Policy concepts

Transaction policies are the security rules that control what funds can leave your wallets. Every wallet in Wallet-as-a-Service (Palisade) is deposit-only by default. You must create at least one policy for an asset before you can send that asset from the wallet.

Think of policies as programmable spending limits. They automatically evaluate every outgoing transaction and block any that would exceed your configured limits. This protects your assets even if someone gains unauthorized access to your API credentials or user accounts.

Policies answer these questions:

How much can leave in a single transaction?
How much can leave over a period of time?
What is the maximum that can ever leave?
Who can initiate transactions, and to where?

This page explains the core concepts you need to understand before creating and managing policies.

Policy scope

Policies operate at the wallet level only. Each policy applies to a single wallet and controls transactions for a specific asset within that wallet.

No vault-level or organization-level policies

You can't create a policy that applies to multiple wallets simultaneously. If you need the same limit across ten wallets, you must create ten separate policies—one for each wallet.

Multi-chain EVM wallets

If your organization uses separate wallets for different EVM chains (for example, one Ethereum wallet and one Arbitrum wallet), policies on one wallet do not apply to the other—even if both wallets hold the same asset (ETH). You must create policies independently on each wallet.

Limit types

Wallet-as-a-Service (Palisade) supports three limit types:

Per transaction (PER_TX) – Maximum amount for any single transaction
Rolling duration (ROLLING_DURATION) – Maximum cumulative amount within a sliding time window
Max total value (CONSTANT) – Lifetime cap on total withdrawals

You can combine multiple limit types on the same wallet for layered protection.

How rolling windows work

When you attempt a transaction, the system calculates how much has already left the wallet within the current window. If your new transaction would push the total over the limit, the system rejects it immediately. As older transactions "roll off" the window, capacity becomes available again.

See Policy reference for complete limit type documentation, duration values, and examples.

Policy uniqueness

Each policy must be unique within its wallet. The system identifies a policy by four attributes:

Attribute	Description
Wallet ID	The wallet the policy belongs to
Limit type	`PER_TX`, `ROLLING_DURATION`, or `CONSTANT`
Symbol	The asset symbol (for example, `ETH`, `BTC`, `USDC`)
Matchers	Optional filters that narrow when the policy applies

You can create multiple policies with the same limit type and symbol if they have different matchers. For example:

PER_TX + ETH + no matchers → Applies to all ETH transactions
PER_TX + ETH + TRANSACTION_TYPE: WITHDRAWAL → Applies only to ETH withdrawals

Both policies can coexist because their matcher configurations differ.

Duplicate policy error

If you try to create a policy that matches an existing policy's wallet, limit type, symbol, and matchers, the API returns error PAL006.023: limit policy already exists.

Policy immutability

Policies are immutable. You can't edit an existing policy's limit amount, duration, or matchers.

To modify a policy:

Delete the existing policy (see Manage policies).
Create a new policy with the updated values.

Why policies are immutable

Immutability provides a clear audit trail. Every policy change creates a new record with its own approval history, making it easy to track who authorized what and when.

Policy lifecycle

Every policy moves through a series of states from creation to deletion.

Failed to render mermaid diagram: Parse error on line 16: ...IMIT_ENABLED: active: true note righ -----------------------^ Expecting 'SPACE', 'NL', 'HIDE_EMPTY', 'scale', 'COMPOSIT_STATE', 'STRUCT_STOP', 'STATE_DESCR', 'ID', 'FORK', 'JOIN', 'CHOICE', 'CONCURRENT', 'note', 'acc_title', 'acc_descr', 'acc_descr_multiline_value', 'CLICK', 'classDef', 'style', 'class', 'direction_tb', 'direction_bt', 'direction_rl', 'direction_lr', 'EDGE_STATE', got 'DESCR' Parser.parseError (/tmp/diagram-microservice-assets/mermaid.min.js:2192:8039)

Policies move through five statuses: pending approval, enabled, rejected, pending deletion, and deleted. A policy in LIMIT_DELETION_APPROVAL_PENDING status continues to enforce transactions until approvers approve the deletion—this prevents gaps in protection.

See Policy reference for the complete status reference.

Approval requirements

Whether a policy requires approval depends on your organization's approval group configuration.

