Skip to main content
The Musubi console is a web UI your ops team logs into. It handles the proposal review, quote comparison, and co-signature workflow so you don’t build a custom ops UI. This page describes what your team does in the console; for the protocol-level view of what Canton is doing under the hood, see Authorization Workflow.
This page describes the console workflow. For custodians with custom compliance rails that need to automate the authorization step programmatically, see Programmatic Access.

Who uses the console

Typical custodian team mapping:
Role in your orgWhat they do in the console
Authorizer (treasury / ops lead)Accepts or rejects order proposals; co-signs quote acceptance
Reviewer (compliance / risk)Cross-checks KYC references, reviews orders for unusual patterns before authorization
Observer (finance / reconciliation)Watches settled volume and reconciles against the accounting system
Role-based access maps to your existing JWT claims; your IdP decides who can authorize vs. read-only.

Inbox — pending proposals

When an institutional client creates an FX order referencing your Party ID, it appears in the Inbox as a pending proposal with:
  • Target currency and amount
  • Receiver institution + their custodian
  • Source of funds, purpose code, jurisdictions
  • KYC / sanctions references (cross-check against your internal records)
  • Cost guard (source_amount_max) if the sender specified one
From the Inbox you accept (proposal proceeds to quoting) or reject (proposal is cancelled, no quotes are solicited). Rejection is immediate and non-reversible.

Quote review

After acceptance, market makers submit competing quotes. The console shows them side-by-side:
  • FX rate, source amount, target amount
  • Validity window (each quote has its own expiry, typically 30 seconds)
  • Whether each quote satisfies the cost guard
Your authorizer reviews and selects — the institution does the same on their side. Either party can hold off; neither can unilaterally force the decision.

Co-signature

When the institution selects a quote, the console surfaces a co-signature action. Clicking co-sign:
  • Verifies the quote is still within its validity window
  • Confirms cost-guard compliance
  • Adds your cryptographic signature to the quote acceptance
  • Transitions the order to QUOTED
Without your co-signature, the quote acceptance fails and no assets move. This is the dual-authorization gate — institution selects the rate, you authorize the movement.

Dashboards

The Home dashboard shows:
PanelWhat it tells you
Orders by statusHow many orders are PENDING / QUOTED / EXECUTING / SETTLED / FAILED / EXPIRED right now
Settled volumeDaily / weekly / monthly settled volume by currency pair
Recent settlementsLast N settlements with transaction_hash, settled_at, amounts
AlertsPENDING accumulating, FAILED spikes, quote-response latency

Veto at each step

Your authorizer can refuse at any of three points:
ActionEffect
Reject proposalOrder cancelled immediately. No quotes solicited.
Ignore all quotesOrder remains PENDING until another quote is accepted or it expires.
Refuse to co-signQuote acceptance fails. Order remains PENDING.
If something looks wrong — unusual amount, unfamiliar receiver, KYC mismatch — you don’t need to explain or reach a committee. Refuse and the trade doesn’t happen.

Next steps

For how settlement records land in your archive, see Audit Exports. For the protocol-level “what the four signatories are doing,” see Authorization Workflow.