliance Checks
| Check | What It Does | When It Runs |
|---|---|---|
| KYB/KYC | Verifies organization and user identity | Organization onboarding, user registration |
| AML/KYT | Screens transactions for money laundering risk | Every outbound transaction |
| Sanctions | Checks addresses against OFAC, UN, EU sanctions lists | Every transaction (sender & recipient) |
| Travel Rule | Exchanges originator/beneficiary data per FATF guidelines | Transfers above threshold (varies by jurisdiction) |
Configuration
Compliance settings are configured per organization. Contact your account manager to enable or customize compliance checks for your use case.
Integration Patterns
Choose the pattern that fits your use case:
Server-to-Server
Best for backend services that need programmatic access to wallets.
Your server authenticates with Cubewire using API credentials and performs operations on behalf of your users. Transaction events flow back via webhooks.
Use cases: Automated payouts, treasury operations, trading bots
Approval Workflows
Best for high-value transactions requiring human approval.
Define approval thresholds in your policies. When a transaction triggers approval, designated approvers receive notifications and vote through your interface.
Use cases: Treasury management, large transfers, compliance-sensitive operations
Event-Driven
Best for systems that react to blockchain activity in real-time.
Subscribe to webhook events and process them asynchronously. We handle retries and provide HMAC signatures for verification.
Use cases: Real-time dashboards, notifications, accounting systems, audit logging
Webhook Events
Cubewire sends real-time webhook notifications for transaction lifecycle events—from submission through confirmation or failure. All payloads include HMAC signatures for verification.
See Webhooks for event types, payload formats, and security best practices.
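A sketch of the receiving side of the HMAC verification and retry handling described above, added here as an illustration and not taken from Cubewire's own code or SDK. It assumes HMAC-SHA256 over the raw request body, a hex-encoded signature, and an `id` field that stays the same across retried deliveries; the secret, event shape and class name are hypothetical, so check the Webhooks reference for the real header and format.

```python
import hashlib
import hmac
import json

# Assumptions, not taken from the Cubewire docs: HMAC-SHA256 over the raw
# request body, hex-encoded signature, event identified by an "id" field.

def sign(secret: bytes, raw_body: bytes) -> str:
    """Sender-side helper, used here only to build the constructed sample."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

class WebhookReceiver:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen = set()  # in production: a shared store with a TTL

    def handle(self, raw_body: bytes, signature_hex: str) -> str:
        """Return 'rejected', 'duplicate' or 'accepted'."""
        try:
            received = bytes.fromhex(signature_hex.strip())
        except ValueError:
            return "rejected"  # malformed signature value
        # Verify the exact bytes received, before parsing them; compare_digest
        # keeps timing from revealing how many bytes matched.
        expected = hmac.new(self._secret, raw_body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, received):
            return "rejected"
        try:
            event = json.loads(raw_body)
        except ValueError:
            return "rejected"
        event_id = event.get("id") if isinstance(event, dict) else None
        if not isinstance(event_id, str):
            return "rejected"
        # Retried deliveries repeat the same event, so process each id once.
        if event_id in self._seen:
            return "duplicate"
        self._seen.add(event_id)
        return "accepted"

# Constructed sample data (hypothetical secret, event shape and values).
SAMPLE_SECRET = b"whsec_constructed_example"
SAMPLE_BODY = b'{"id":"evt_001","type":"transaction.confirmed","chainId":62831}'

if __name__ == "__main__":
    rx = WebhookReceiver(SAMPLE_SECRET)
    sig = sign(SAMPLE_SECRET, SAMPLE_BODY)
    print(rx.handle(SAMPLE_BODY, sig))  # first delivery
    print(rx.handle(SAMPLE_BODY, sig))  # retried delivery
```

Pass the handler the body bytes exactly as they arrived; re-serializing parsed JSON before hashing changes the bytes and makes valid signatures fail.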
Supported Networks
Cubewire supports EVM-compatible blockchains:
| Network | Chain ID | Type |
|---|---|---|
| Ethereum | 1 | Mainnet |
| Polygon | 137 | Mainnet |
| Arbitrum One | 42161 | Mainnet |
| Base | 8453 | Mainnet |
| Ethereum Sepolia | 11155111 | Testnet |
| Polygon Amoy | 80002 | Testnet |
| Cubewire Testnet | 62831 | Testnet |
Development
Start with Cubewire Testnet for development—it's fast, free, and purpose-built for testing. Use the Cubewire Faucet to get test tokens.
Audit & Activity Logs
Every action in Cubewire is recorded for compliance and operational visibility:
| Log Type | What's Captured |
|---|---|
| Transaction logs | All transaction attempts, approvals, and outcomes |
| Access logs | API authentication events and credential usage |
| Policy logs | Policy evaluations and rule matches |
| User activity | Dashboard actions and configuration changes |
Logs are retained according to your organization's compliance requirements and are accessible via API for integration with your SIEM or reporting systems.
Next
- Core Concepts — Key domain concepts for building on Cubewire