Skip to main content
By the end of this guide, you’ll have wallet ownership verification working in your integration, with the signed message payload captured and ready for compliance and audit purposes.
Before you start
  • Your core Mesh integration is working end-to-end (see Prepare for go-live)
  • You’ve determined which addresses or wallet types require verification in your app

Background and Overview

Travel Rule regulations have long existed in traditional financial markets as a way for regulators to enforce laws pertaining to the movement of money (eg. anti-money laundering, terrorist financing, sanctions, etc.). In short, regulated financial institutions are responsible for knowing who they are receiving assets from, and where they’re sending assets to. The crypto world has long-awaited clear Travel Rule guidelines for crypto, and on July 4th, 2024 the European Banking Authority (EBA) released its final guidelines. Other global regulatory regimes are likely not far behind. This guide dives into detail around Mesh’s support for verifying ownership of a self-hosted wallet.

How does wallet verification work?

The nature of self-hosted wallets is that they don’t know who the user is. In other words, a user doesn’t KYC with MetaMask like they would with Coinbase or another centralized exchange. So verifying ownership of a self-hosted wallet is not about receiving user information from that wallet. Instead, it is about confirming that the user you know is in control of the wallet in question. Verification pertains to an address (ie. 0x31…cF98), not a wallet app (ie. MetaMask). Keep in mind that a user can interact with the same wallet (ie. address) from multiple wallet apps, and can also interact with multiple wallets from within the same wallet app. The EBA specifies that one acceptable method of verifying ownership of a self-hosted wallet is having the user sign a self-attestation of ownership (ie. a message) in that wallet. The message doesn’t have to be anything specific, but the message the user signs must be the exact message requested by you (or Mesh). A message signature is an off-chain event (ie. it’s completely gasless), but is also fully verifiable with the combination of the signedMessageHash, the address, and message. In Mesh’s wallet verification flow, the user is prompted to sign a message immediately after connecting their wallet. Similar to connection requests and transfer requests, the user won’t need to configure anything — all they have to do is review and sign. Wallet verification can be completely independent of a transfer (ie. the user only connects their wallet and signs the message), or can be used in combination with a transfer (ie. the user connects their wallet, signs a message, and then continues to the transfer).

2. Store the walletMessageSigned payload

After the user signs the message in their wallet, you will receive the walletMessageSigned SDK event with the following payload:
  • signedMessageHash
  • message
  • address
  • timeStamp
  • isVerified (boolean)
This data can be stored on your side for audit purposes, as well as to improve the return user experience within your UX. Note: This is the only time the signedMessageHash will be provided — Mesh does not retain this data.

Test your implementation

Test using MetaMask (Sepolia testnet) or Phantom (Solana Devnet). See Sandbox & Testnets for wallet setup instructions. What to test:
  • Full flow: Launch a sandbox Link session with verifyWalletOptions configured. Connect a test wallet — the user should be prompted to sign immediately after connecting, with no additional configuration needed.
  • Payload capture: Confirm your onEvent handler receives walletMessageSigned with all five fields present: address, isVerified, message, signedMessageHash, and timeStamp.
  • Message match: Verify that message in the payload exactly matches what you passed in verifyWalletOptions.message. If you didn’t provide a custom message, confirm Mesh’s default language appears.
  • Rejection path: Reject the signature request in your test wallet (click “Reject” in MetaMask). Confirm you receive the verifyWalletRejected event and that your app handles it gracefully.
  • Payload storage: Confirm you’re capturing and storing signedMessageHash at the time of the event — it won’t be retrievable afterward.

What’s next

Explore the other Extend guides:
AI coding reference — a compact summary of this page’s APIs, parameters, and patterns for use by AI coding assistants (following the llms.txt standard). Human readers can safely ignore this.llms.txt — Verify self-hosted walletsWallet ownership verification via signed message (EBA Travel Rule compliance). User signs a message in their wallet immediately after connecting; you store the signed payload for audit.Link Token verifyWalletOptions params: verificationMethods: ["signedMessage"] (required) | message (optional — Mesh provides default if omitted) | networkId (optional, specific network; do not use with networkType) | networkType (optional, e.g. “solana” or “evm”) | addresses[] (optional — restrict to specific addresses)Get networkIds: Use GET /api/v1/transfers/managed/networks to fetch the full list of supported networks and their networkId values. These values don’t change — safe to cache permanently, no need to call this endpoint before every Link Token request.Compatible with transfer flows: Add verifyWalletOptions to any deposit or payment Link Token request. User verifies wallet then proceeds to transfer. Does not affect CEX flows.SDK event: walletMessageSigned Payload: signedMessageHash | message | address | timeStamp | isVerified (boolean) Critical: Store signedMessageHash at event time — Mesh does not retain it.Rejection event: verifyWalletRejected fires if user declines to sign.Test: MetaMask (Sepolia testnet) or Phantom (Solana Devnet). See Sandbox & Testnets guide for setup.Verify use case — Link Token request body:
curl --request POST \
  --url https://sandbox-integration-api.meshconnect.com/api/v1/linktoken \ // This is pointing to sandbox
  --header 'Content-Type: application/json' \
  --header 'X-Client-Id: YOUR_CLIENT_ID' \ // Replace
  --header 'X-Client-Secret: YOUR_API_KEY' \ // Replace
  --data '
{
  "userId": "UNIQUE_USER_ID", // Replace
  "restrictMultipleAccounts": true,
  "integrationId": "757e703f-a8fe-4dc4-d0ec-08dc6737ad96", // Phantom, replace, optional
  "verifyWalletOptions": {
    "verificationMethods": [
      "signedMessage"
    ],
    "message": "MESSAGE_TO_BE_SIGNED", // Replace
    "networkId": "0291810a-5947-424d-9a59-e88bb33e999d", // Solana, replace, optional
    "networkType": "solana", // Replace, optional
    "addresses": [ // Optional
      "xxx" // Replace
    ]
  }
}
'
walletMessageSigned event payload (capture immediately — Mesh does not store it):
{
  "address": "0xABC...",
  "isVerified": true,
  "message": "I confirm I own this wallet address.",
  "signedMessageHash": "0xDEF...",
  "timeStamp": "2024-07-04T12:00:00Z"
}