> ## Documentation Index
> Fetch the complete documentation index at: https://ramps-04-30-docs-add-grid-tutorial-skill-interactive-zero-t.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Global Accounts

> Give your customers a branded, self-custody dollar account powered by Grid.

export const FeatureCardGrid = ({cols = 3, children}) => <div className={`not-prose feature-cards-grid feature-cards-cols-${cols}`}>
    {children}
  </div>;

export const FeatureCard = ({icon, title, children, href, linkHref, linkText, color, tag, tagPosition, layout, variant, iconSize}) => {
  const isHorizontal = layout === 'horizontal';
  const isFlat = variant === 'flat';
  const isLargeIcon = iconSize === 'lg';
  const isInlineTag = tagPosition === 'inline';
  const card = <div className={`feature-card ${href ? 'feature-card-link' : ''} ${!icon ? 'feature-card-no-icon' : ''} ${isHorizontal ? 'feature-card-horizontal' : ''} ${isFlat ? 'feature-card-flat' : ''} ${isLargeIcon ? 'feature-card-icon-lg' : ''}`}>
      {icon && <div className="feature-card-icon-wrapper">
          {color ? <div className="feature-card-icon" style={{
    WebkitMaskImage: `url(${icon})`,
    maskImage: `url(${icon})`,
    backgroundColor: color,
    width: '24px',
    height: '24px',
    WebkitMaskSize: 'contain',
    maskSize: 'contain',
    WebkitMaskRepeat: 'no-repeat',
    maskRepeat: 'no-repeat'
  }} /> : <img src={icon} alt="" className="feature-card-icon" />}
        </div>}
      <div className="feature-card-content">
        {isInlineTag ? <div className="feature-card-title-row">
            <span className="feature-card-title">{title}</span>
            {tag && <span className="feature-card-tag">{tag}</span>}
          </div> : <div className="feature-card-title">{title}</div>}
        <div className="feature-card-desc">{children}</div>
        {tag && !isInlineTag && <div className="feature-card-tag-row"><span className="feature-card-tag">{tag}</span></div>}
        {linkText && <div className="feature-card-link-row">
            {linkHref ? <a href={linkHref} className="feature-card-text-link" style={{
    color: color
  }}>
                {linkText}
              </a> : <span className="feature-card-text-link feature-card-coming-soon" style={{
    color: color,
    opacity: 0.6
  }}>
                {linkText}
              </span>}
          </div>}
      </div>
    </div>;
  return href ? <a href={href} className="feature-card-anchor">{card}</a> : card;
};

<img src="https://mintcdn.com/ramps-04-30-docs-add-grid-tutorial-skill-interactive-zero-t/vZ4k3ntKKLXK97r8/images/heroes/hero-gga.webp?fit=max&auto=format&n=vZ4k3ntKKLXK97r8&q=85&s=083177865ff82b254a91e0ab88057221" alt="Grid Global Accounts hero" className="page-hero" width="1856" height="800" data-path="images/heroes/hero-gga.webp" />

A Grid Global Account is powered by a self-custody embedded [Spark](https://spark.money) wallet Grid provisions for your customer that holds a stablecoin or BTC balance and participates in the standard Grid payment flows. It behaves like any other internal account for *incoming* funds, but every outbound transfer must be authorized by the customer — a session signing key issued for their device signs each payment. In the API, a Global Account is an internal account with `type: "EMBEDDED_WALLET"` that participates in the standard Grid customer, quote, transaction, and webhook flows.

## Why a Grid Global Account?

* **Self-custody.** Grid never has unilateral access to move user funds, and neither do you. The customer's device is the only party that can authorize a transaction.
* **Stablecoin-denominated.** Balances are held as stablecoins like [Brale-issued USDB](https://brale.xyz/stablecoins/USDB). Use the standard `/quotes` API to convert in from fiat or out to any supported Grid bank-account rail (ACH, PIX, CLABE, UPI, IBAN, UMA, …).
* **Grid-native.** You reuse the customer, internal-account, quote, transaction, and webhook primitives you already integrated for Payouts or P2P. The only thing that's new is an auth + signing layer at the account.
* **Built on Bitcoin.** Global Accounts run on Spark, a Lightning-compatible Bitcoin L2 that supports instant, low-fee Bitcoin and Stablecoin transfers. You get the benefits of running on Bitcoin, the most neutral, decentralized, and secure network for money.

## Payment flow

Grid Global Accounts ride on the same `/quotes` + `/quotes/{id}/execute` pattern as every other Grid payment. The only thing that's different is that outbound transfers need a client signature.

* **Incoming funds.** Funding an account works like any other internal account. Create a quote with the Global Account as the `destination`, execute it, and Grid converts the source currency into USDB and credits the account. No customer approval needed — incoming value is passive.
* **Outgoing funds.** Withdrawals and transfers out require the customer to authorize them on their device. Grid returns a `payloadToSign` in the quote's `paymentInstructions`; the client signs those bytes with its session signing key and passes the base64 signature as the `Grid-Wallet-Signature` header on `/quotes/{id}/execute`. Only then does Grid release the funds.

Sessions are short-lived (15 minutes by default) and bound to a specific device via the client key pair, so a stolen signature can't be replayed from a different device or after the session expires. Standard transaction webhooks fire throughout the lifecycle — see [Transaction lifecycle](/platform-overview/core-concepts/transaction-lifecycle).

