Skip to main content

Documentation Index

Fetch the complete documentation index at: https://musubinetwork.com/llms.txt

Use this file to discover all available pages before exploring further.

As a sender custodian, you’re a co-signer in a multi-party FX settlement — not just a send/receive operator. No assets move without your cryptographic co-signature.

Dual Authorization: Institution + Custodian

Every trade requires two independent authorizations from the sending side:
StepWhoWhat They Do
1. Select quoteInstitution (your client)Reviews competing quotes, picks the best rate
2. Authorize movementYou (the custodian)Co-signs the quote acceptance, authorizing asset release
Neither party can act alone. The institution cannot move assets without your co-signature. You cannot initiate a trade — only authorize one that your client has requested.

How This Differs from Standard Multisig

If you’re used to threshold multisig (2-of-3, 3-of-5), the Canton model works differently:
Standard Multisig (EVM)Canton 4-Party Approval
SignersAnonymous key holders (any 2 of 3)4 named parties with specific roles
ThresholdN-of-M (any combination)All 4 required — no substitutes
OrderingSignatures collected simultaneouslyRolling approval — each party signs sequentially
MechanismOn-chain signature aggregationDAML choice exercise — each Approve creates an updated contract
VisibilityAll signers see the same on-chain dataEach party sees only what they’re authorized to see
VetoAny signer can refuse (blocks threshold)Any of the 4 parties can refuse (blocks settlement)
The four required confirming parties for every settlement (Canton mediator confirmation derived from per-leg Allocation contracts’ signatory closure — see ADR-0004 §B4):

Why You See Quotes

Competing quotes are visible to you because your co-signature is the best-execution gate. Three practical consequences:
  • Your co-signature confirms the rate is acceptable at the moment of authorization.
  • You can refuse a quote whose rate doesn’t meet the cost guard or looks off-market — the acceptance fails and no assets move.
  • quote_accepted_at becomes the timestamped evidence of which rate you authorized.

The Authorization Flow

1

Order Proposal Arrives

Your client creates an FX order referencing you as their custodian. The order appears on your system with:
  • Target currency and amount (e.g., 100,000 USDCx)
  • Target currency (USDCx)
  • Receiver institution and their custodian
  • KYC/AML clearance reference
  • Optional cost guard (source_amount_max)
You can accept the proposal (order proceeds to quoting) or reject it (order is cancelled).
2

Market Maker Quotes Arrive

After you accept the proposal, market makers submit competing quotes. You see all quotes for orders you custody:
QuoteFX RateUSDCx OfferedValid Until
MM-A112.011,200,00030s
MM-B8.895088,950,00030s
MM-C8.920089,200,00020s
You and your client review these independently. The institution selects the best one; you co-sign.
3

You Co-Sign the Quote Acceptance

When the institution selects a quote, the acceptance requires your co-signature:
  • Your co-signature authorizes the JPYSC0 release from your custody
  • Without your co-signature, the quote acceptance fails and no assets move
  • Musubi validates: quote still valid (valid_until not passed), cost guard met, order still PENDING
After your co-signature, the order transitions to QUOTED and settlement proceeds automatically.
4

4-Party Settlement Approval

Your approval from the previous step carries forward into the rolling approval process. The settlement protocol collects the remaining approvals (market maker, receiver custodian) automatically. Once all four have signed, the atomic DvP executes.
5

Settlement Confirmation

The atomic DvP completes in ~4 seconds. You see the settled order with:
  • transaction_hash — single proof covering all four legs
  • settled_at — settlement timestamp
  • Final amounts and executed rate
Your client’s JPYSC0 balance decreases; the receiver custodian’s USDCx balance increases. Both changes are atomic.

Receiver Custodian Workflow

As a receiver custodian, your workflow is simpler:
  1. Settlement confirmation arrives — USDCx deposited in your custody by the atomic DvP
  2. Update client balance — credit the receiver institution’s account
  3. Reconcile — match transaction_hash, amounts, and timestamps against your records
No approval is required from you during the trade flow. Your consent is established through your whitelist configuration (see Compliance).

What You Can Block

As a sender custodian, you have veto power at two points:
ActionEffect
Reject order proposalOrder is cancelled immediately. No quotes are solicited.
Refuse to co-sign quote acceptanceQuote acceptance fails. Order remains PENDING until another quote is accepted or it expires.
If something looks wrong — unusual amount, unfamiliar receiver, suspicious timing — you can stop the trade.

Declining a quote

When you click Decline on a pending co-sign:
  1. You must enter a rejection_detail of at least 20 characters. This text becomes a permanent audit field — auditors will read it.
  2. The proposed quote is terminally rejected (β quote-tainting) — the same quote cannot be re-proposed by the institution. The market maker sees their FXQuote transition to QUOTE_REJECTED immediately on their feed.
  3. Other PENDING quotes for the same order remain selectable. The institution may propose a different one.
  4. The FX order stays in PENDING status until a different quote is co-signed or the order’s expiresAt is reached.
The institution can also withdraw its own proposal before you act, by calling POST /api/v1/orders/{intent_id}/quotes/{quote_id}/withdraw-acceptance with a 20-character withdrawal_reason. After withdrawal, the proposed quote stays PENDING and the institution can pick another. If neither side acts before quote.validUntil, the operator’s expiry cron archives the proposal automatically — no on-ledger trace beyond the QuoteCoSignExpired SSE event.