> For the complete documentation index, see [llms.txt](https://docs.useshadowpay.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.useshadowpay.com/privacy-and-confidential-transfers/key-management.md).

# Key Management & Custody

ShadowPay is non-custodial. Your keys are generated and stored on your device. ShadowPay's servers never hold them and never see them in the clear.

***

## Two kinds of keys

Every ShadowPay account has two distinct keypairs:

| Key                | Purpose                                                                                                       |
| ------------------ | ------------------------------------------------------------------------------------------------------------- |
| **Signing key**    | A standard Solana keypair used to sign transactions, the same mechanism any Solana wallet uses                |
| **Decryption key** | Used to decrypt your Confidential Balances account, letting you read your own balance and transaction amounts |

Both are derived from the same underlying secret, generated on your device during onboarding, and never transmitted to ShadowPay in unencrypted form.

***

## Passkey-derived keys

Onboarding uses your device's passkey (WebAuthn) rather than a manually written seed phrase.

1. You create an account with email and a device passkey (Face ID, Touch ID, Windows Hello, or a hardware key).
2. Your device derives your ShadowPay keypair from the passkey using a key derivation function. This happens locally.
3. The private key material is encrypted and stored in your device's secure enclave or equivalent.
4. ShadowPay's servers see your public key and signed transactions. They never see the private key.

This removes the single biggest cause of self-custody failure: losing a written-down seed phrase. It doesn't remove your ability to export it.

***

## Exporting your key

Advanced users can export their private key at any time from **Settings → Security → Export Key**. Once exported, the key can be imported into any standard Solana wallet (Phantom, Backpack, Solflare) since ShadowPay accounts are ordinary Solana accounts underneath.

Exporting your key is your responsibility to do securely. Anyone with your exported key has full control of your account.

***

## Recovery

If you lose access to your passkey-bound device:

* **Multi-device passkeys:** if you registered a passkey on more than one device, or through a passkey provider that syncs across devices (iCloud Keychain, Google Password Manager), recovery is immediate on any synced device.
* **Social recovery (post-beta):** designate trusted contacts who can jointly approve a recovery request. See [Roadmap](/resources/roadmap.md).
* **Exported key backup:** if you exported your key ahead of time and stored it securely, you can restore access on any device.

There is no account recovery path that bypasses your key material. ShadowPay cannot reset your password or restore access on your behalf, because it never held the key to begin with.

***

## Why this matters for privacy

Your decryption key is also what makes selective disclosure and audit export possible without trusting a third party. Because only you hold it, only you can decrypt your history or prove a transaction's contents to someone else. See [Selective Disclosure & Audit Export](/privacy-and-confidential-transfers/selective-disclosure.md).


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.useshadowpay.com/privacy-and-confidential-transfers/key-management.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