## Architecture

Three parties participate in every signed action:

| Party                  | Role                                                                                                                                                                   |
| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Client**             | The customer's device (browser, iOS app, or Android app). Generates the client key pair, runs WebAuthn, decrypts the session signing key, and signs outbound requests. |
| **Integrator backend** | Your server. Holds your Grid API credentials, brokers every call to Grid on behalf of the client, and issues WebAuthn challenges for initial passkey registration.     |
| **Grid**               | Verifies auth credentials, issues session signing keys (encrypted to the client's public key), and enforces that every account action is authorized.                   |

The client **never** talks to Grid directly. Every request flows client → integrator backend → Grid.

## Auth credentials, client keys, and session signing keys

Three distinct pieces of crypto collaborate to authorize actions on the Global Account (withdrawals, credential changes, session revocations, and wallet exports):

| Piece                                                   | Where it lives                                                                                                      | How long it lives             | What it proves                                                                                                                                                                           |
| ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | ----------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Auth credential** — passkey, OIDC token, or email OTP | Registered on the account; the passkey itself lives on the authenticator, OIDC on your IdP, OTP in the user's inbox | Until the customer revokes it | *"I am the human who owns this account."* Used to authenticate the user at the start of each session.                                                                                    |
| **Client key pair** (P-256)                             | Generated on the client device for each verification request; private key stays in device-local secure storage      | One verification request      | Binds a given session signing key delivery to the exact device that asked for it — Grid encrypts the session to this public key, so only this device can decrypt.                        |
| **Session signing key** (P-256)                         | Issued by Grid, sealed to the client public key, decrypted and held on the device for the session's lifetime        | 15 minutes (default)          | *"This specific account action was approved on an authenticated device."* Signs the `payloadToSign` Grid returns on quotes, credential changes, session revocations, and wallet exports. |

The flow is always the same: verify an auth credential → receive a short-lived session signing key → sign `payloadToSign` bytes on the client → pass the signature as the `Grid-Wallet-Signature` header on the request that actually moves funds or changes account state. This applies to withdrawals, adding or removing credentials, revoking sessions, and exporting the wallet seed.

## Core capabilities

<FeatureCardGrid cols={3}>
  <FeatureCard icon="/images/icons/wallet1.svg" title="Branded dollar accounts">
    Give each customer a branded account experience backed by Grid account infrastructure.
  </FeatureCard>

  <FeatureCard icon="/images/icons/coins.svg" title="Stablecoin balances">
    Hold dollar-denominated value and use Grid quotes to move between account balances and supported rails.
  </FeatureCard>

  <FeatureCard icon="/images/icons/globe.svg" title="Local off-ramps">
    Let customers move value to supported local bank rails, including corridors such as PIX, UPI, SEPA, FPS, and more.
  </FeatureCard>

  <FeatureCard icon="/images/icons/shield.svg" title="Self-custody authorization">
    Require customer approval for outbound account actions. Grid and your platform cannot unilaterally move customer funds.
  </FeatureCard>

  <FeatureCard icon="/images/icons/bitcoin.svg" title="Built on Spark">
    Use Spark, a Lightning-compatible Bitcoin L2, to support Bitcoin and stablecoin flows where enabled for your platform.
  </FeatureCard>

  <FeatureCard icon="/images/icons/bell.svg" title="Webhooks and reconciliation">
    Track funding, withdrawals, and settlement status with standard Grid account and transaction webhooks.
  </FeatureCard>
</FeatureCardGrid>

## Additional capabilities

Some Global Accounts capabilities require platform enablement before you can build with them. [Book a demo](https://www.lightspark.com/contact) to see how they fit your platform.

<FeatureCardGrid cols={3}>
  <FeatureCard icon="/images/icons/credit-card1.svg" title="Card programs">
    Issue cards tied to Global Account balances where enabled for your platform.
  </FeatureCard>

  <FeatureCard icon="/images/icons/agent.svg" title="Agentic payments">
    Support bounded account access for AI agents with policy-controlled movement.
  </FeatureCard>

  <FeatureCard icon="/images/icons/IconSquareChecklistMagnifyingGlass.svg" title="Advanced account controls">
    Configure limits, permissions, and controls for more complex account programs.
  </FeatureCard>
</FeatureCardGrid>

## Where to next

<CardGroup cols={2}>
  <Card title="Implementation overview" href="/global-accounts/implementation-overview" icon="rocket">
    End-to-end walkthrough: create a customer, register a passkey, fund the account, and execute a signed withdrawal.
  </Card>

  <Card title="Authentication" href="/global-accounts/authentication" icon="shield-check">
    Passkey, OAuth (OIDC), and email OTP registration and reauthentication flows.
  </Card>

  <Card title="Client keys & signing" href="/global-accounts/client-keys" icon="key">
    Generate the P-256 key pair, decrypt the session signing key, and sign payloads on Web, iOS, and Android.
  </Card>

  <Card title="Sandbox testing" href="/global-accounts/platform-tools/sandbox-testing" icon="hammer">
    Magic values for OTP, signatures, and OAuth tokens that exercise the full request shape without standing up real auth providers.
  </Card>
</CardGroup>
