Porto by Anchorage Digital is an institutional self-custody wallet built with the security and technology Anchorage Digital is best known for, enabling full Web3 access and seamless integration with the Anchorage Digital platform.
This documentation is for Porto users only. Any external sharing beyond authorized Porto users requires approval from Anchorage Digital. For support, contact portohelp@anchorage.com.

About Porto by Anchorage Digital

Porto makes institutional self-custody simple, while ensuring assets are safeguarded using a robust security architecture.

Secure self-custody

World-class security with end-to-end cryptographic integrity, FIPS-140 policy and private key security, and hardware security modules (HSMs).

Broad Ethereum network support

Transact and self-custody all ERC-20 tokens—including new assets—with support for more Layer 1s coming soon.

Seamless smart contract interactions

Connect to dApps for staking, reward-claiming, governance voting, and more.

Device requirements

All users are required to have an iPhone 8 or later with Touch ID or Face ID enabled. The Porto security model leverages the secure enclave in the Apple device. During onboarding, each device is tethered to Porto. Supported devices:
  • iPhone 8 or later with Face ID or Touch ID enabled
  • iPad 5th generation or later

Onboarding

Prior to onboarding, all admin users should download the Porto by Anchorage Digital app by searching “Porto by Anchorage Digital” in the Apple App Store.
You may need to upgrade to the latest iOS software to download the app.
Porto recommends onboarding with at least 3 users. There are two critical steps to secure your organization and complete onboarding:
1. Download the organization recovery document

The organization recovery document is used to restore your access to Porto if you lose access to all Porto-enrolled devices. Store it safely so that Anchorage Digital can use it to help you restore access to Porto. Unlike a seed phrase, this PDF is not sensitive material on its own—it is only relevant within Anchorage Digital’s security architecture. Only a quorum of an organization’s admins can provide this to Porto to initiate a recovery process.
Porto cannot restore your access if you lose your organization recovery document.
2. Distribute the wallet recovery shares

Wallet recovery shares can be used to export your wallets outside of Porto, as long as you have 2 out of 3 recovery shares. A single wallet recovery share is not sensitive on its own, but with 2 out of 3 shares, your wallets become accessible outside of Porto. During onboarding, distribute each share to a different team member to ensure they are kept separate and secure. Maintaining the separation and security of each wallet recovery share is crucial for safeguarding your wallets against unauthorized access.

Security model

Every product decision is informed by deep expertise in security. The result is a wallet that sets the standard for digital asset security.

No passwords

Porto forgoes the use of usernames and passwords, which are susceptible to fraud, impersonation, and abuse.

No emails or texts

Porto does not use emails or phone numbers, so attackers cannot gain access by triggering email or SMS-based account recovery.

No unauthorized devices

Only pre-approved devices may access an account.

Biometric authentication

Users can only unlock the app using Face ID or fingerprint. Sensitive operations require biometric approval.

Authentication via hardware security modules

Once a transaction is fully approved by the organization’s team, it advances to a specialized hardware system to be processed within minutes.
  • Hardware security modules: Private keys are generated on air-gapped HSMs. The system signs transactions without ever exposing private keys.
  • Hardware-enforced logic: Custom logic verifies that each operation has a valid quorum of approvals. Transactions can process only if approved.
  • High-security data centers: Porto HSMs are housed in protected data centers with 24/7 physical security. Visitors must pass through man traps and biometric authentication. No individual can manually override a given HSM.

How it works

The Porto transaction flow is designed to prove with certainty that a given transaction reflects an organization’s intent. Once all three steps are complete, Porto processes the transaction within minutes.
1. iOS biometrics

Sensitive operations require the user’s biometric approval using Face ID. Each user’s identity is tied to a unique and unforgeable cryptographic key, created and stored in the iOS Secure Enclave so only authorized devices can access the account.
2. Multi-user approval

Every transaction requires approval from at least two members of the organization, using authentication through authorized devices.
3. Hardware-enforced logic

HSMs process the transaction once quorum approval is met. The system signs transactions without ever exposing private keys.

Access and policies

User permission levels

The platform has three permission levels. Users can hold multiple roles, and each vault can have its own user access configuration.
| Permission | Edit vault & org policies | Add/remove users | Create vault | Add/remove trusted destinations | Deposit & withdraw | View balances |
| --- | --- | --- | --- | --- | --- | --- |
| Admin | Supported | Supported | Supported | Supported | Supported | Supported |
| Operator | Not supported | Not supported | Not supported | Not supported | Supported | Supported |
| View-only | Not supported | Not supported | Not supported | Not supported | Not supported | Supported |
  • Admin: Full access to perform administrative tasks, including the ability to create and modify policies, add and delete users, manage trusted destinations, and create and edit vaults.
  • Operator: Access to perform operations in a vault, including initiating and approving withdrawals.
  • View-only: View permissions to vaults and the ability to view balances.

Device-based account access

| Action | iOS | Web dashboard | Quorum needed |
| --- | --- | --- | --- |
| Deposits | Supported | Supported | Not required |
| Withdrawals | Supported | Supported | Required |

Vault overview

Users can take advantage of multi-asset vaults to organize assets in the Porto wallet. There is no limit on the number of vaults. Each vault must have a minimum of 3 members and a minimum quorum of 2 approvers. With those conditions met, quorum approval can be customized. The number of members and approvers may be influenced by factors like the use case for each vault—frequent or infrequent withdrawals—and the amount of value in the vault.

Customize and configure policies

  • Customize all permissions: Configure permission policies across the entire organization and specific to each vault, ensuring everyone has only the permissions needed.
  • Configure quorums and sub-quorums per vault: Set one vault’s quorum to require approvals from 2 of 9 members, and another’s to require approvals from 5 of 6 members. Designating a sub-quorum of required approvers is also an option.
  • Empower administrators: Unlike other users, administrators can—if approved by the necessary quorum—add and delete users, add and remove trusted destinations, create and edit vaults, and change organizational policies.
Quorum definitions:
  • Quorums: A group of users with permission to initiate and approve operations, such as default, governance, staking, or withdrawal operations.
  • Sub-quorums: Additional approval layers ensuring operations cannot proceed without a set number of approvals from designated members. Policies may have as many sub-quorums as needed.
For more details, see Creating a vault and Adding users.