You keep the keys.
We sign the proof.
Keep your Turnkey, Fireblocks, or Circle relationship. The funds stay with your provider. The regulator stays with you. Oris signs the proof that every payment was authorized, screened, and clean.
Three providers. One API.
Turnkey, Fireblocks, Circle. The provider still holds your funds under their license. The Oris call surface stays the same, whichever one you pick.
Provider keeps the keys
The signing keys are held by the provider under their existing MPC or HSM infrastructure. Oris stores only the encrypted API credential that authorizes the provider to sign on your behalf. The signing material never crosses into Oris infrastructure in plaintext.
Identical SDK surface
A single SDK call dispatches to any of the three providers. The application code does not change when you migrate from Turnkey to Fireblocks. The provider selection lives in your configuration, not in your business logic.
Compliance posture preserved
Your existing KYC, KYB, and money transmitter relationship with the provider stays in place. Oris does not interpose its own license between you and the provider. The regulatory paperwork remains where it already lives.
Encrypted twice over.
Your credentials are sealed with a per-developer key. That key is sealed again inside a hardware boundary. Only the ciphertext ever touches disk.
Each developer organization gets its own data encryption key. A breach of one tenant ciphertext never exposes another tenant secret. The isolation is enforced by separate key material, not by application logic that could be bypassed by an SQL injection or a misrouted query.
Vault Transit performs the wrap and unwrap operations server-side. The key encryption key remains inside the HSM. Oris services receive only the data encryption key in process memory at the moment of use, then discard it. There is no plaintext on disk and no plaintext in any backup.
Read the BYOK deep dive →Your license. Your regulator.
Oris is the protocol. The license, the customer, and the funds stay with you and your provider. No new vendor on your legal map.
You hold the license
Oris operates under a software services agreement. The money transmitter license, the e-money license, and any equivalent local authorization continue to be held by you or your custody provider. Oris does not introduce a new licensed entity into your transaction flow.
You hold the customer relationship
Customer onboarding, KYC verification, and KYB diligence stay with your provider. Oris consumes the resulting attestation through the Veris Engine bridge but never re-collects the underlying personal data. Your privacy notice and data residency posture do not change.
You hold the funds
Customer balances remain inside the provider account at all times. Oris never takes custody, never pools funds across tenants, and never operates an omnibus account. A regulator inquiry about fund flow points squarely at your provider relationship, not at a new intermediary.
One step. No migration.
Already on Turnkey, Fireblocks, or Circle? Connect Oris in one configuration step. No fund movement. No new infrastructure.
Connect the provider through the developer dashboard or directly from the SDK. Oris accepts your existing API credentials, encrypts them under your tenant data encryption key, and tags the provider as the signing backend for new agent wallets. Existing wallets remain unaffected.
Onboarding is a single dashboard flow. Select the provider, paste the API credential, confirm the organization identifier, and the provider becomes the signing backend for any agent you create afterward. No keys move and no funds move.
oris.providers.connect( provider="turnkey", api_key=os.environ["TURNKEY_API_KEY"], organization_id="...", )
Pay safer. Keep your custody.
We add the safety layer and the audit trail. Your custody stays exactly where it is.