> ## Documentation Index
> Fetch the complete documentation index at: https://docs.polygon.technology/llms.txt
> Use this file to discover all available pages before exploring further.

# OMS Wallet Architecture

> How OMS Wallet works: the WaaS embedded wallet service, wallet contracts v3, smart sessions, and the Guard Firewall.

OMS Wallet is built on a WaaS (Wallet as a Service) embedded wallet model. The service runs inside an AWS Nitro Enclave: the user's signing key never leaves that enclave, and transactions execute against smart contract accounts on-chain.

## Core systems

* **WaaS service** (Nitro Enclave): authenticates the user (OIDC, OAuth + PKCE, email OTP), holds the wallet's signing key, and signs transactions via an authenticated RPC API. See [Infrastructure](/wallets/infrastructure).
* **Wallet contracts v3** (on-chain smart accounts): the wallet is a smart contract account whose configuration is committed as a Merkle root on-chain; v3 contracts validate signatures and enforce session rules. See [Wallet Configuration](/wallets/wallet-configuration).
* **Smart Sessions** (API-driven): a remote backend or in-app flow can submit transactions from a user's wallet within on-chain permission bounds, granted by the user once and enforced by the Sessions Module on every call. See [Smart Sessions](/wallets/smart-sessions).
* **Guard Firewall** (policy enforcement): reviews each transaction against ecosystem policies, threat simulations, and blacklists before allowing on-chain execution. See [Guard Firewall](/wallets/guard-firewall).

## Deployment options

<CardGroup>
  <Card title="Hosted Wallet" href="/wallets/hosted-wallet">
    OMS operates the wallet on your domain with your branding. Control configuration in Builder and launch on a custom domain.
  </Card>

  <Card title="Custom Wallet" href="/wallets/custom-wallet">
    Build a wallet with the Wallet Development Kit on top of OMS wallet infrastructure. Critical components can be self-hosted. Includes native mobile (iOS and Android) via React Native.
  </Card>
</CardGroup>

## Security model

* User authentication, signing keys, and encryption all happen inside the Nitro Enclave. No unencrypted key material ever leaves enclave memory. See [Infrastructure](/wallets/infrastructure).
* Encryption keys are split across a Trusted Third Party council (Polygon, Quantstamp, CoinCover). No single party can decrypt user data unilaterally. See [Infrastructure](/wallets/infrastructure).
* Wallets are smart contract accounts on-chain; their existence does not depend on WaaS being online. See [Wallet Configuration](/wallets/wallet-configuration) and [Timed Recovery](/wallets/timed-recovery-technical).
