<!--
Sitemap:
- [Welcome to Kakushi 隠し](/index): Kakushi is a private execution layer for institutions building on stablecoin rails.
- [What is Kakushi](/introduction/what-is-kakushi): Money is private.
- [Using Kakushi with AI](/introduction/using-kakushi-with-ai): Every page in these docs is available as plain markdown for use with language models.
- [Quickstart](/quickstart): This is the ten minute path.
- [Zones and the trust model](/concepts/zones-and-trust): A zone is a private blockchain only you can see inside, with a public chain's proofs underneath.
- [The portal](/concepts/the-portal): Money walks in as public USDC and becomes private the moment it crosses.
- [Accounts and custody](/concepts/accounts-and-custody): Your existing wallet address is already a Kakushi account. Nothing to deploy, nothing to enroll.
- [Bring your own address](/concepts/bring-your-own-address): A zone account is just an address, the one an auth key recovers to, with nothing deployed.
- [Virtual addresses](/concepts/virtual-addresses): Hand every customer their own address, the way a bank hands out virtual account numbers.
- [Private transfers](/concepts/private-transfers): Pay fifty thousand people and publish zero salaries.
- [Settlement and composability](/concepts/settlement-and-composability): Two institutions settle in real time without sharing a ledger or seeing each other's books.
- [Private deposits and withdrawals](/concepts/private-deposits-and-withdrawals): Soon, even the edges go dark.
- [Proofs and the verifier](/concepts/proofs-and-the-verifier): You cannot fake a balance, and you can prove you are solvent without showing a single customer.
- [Fees and gas](/concepts/fees-and-gas): Your users never hold ETH and never see gas. They pay in the dollars they are already sending.
- [Privacy and disclosure](/concepts/privacy-and-disclosure): The public sees nothing, you see everything, the regulator sees what the law entitles them to.
- [Zone policies](/concepts/zone-policies): Compliance is built into the zone. You configure your program; the substrate enforces it on every transfer.
- [Onboard a customer](/guides/onboard-a-customer): Two calls and a webhook, and your customer has a private on-chain account.
- [Accept deposits](/guides/accept-deposits): Anyone with funds on the host chain can pay into your zone, and it lands as a private balance for your user.
- [Make private transfers](/guides/private-transfers): One call moves money privately. One call pays a whole payroll.
- [Process withdrawals](/guides/withdrawals): Burn inside, release canonical USDC outside, in one call.
- [Settle between zones](/guides/settle-between-zones): Send money to another institution's zone like it is a withdrawal. It is interbank settlement.
- [Handle webhooks](/guides/webhooks): React to money moving. Do not poll for it.
- [Reconcile](/guides/reconcile): Two numbers that must always match. Assert it on a schedule.
- [Non-custodial integration](/guides/non-custodial-integration): The user signs on their device. You never hold the key, and you still cannot move their money.
- [Compliance and disclosure](/guides/compliance): You hold the whole record. Disclosure is an export, not a negotiation with the protocol.
- [SDK reference](/sdk-reference): The look-it-up layer.
- [Connect and EVM reference](/connect-and-evm-reference): The chain-level integration detail.
- [Run a zone](/run-a-zone): Most operators never run any infrastructure.
- [Protocol spec](/protocol-spec): The deep technical layer, for auditors and engineers integrating below the SDK.
- [Resources](/resources): See Key concepts for the working vocabulary, expanded throughout Core concepts.
-->

# Non-custodial integration

When the user holds their own key, you orchestrate everything around the money movement but never touch the key. The user signs on their device, and the node itself enforces that no one but the key holder can move that account's funds. That is the guarantee, and it is enforced by the protocol, not by your good intentions.

![Backend prepares an unsigned transaction, the user signs on their device, the signed transaction is submitted](/images/guides/non-custodial-integration.svg)

```ts
import { toViemAccount } from "@privy-io/react-auth";

// the account comes from the user's embedded wallet; the key stays on their device
const account = await toViemAccount(embeddedWallet);

// 1. prepare the unsigned zone transaction (nonce, gas, chainId set here)
//    no signer is present at build time, so `from` is passed explicitly as an address
const { unsignedTx } = await kakushi.transfers.prepare({
  from: account.address, to: "0xRecipientZoneAddress", amount: "40.00", token: "USDC",
});

// 2. the user signs locally, in their wallet, nothing is broadcast
const signedTx = await account.signTransaction(unsignedTx);

// 3. submit over the authenticated RPC; the user's auth token in the header
//    matches the transaction's signer, which is what the node requires
await kakushi.transfers.submit(signedTx);
```

The node's rule is absolute: a transaction only lands when its recovered `from` equals the address of the auth token in the request header. So even you, the operator, cannot move a user's funds without the user's signature.

:::warning
This V1 path targets embedded and programmatic wallets, like Privy, where the client can sign locally with a real key. Injected wallets like MetaMask do not expose the raw signing the auth token needs, so they become first-class in V2 through smart accounts and a paymaster. See the Privy examples for React (key on the user's device) and Node (server-held key).
:::