Vaults

A vault is a secure container for blockchain wallets, protected by MPC key shares distributed across vault members. Vaults are the core building block of Tholos — they hold your assets and enforce your governance rules.

Vault types

Tholos offers two vault types with different security and operational trade-offs:

Standard vaults

Standard vaults require all signers to participate in every transaction signing ceremony. Each signer holds a key share on their device, and the MPC protocol combines these shares to produce a valid signature without ever reconstructing the full private key.

• All signers must be online to sign
• Highest security — no single point of compromise
• Best for high-value treasury operations

Flex vaults

Flex vaults use a threshold signing model. A configurable number of approvals (the threshold) is required to authorize a transaction, after which signing happens automatically using server-held key shares.

• Only the threshold number of approvers need to participate
• Faster operations — signers approve, server signs
• Supports policies for automated transaction rules
• Best for operational wallets and day-to-day transactions

Note

Flex vaults store an encrypted key share on Tholos servers. This share alone cannot sign anything — it requires the threshold number of approvals before it is used. The key is never reconstructed.

Wallets

Each vault automatically generates wallets for supported blockchains. A single vault can hold wallets across multiple chains:

• EVM wallets — shared address across Ethereum, Polygon, Arbitrum, Optimism, Base, Avalanche, BSC, and other EVM chains
• Solana wallets — Solana mainnet and devnet
• Bitcoin wallets — Bitcoin mainnet and testnet
• Cosmos wallets — per-chain addresses for Cosmos Hub, Stride, Neutron, and other Cosmos chains
• Tron wallets — Tron mainnet

Vault lifecycle

1. Creation — a keygen ceremony distributes MPC key shares to all vault members
2. Active — the vault is operational, wallets are funded, transactions can be initiated
3. Deleted — soft-deleted, the vault is no longer accessible (assets should be moved first)

Vault roles

Each user in a vault has a specific role that determines what they can do:

Role	Permissions
Manager	Full control — manage members, roles, and all vault operations
Signer	Can approve/reject transactions and policies
Initiator	Can create transactions and propose policies, but cannot approve them
Viewer	Read-only access to vault data, balances, and transaction history

See Roles & Permissions for the full hierarchy.

Balances

You can query vault balances per-wallet or across the entire vault:

# Get all balances for a vault
curl https://api.tholos.app/vault/{vaultId}/balances \
  -H "Authorization: Bearer $THOLOS_API_TOKEN"

# Refresh balances from on-chain data
curl -X POST https://api.tholos.app/vault/{vaultId}/update-balances \
  -H "Authorization: Bearer $THOLOS_API_TOKEN"

Contacts

Vaults maintain an address book of known contacts for safer transactions. Contacts can be added individually or imported via CSV:

# Add a contact
curl -X POST https://api.tholos.app/vault/{vaultId}/contacts \
  -H "Authorization: Bearer $THOLOS_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "Treasury", "address": "0x...", "chain": "ethereum"}'

# List contacts
curl https://api.tholos.app/vault/{vaultId}/contacts \
  -H "Authorization: Bearer $THOLOS_API_TOKEN"

Key API endpoints

Operation	Method	Endpoint
Get vault	GET	/vault/{id}
Update vault	PATCH	/vault/{id}
Delete vault	DELETE	/vault/{id}
Get wallets	GET	/vault/{id}/wallets
Get balances	GET	/vault/{id}/balances
Update balances	POST	/vault/{id}/update-balances
List contacts	GET	/vault/{id}/contacts
Create contact	POST	/vault/{id}/contacts
Get transactions	GET	/vault/{id}/transactions
Get policies	GET	/vault/{id}/policies