v0.4 · Private beta · Testnet live

2-of-3 multisig.
No single point of failure.

Mobile key. Hardware key. Recovery key. Lose any one and the other two sign. Built on BIP48 and P2WSH — the same standards the most careful Bitcoin custody teams have relied on for years — wrapped in an app designed for humans.

No KYC in v1 · Open descriptor · Sovereign recovery
Signing threshold: 2 / 3
Script type: P2WSH
Seed phrases: zero
Built on open Bitcoin standards
01  ·  Custody model

How 2-of-3 multisig works.

Your Bitcoin lives in a native SegWit multisig script — P2WSH — controlled by three independent keys. Any two of them together can authorize a transaction. No single key can move funds alone. That includes ours.

Vault · Primary Savings · m/48'/0'/0'/2'

2 of 3
A · Key 1 · You

Mobile key

Generated on your phone, held in the device's secure element. An encrypted backup lives in your iCloud or Google Drive — we can't read it, and you won't be asked to copy a seed phrase.

fingerprint: a1f04c92
B · Key 2 · You

Hardware wallet

Trezor or Ledger, paired through a desktop bridge so private keys stay on the device. Every send is verified on the hardware wallet's own screen before it signs.

fingerprint: 8c9e3122
C · Key 3 · Coinhost

Recovery key

Held in an AWS CloudHSM and only signs during recovery — after a 7-day cooling period with daily alerts to everyone on the vault. Cancellable at any time with one click.

fingerprint: hsm-*****
Threshold
Day-to-day, Mobile and Hardware sign together. If either is lost, Coinhost co-signs with whichever key you still have — but only after the cooling period closes without a cancel.
A  +  B  →  sign
A  +  C  →  recover
B  +  C  →  recover
02  ·  Threat model

When something goes wrong.

Single-key wallets fail with a single mistake. In a 2-of-3 vault, two of the events below would have to happen simultaneously before funds are at risk.

01 · Phone lost or stolen

Your phone is lost, broken, or stolen.

The mobile key goes with it — but it never held funds alone. Install Coinhost on a new phone, pair your hardware wallet, and our recovery key signs alongside it after the cooling period. A new mobile key is generated; the old one is retired.

Funds safe. Hardware + recovery co-sign the replacement.
02 · Hardware wallet lost

Your hardware wallet is missing.

Its PIN and passphrase stop anyone who finds it. Even unlocked, one key is not enough. Order a replacement, pair it through the bridge, and rotate keys with your mobile key plus our recovery key — funds sweep to a new vault using fresh keys.

Funds safe. Mobile + recovery co-sign the rotation.
03 · Coinhost goes away

Coinhost is shut down, breached, or acquired.

You still hold two keys — and two keys are the full wallet. Export the vault descriptor from the app (or the monthly copy we send to your email) and open it in Sparrow, Electrum, or Specter. You can spend from there with no involvement from us.

Funds safe. Your two keys are a complete wallet.
04 · Coercion

Someone is forcing you to move funds.

Tap Emergency Lockdown: every vault freezes for 72 hours, with early unlock gated by a further 48-hour delay and your security questions. The 7-day recovery window means nothing can be forced through quickly, and every participant on the vault is alerted.

Time is on your side. Nothing moves fast. By design.
03  ·  Getting started

Four steps to an active vault.

01 / Install

Download Coinhost.

Sign up with your email, choose a PIN, enable biometrics. Your mobile signing key is generated silently on-device the first time you open the app.

≈ 90 seconds
02 / Pair

Pair your hardware wallet.

Open the Coinhost bridge on a desktop and plug in your Trezor or Ledger. We read the public key, confirm it on-device, and register it as the second signer.

≈ 3 minutes
03 / Create

Create your vault.

Name it, choose mainnet or testnet, review the 2-of-3 descriptor and the three fingerprints, and confirm. The recovery key is added automatically from the HSM.

≈ 1 minute
04 / Use

Deposit, hold, and spend.

Fresh receive addresses on every request, coin-control by default, RBF enabled, and hardware verification required for every outgoing transaction.

ongoing
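
The descriptor review in step 03, as an added example (not Coinhost's code): a Python check that an exported descriptor is 2-of-3 P2WSH, carries the three fingerprints you recorded, and uses the BIP48 script type 2' origin. It assumes the export is a `wsh(multi(...))` or `wsh(sortedmulti(...))` descriptor with key origins; the function names, the placeholder xpub strings and the fingerprint `0badc0de` are constructed for illustration.

```python
import re

# Key expression: [fingerprint/origin path]xpub/child path
KEY_RE = re.compile(r"\[([0-9a-f]{8})((?:/\d+['h])+)\]([A-Za-z0-9]+)(?:/[^,]*)?")
DESC_RE = re.compile(r"^wsh\((?:sorted)?multi\((\d+),(.+)\)\)(?:#[a-z0-9]{8})?$")

def check_vault_descriptor(desc, expected_fps, coin_type=0):
    """Return a list of problems; an empty list means every check passed.
    The trailing #checksum is accepted but not verified here."""
    m = DESC_RE.match(desc.strip())
    if not m:
        return ["not a wsh(multi(...)) or wsh(sortedmulti(...)) descriptor"]
    threshold, body = int(m.group(1)), m.group(2)
    keys = KEY_RE.findall(body)          # (fingerprint, origin path, xpub)
    problems = []
    if len(keys) != body.count(",") + 1:
        problems.append("a key has no [fingerprint/path] origin")
    if (threshold, len(keys)) != (2, 3):
        problems.append(f"policy is {threshold}-of-{len(keys)}, not 2-of-3")
    if sorted(fp for fp, _, _ in keys) != sorted(expected_fps):
        problems.append("fingerprints differ from the ones you recorded")
    if len({xpub for _, _, xpub in keys}) != len(keys):
        problems.append("the same xpub appears more than once")
    # BIP48 origin: 48'/coin'/account'/script', where script 2' is native P2WSH
    want = re.compile(rf"^/48'/{coin_type}'/\d+'/2'$")
    for fp, path, _ in keys:
        if not want.match(path.replace("h", "'")):
            problems.append(f"{fp}: origin m{path} is not BIP48 P2WSH")
    return problems

# Constructed sample data. The xpub strings are placeholders, not real keys,
# and 0badc0de stands in for the recovery-key fingerprint the page masks.
FPS = ["a1f04c92", "8c9e3122", "0badc0de"]

def make(threshold, fps, script="2'"):
    keys = ",".join(f"[{fp}/48'/0'/0'/{script}]xpubPLACEHOLDER{i}/0/*"
                    for i, fp in enumerate(fps))
    return f"wsh(sortedmulti({threshold},{keys}))"

if __name__ == "__main__":
    print(check_vault_descriptor(make(2, FPS), FPS))                     # matches
    print(check_vault_descriptor(make(1, FPS), FPS))                     # weakened threshold
    print(check_vault_descriptor(make(2, FPS[:2] + ["deadbeef"]), FPS))  # swapped key
```

Run the same check on any later export of the descriptor, comparing against fingerprints you recorded yourself at vault creation.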
“Seed phrases were never a feature. They were the only available mitigation for a design that assumed one key, one person, one device. Coinhost is what self-custody looks like once you stop pretending those assumptions hold.”
— Coinhost, founding note
04  ·  Private beta

Request early access.

Testnet beta is open to a small group of Bitcoin holders and developers. No KYC, no payment, no commitment — we just want to know how you currently self-custody and what you want to stress-test.

Rolling invites · Testnet only · Response within 48h