Eject keys
Enable users to reconstruct and export their private keys, retrieve backup shares, and securely exit the MPC model with full wallet ownership.
Key eject lets a user exit the MPC model and reconstruct their full private key outside of Tatum. It is an escape hatch - once ejected, the wallet can no longer be used with Portal for signing.
How Eject Works
- You (the custodian) enable eject for a wallet with a time window using enableEject()
- The client retrieves their encrypted backup share and Tatum's custodian backup share using getEjectableBackupShares()
- The client decrypts their backup share and combines it with Tatum's share to reconstruct the private key
- The client calls completeEject() to mark the wallet as ejected on Portal
The wallet is then marked as ejected (ejectedAt is set on the client). No further signing is possible through Tatum.
Enable Eject
Eject must be explicitly enabled by the custodian. You set an ejectableUntil timestamp that limits the window during which the client can pull the shares:
// Allow eject for 7 days
const result = await wallets.custodian.enableEject({
  path: { clientId: "cli_..." },
  body: {
    walletId: "wallet-id",
    ejectableUntil: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(),
  },
});
console.log(result.ejectableUntil); // ISO timestamp
Retrieve Ejectable Backup Shares
From the custodian side (you fetch on behalf of the client):
const shares = await wallets.custodian.getEjectableBackupShares({
  path: {
    clientId: "cli_...",
    walletId: "wallet-id",
  },
});
// shares.custodianBackupShare — Tatum's backup share (plain)
// shares.encryptedClientBackupShare — client's encrypted backup share (if stored with Portal)
From the client side (client fetches their own shares):
const shares = await client.getEjectableBackupShares({
  path: { walletId: "wallet-id" },
  query: { backupMethod: "PASSKEY" }, // "PASSKEY" | "PASSWORD" | "GDRIVE" | "ICLOUD"
});
Complete Eject
After the client has reconstructed their key, call completeEject() to finalize:
await client.completeEject({
  path: { walletId: "wallet-id" },
});
This sets ejectedAt on the client and prevents further Portal-based signing.
Ownership & Exit Guarantees
- Eject requires both the client's backup share (held by them) and Tatum's custodian backup share
- The ejectableUntil window is enforced by Portal — Tatum will not release its backup share after the window closes
- completeEject() is irreversible — the wallet cannot re-join Portal after ejection
- If backup shares were not created before eject, key reconstruction is impossible
Always create a backup before enabling eject.
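The guarantees above translate into pre-flight checks an integration can run before calling enableEject() and before the client calls the irreversible completeEject(). This is an added example, not Tatum's or Portal's code: MAX_WINDOW_MS, backupConfirmed and keyVerified are hypothetical names, and how your integration establishes those two flags is an assumption.

```javascript
// Added example: guard functions around the eject flow described on this page.
// MAX_WINDOW_MS, backupConfirmed and keyVerified are assumptions, not SDK fields.
const MAX_WINDOW_MS = 7 * 24 * 60 * 60 * 1000; // assumed policy cap: 7 days

// Build the argument object for wallets.custodian.enableEject(), or throw.
function buildEnableEjectArgs({ clientId, walletId, windowMs, backupConfirmed, now = Date.now() }) {
  if (!clientId || !walletId) throw new Error("clientId and walletId are required");
  // Without backup shares, key reconstruction is impossible, so fail closed.
  if (backupConfirmed !== true) throw new Error("no confirmed backup: refusing to enable eject");
  // Keep the share-release window short and bounded.
  if (!Number.isInteger(windowMs) || windowMs <= 0 || windowMs > MAX_WINDOW_MS) {
    throw new Error("eject window must be a positive integer no larger than MAX_WINDOW_MS");
  }
  return {
    path: { clientId },
    body: { walletId, ejectableUntil: new Date(now + windowMs).toISOString() },
  };
}

// True while shares can still be pulled; an unparsable timestamp counts as closed.
function isEjectWindowOpen(ejectableUntil, now = Date.now()) {
  const until = Date.parse(ejectableUntil);
  return Number.isFinite(until) && now < until;
}

// Gate for completeEject(): only proceed once the reconstructed key has been
// checked by the client (keyVerified) and the wallet is not already ejected.
function canCompleteEject({ ejectedAt, keyVerified }) {
  if (ejectedAt) return { ok: false, reason: "already ejected" };
  if (keyVerified !== true) return { ok: false, reason: "reconstructed key not verified" };
  return { ok: true, reason: null };
}
```

Pass the object returned by buildEnableEjectArgs() straight to wallets.custodian.enableEject(), and call completeEject() only when canCompleteEject() returns ok.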