zenvault
Platform

Custody, scoped to six nouns.

zenvault has a small surface on purpose. Every action in the API is a verb on one of six primitives. There is no platform tier hiding more — what's listed is what zenvault is.

Primitives

The vocabulary your API sees.

Six nouns. If a concept isn't here, it isn't in the API.

Workspaces

Tenancy boundary. One per product, per environment. Holds API keys, accounts, transfers, external wallets, webhook endpoints, audit.

Accounts

A vault account that owns asset activations. Tagged by purpose — hot, warm, cold, escrow, gas, generic — so your treasury logic can address them by role.

Addresses

Per-asset deposit addresses, allocated on demand. Stable inputs to your invoicing or merchant flow. Reuse is your call, not ours.

Transfers

Internal (vault to vault), external (to an allowlisted wallet or a one-time address), contract call, ERC-20 approve. All four use the same state machine.

External wallets

Asset-scoped destination allowlist. A transfer can only target an address that's allowlisted for that asset.

Webhook endpoints

Outbound delivery of state changes. HMAC-SHA256 over (timestamp.body). AES-GCM-encrypted secrets at rest. Roughly three-day retry window with jitter.

Architecture

Three planes. Each observable on its own.

The control plane mutates rarely. The data plane is what your product talks to with a workspace API key. The ops plane runs in the background, guarded by distributed locks so multi-pod deployments don't double-emit.

Control planeplane
workspaces · asset coverage · audit · admin
  • wks_a3c4zenpulse-staging · production
  • wks_b8c2zenotc-prod · production
  • audit_log2,481 events · 24h
Data planeplane
accounts · transfers · external wallets · balances
  • POST/v1/transfers/external
  • GET/v1/accounts/:id/balances
  • POST/v1/external-wallets
Ops planeplane
reconciler · event processor · webhook deliverer
  • transfer-reconcilerevery 30s
  • provider-eventsevery 30s
  • webhook-delivererevery 10s
Transfer lifecycle

Eight states. One direction.

Every transfer moves through the same state machine. Transitions are compare-and-swap; terminal states never walk back. Reconciliation polls non-terminal transfers every thirty seconds.