MPC Vaults
Deploy a CKD-issuer contract bound to your NEAR account. OutLayer's keystore TEE derives your per-customer master inside the enclavevia NEAR's MPC network; from that master it generates keys for your agents' wallets, encrypted secrets, and payment checks on demand — all without anyone seeing the raw master.
You either let OutLayer's TEE manage this vault, or later take it over yourself (run it from your own TEE / runtime, or use the master manually). It's a one-way switch: once you take over, OutLayer stops serving this vault — but you keep every derived key, because the same MPC path reproduces the same master.
What is CKD?
Conditional Key Derivation is a NEAR MPC primitive. The MPC network's threshold-key holders jointly derive a private key for a given app id — deterministically, without any single node ever assembling the secret. The key is unique to the predecessor account that requested it.
Here, the predecessor is your vault contract and the app id is an HMAC of vault-master:<your_vault_id>. The keystore TEE asks NEAR MPC for the 32 bytes; same inputs ⇒ same master, every time. From that master, all your wallet keys and secret-encryption keys are HKDF-derived inside the enclave. Detaching from OutLayer = you query the same MPC path from the vault account and get the same master back. Full explanation.
Connect a NEAR wallet to create or manage vaults.
Create vault
vault.<your-account> with a single atomic NEAR transaction (CreateAccount + Transfer 0.10 NEAR + DeployContract + new() + AddKey TEE function-call key).Parent (= your account, immutable post-deploy) is the only NEAR account that can call unilateral_initiate_recovery, set_exit_window, or unlocked_add_key.