Self-Custody
No one holds your money but you.
AT Protocol was built on a specific promise: users should be able to leave any app at any time and take everything with them — their identity, their social graph, their data. This is what the protocol calls credible exit. Atmosphere Money extends that promise to money.
Your Atpay wallet is self-custodial. Your private key is generated on your device and never transmitted to or stored by Atmosphere Money. We cannot access your funds, freeze your wallet, or block you from moving your money. Not by design, and not by accident.
If Atmosphere Money disappeared tomorrow, you would still have your keys and your funds would be entirely intact.
Security Architecture
How your wallet is protected.
Your wallet is secured using industry-standard hardware and cryptography, the same model used by leading self-custody wallets. Security happens at the device level, not at the server level.
01
Secure Enclave (iOS) & TEE (Android)
Your private key is generated inside and stored within a protected hardware environment isolated from the rest of your device. It never exists in plain memory and cannot be extracted by other apps or processes.
02
Biometric protection
Every transaction requires your biometric confirmation — Face ID on iPhone, fingerprint on Android. No one can sign a transaction from your wallet without passing your device's biometric check.
03
Encrypted key backup
Your key is backed up in encrypted form so you can recover your wallet if you lose or replace your device. The backup is encrypted before it leaves your device — we cannot read it.
04
Never held by us
Atmosphere Money never receives, stores, or has access to your private key in any form. Our servers do not participate in transaction signing. Custody stays entirely with you.
AT Protocol Integration
Your handle is your payment address — but your wallet stands alone.
When you set up Atpay, a wallet is created with its own independent keypair. Separately, your wallet address is published as a verifiable record in your atproto repository, creating a public link between your DID and your payment address. This is what lets your atproto handle work as a payment address across the Atmosphere.
Critically, the link and the wallet are two different things. Your atproto DID has its own keys; your wallet has its own keys. The record in your repo is simply a pointer — like a verified email address on a social profile. Revoking or updating that record has no effect on your wallet or your funds.
- Verifiable and public: anyone on the Atmosphere can resolve your DID and find your wallet address, making your handle a universal payment identifier.
- Independent keypairs: your wallet private key and your atproto signing key are separate. Compromising one does not compromise the other.
- Unlinkable at any time: you can remove the wallet record from your atproto repo at any time. This removes discoverability but does not touch your wallet or funds.
- Portable with your DID: because your atproto identity is portable by design, so is the linked wallet address — it moves with you across any AT Protocol app or PDS.
Our Limits, By Design
What Atmosphere Money cannot do.
Self-custody means accepting that certain things are genuinely impossible for us, not just against policy. These are constraints we have built into the architecture on purpose, because we believe the alternative — a system where we could do these things — would be a worse system.
Cannot access your funds
Your private key never leaves your device. We have no server-side key, no admin key, and no recovery backdoor that would allow us to move your funds.
Cannot reverse transactions
Transactions settled on Tempo are final. Once confirmed, a payment cannot be reversed, recalled, or clawed back by us or anyone else. Always verify recipients before sending.
Cannot freeze your wallet
There is no admin key or blacklist mechanism that would allow us to freeze, pause, or restrict a wallet. Your funds remain accessible regardless of our relationship with you.
Cannot block your export
The private key export function is always available. No account status, no dispute, and no business decision on our part can prevent you from exporting your key and taking your funds elsewhere.
If you ever need to export your private key, full instructions are available here.