Version: 0.3.0

Self custodial card payments

Run a payment operator that debits a user's encrypted balance on their behalf, without taking custody and without leaking their spending history on-chain.

The pattern fits any pull-payment flow, such as card programs, subscription billing, and prepaid systems.

The problem

Operators that move money on behalf of users today pick one of two bad options:

  • Custodial. The operator holds user funds in pooled accounts. That brings money-transmitter licensing and creates an attractive target for attackers. A breach is a breach of every user at once. Users have to trust the operator's solvency, its infra, and its policies.
  • Public on-chain pull payments. The operator pulls from an EOA or smart account, no custody. But every debit is public. Anyone can reconstruct a user's spending, and run detailed metrics on the operator's business.

The solution

The user keeps their own keys. The operator gets a narrow on-chain authority over the user's encrypted balance — narrow because it's bound, in the contract, to a single settlement destination the operator chose at setup. The operator can debit the account to settle a transaction.

The user can withdraw their balance at any time to a wallet they fully control. The exit is timelocked (a short notice window so the operator can finish in-flight settlements) but it cannot be blocked.
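
The authority rules above, as an added Python model that is not the project's contract code. It tracks a plaintext balance instead of an encrypted one, and every name in it, along with the 3600-second notice window, is an assumption made for illustration.

```python
# Plaintext model of the authority rules described above. The real system keeps
# balances encrypted; all names and the 3600 s notice window are assumptions.
from dataclasses import dataclass
from typing import Optional

NOTICE_WINDOW = 3600  # seconds; assumed value, the page only says "short"


class Unauthorized(Exception):
    pass


@dataclass
class CardAccount:
    user: str
    operator: str
    settlement_dest: str          # fixed at setup; the model has no setter
    balance: int = 0
    exit_ready_at: Optional[int] = None

    def debit(self, caller: str, dest: str, amount: int) -> int:
        """Operator pull: only to the bound destination, only within balance."""
        if caller != self.operator:
            raise Unauthorized("only the operator may debit")
        if dest != self.settlement_dest:
            raise Unauthorized("destination is not the bound settlement address")
        if not 0 < amount <= self.balance:
            raise ValueError("debit must be positive and covered by the balance")
        self.balance -= amount
        return self.balance

    def request_exit(self, caller: str, now: int) -> int:
        """User starts the timelock. There is no operator-side cancel path."""
        if caller != self.user:
            raise Unauthorized("only the user may request an exit")
        if self.exit_ready_at is None:      # repeat calls do not extend the lock
            self.exit_ready_at = now + NOTICE_WINDOW
        return self.exit_ready_at

    def withdraw(self, caller: str, now: int) -> int:
        """User takes the full remaining balance once the window has passed."""
        if caller != self.user:
            raise Unauthorized("only the user may withdraw")
        if self.exit_ready_at is None or now < self.exit_ready_at:
            raise Unauthorized("exit timelock has not elapsed")
        paid, self.balance = self.balance, 0
        return paid
```

The model keeps debits available during the notice window so in-flight settlements can finish, and it gives the operator no method that touches `exit_ready_at`.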

Privacy properties

The card account keeps the following hidden from public view:

  • the account's balance
  • individual debit amounts
  • top-up amounts
  • metrics on the operator's card program: volume, size of transactions, etc.

Public observers see only that the account exists and that debits happen against it — never the amounts, never the counterparties.

Only the user and the operator see the card account's balance and the amounts of top-ups and debits. The operator needs this visibility to prove on-chain that each debit is valid against the current balance.

The operator does not see the user's other accounts. The card account is a single dedicated account the user funds for card spending; the user's main balances and transaction history stay fully private.