Warning: Providing the custodian backup share to the client device puts both MPC shares on a single device, removing the multi-party security benefits of MPC. This operation should only be done for users who want to move off of MPC and into a single private key. Use
portal.eject()
at your own risk!Ejecting Methods
You can eject wallets using either Portal-Managed Backups or Self-Managed Backups depending on your implementation.Portal-managed backups
To eject the private keys for your users’ wallets, their two matching backup shares need to be combined. Since both of these shares are stored on the Portal backend encrypted at rest, we first need to verify that the upcoming request to eject the wallet is not an attack. In order to do this, we make this a two-step process: Implementation Requirements- Make a Custodian-authed
POST
request using your Custodian API Key (the same API key you use to create new users) to the/api/v3/custodians/me/clients/\(clientId)/prepare-eject
endpoint to allow for this client to perform aneject
operation - Call the
portal.eject()
orportal.ejectPrivateKeys()
function from your client application with the appropriate backup method
Step 1: Prepare the Eject Operation
Make a custodian-authenticatedPOST
request using your Custodian API Key to authorize the ejection:
The
walletId
can be found in the wallets
property of the /api/custodians/me/clients/\(clientId)
GET
request.If you are planning on ejecting multiple wallets for a user, you’ll need to make multiple separate requests to “unlock” all requires wallets.
Step 2: Eject the Wallet
After preparation, call theeject()
or ejectPrivateKeys()
method with the appropriate backup method that was originally used to secure the wallet:
- Retrieve and combine shares from Portal’s server
- Perform the cryptographic operations to construct the private key/s
- Return the private key/s as a string that can be imported into other wallet managers
Self-Managed Backup (from your server)
When using Self-Managed Backups, you store the backup shares in your own infrastructure. To eject a wallet, you’ll need to provide both backup shares to theportal.eject()
or portal.ejectPrivateKeys()
function.
- User Backup Share - Encrypted backup share received from
portal.backup()
. - Custodian Backup Share - Raw backup share received from the
POST /backup
webhook.
- Retrieve the encrypted user backup share from your storage
- Retrieve the raw custodian backup share/s from your storage
- Call the eject function with both shares
Cryptographic Curves
Portal supports multiple blockchain networks that use different cryptographic curves:
- SECP256K1: Used by Ethereum and most EVM-compatible blockchains
- ED25519: Used by Solana and several other blockchains
Best Practices
- Implement clear user confirmations before initiating the eject process
- Securely transmit and display private keys to users
- Educate users about the security implications of moving from MPC to single key wallets
- Consider implementing a cooling-off period before allowing wallet ejection