User permission levels
The platform has three user permission levels: Administrator, Operator, and Viewer. Users can hold multiple roles, and each vault can have its own user access configurations.Administrator
Full access to perform administrative tasks, including the ability to create and modify policies.
Operator
Access to perform operations in a vault policy, including initiating withdrawals or staking operations.
Viewer
View permissions to vaults and the ability to download statements or reports.
Administrator scoping isn’t fully granular yet. A user scoped to a specific administrator rule can still initiate—though not approve—other administrator operations. More granular administrator separation is on the roadmap.
User actions across devices
User actions are determined by the device used.Biometric approval is always required on iOS, even when quorum is not. Tapping approve isn’t the security step — your biometrics unlock the signing key held in the device’s secure hardware, which is what actually authorizes the operation.
How iOS and API authorization work differently
Both interfaces prove the same thing — that an authorized party approved the operation — but they prove it differently:- On iOS, the approver is a person, in the moment. Biometrics bind the approval to a specific human on a specific enrolled device, and unlock the key in the device’s secure hardware to sign.
- Over the API, the approver is a system — but a human quorum can still stand behind it. There’s no person in the loop to scan each request, so authorization comes from a cryptographic signature: sensitive requests are signed with your Ed25519 key, and each key is scoped by permission groups. For certain permission groups, key creation and/or permission changes require quorum approval and Anchorage Digital review. That human approval is front-loaded (when required), then reused for each signed request rather than collected again per transaction.
Quorums and policies
All sensitive operations—such as withdrawing assets or changing account settings—require approval from multiple members of your Anchorage organization. Each vault operates under a vault policy, which defines the user access configuration for that vault. A vault policy may be assigned to multiple vaults, ensuring that the same permission level and rules for operation approval are consistently applied across all of them.Vault members
Each vault must have a minimum of 3 members.
Quorum approvers
Each vault must have a minimum quorum of 2 approvers.
Viewer
View permissions to vaults and the ability to download statements or reports.
- Configure dedicated approval quorums and sub-quorums for withdrawal, staking, and governance operations
- Customize the quorum and sub-quorums for user management, trusted destination management, and vault and API management operations
- Add or remove users from vault and account sub-policies