With approval groups configured

If your organization has an approval group for Policy rules, new policies enter LIMIT_CREATION_APPROVAL_PENDING status. Designated approvers must authorize the policy before it takes effect.

The policy activates after the required number of approvers authorize it (for example, 2 of 3 approvers). If the approval threshold becomes mathematically impossible to reach (for example, too many approvers skip), the policy moves to LIMIT_REJECTED.

Without approval groups configured

If no approval group exists for Policy rules, the policy automatically activates immediately after creation. It transitions directly to LIMIT_ENABLED with active: true.

Security consideration

Without approval groups, anyone with API credentials that include keylimit:create scope can instantly enable policies. Consider configuring approval groups to add human oversight.

See Approvals to configure approval groups for your organization.

Policy evaluation

When you submit a transaction, the policy engine evaluates it against all active policies for that wallet and asset. Policy checks are one stage in the full transaction pipeline.

Where policies fit in the transaction pipeline

Policy evaluation is the first check after a user or API credential creates a transaction. The full pipeline is:

Policy check – The engine evaluates the transaction against all matching policies. If any policy rejects it, Palisade rejects the transaction immediately and never sends it to approvers.
Approval check – If your organization configures approval groups for transactions, designated approvers must authorize the transaction.
MPC signing – The wallet's MPC quorum signs the transaction.
Blockchain submission – Palisade publishes the signed transaction to the network.

See Signing & approvals overview for details on approvals and MPC quorums.

Evaluation order

The engine finds all LIMIT_ENABLED policies that match the transaction's wallet, asset, and attributes.
For each matching policy, the engine checks whether the transaction would exceed the limit.
If any policy rejects the transaction, the entire transaction fails.
If all matching policies pass, the transaction proceeds to the next stage (approvals or signing).

Network fees and policy limits

Palisade checks policy limits against the transaction amount only and excludes network fees (gas on EVM chains, transaction fees on XRP Ledger) from the limit calculation. For example, if you have a PER_TX limit of 10 ETH and send exactly 10 ETH, the policy check passes — the gas cost doesn't push the transaction over the limit.

Operations that bypass policies

Policy checks don't cover all outgoing fund movements. Asset sweeping bypasses policies entirely. A wallet doesn't need any policies in place before Palisade can sweep it, and Palisade doesn't evaluate sweep transactions against existing policies.

This means policies alone don't prevent all fund movement from a wallet. If you need to restrict sweeping, manage sweep configurations separately through Settings > Workflows. Only owners and administrators can configure sweeping operations.

See Asset sweeping for details on sweep configuration.

Transaction freeze is separate from policies

Transaction freeze controls apply to inbound transactions only (holding incoming funds for compliance review). Policies apply to outbound transactions only. These two controls operate on different transaction directions and don't interact with each other.

Matcher evaluation

Matchers filter which transactions a policy applies to. A transaction must match all matchers on a policy for that policy to apply. If a policy has no matchers, it applies to all transactions for that asset.

Active matcher types include: TRANSACTION_TYPE, USER, API_CREDENTIAL, SIGN_FOR, COUNTERPARTY_ID, ADDRESS_ID, WALLET_ID, and CHAIN_ID. Use COUNTERPARTY_ID for new policies; reserve the older COUNTERPARTY matcher for backward compatibility.

See Policy reference for detailed matcher documentation and examples.

Monitoring policy checks with webhooks

If you have webhooks configured for the TRANSACTION domain, you receive notifications as transactions move through the policy check stage. The relevant statuses are:

Status	Description
`POLICY_CHECK_PENDING`	Palisade is evaluating the transaction against policies
`POLICY_CHECK_PASSED`	Transaction passed all policy checks
`REJECTED`	A policy or approval rejected the transaction

These webhooks allow you to build automated monitoring for policy enforcement — for example, alerting on rejected transactions or tracking policy check latency.

No policy lifecycle webhooks

Webhook notifications cover transaction status changes only. There are no webhook events for policy creation, approval, or deletion. To track policy lifecycle changes, use the Approval domain webhooks, which notify you when Palisade creates or resolves approval requests for policy rules.

See Webhooks overview for setup instructions and payload format.