A coffee, a vault, an irreversible end, and a refund only Maya can authorize
A concrete commercial transaction in six stages: token-release decryption, vault storage, per-tier retention destruction, and a refund requiring structural first-party participation. Plaintext never traverses the network at any stage.
Reference implementation: cinematiccard.com · US Provisional 64/056,353, filed May 4 2026 · Counsel review: → counsel version
Plaintext never moves over the wire. Ciphertext and tokens move. Decryption happens at endpoints.
Stage 01 of 06
Maya buys a $4.50 coffee
Her phone holds a persistent API key. From it, the device derives a tokenized decryption key scoped to this one transaction. Neither the key nor plaintext leave the device.
Consumer · Maya's device
Phone
api_key_maya
never leaves device
↓ derives per-tx token
tx_token_a3f2
valid this transaction only
encrypted envelope · tx_a3f2
Merchant · Cafe Reverie
Receives ciphertext
holds encrypted bytes
no decryption token
cannot read envelope
What travels over the wire is ciphertext only. The cafe receives an encrypted envelope. They hold no decryption material at this stage. The on-device key that derived the transaction token never leaves Maya's phone.
on-deviceapi_key_maya is the persistent root key from which all per-transaction tokens are derived. No party — not the cafe, the registry, or the vault — ever holds or sees this key.
Stage 02 of 06
Envelope created, tokenized key stored in vault
The encrypted envelope is bound to a tokenized decryption key. Both are stored in the vault. The merchant holds neither. All 18 tier slots are structurally present; three are active.
The envelope contains all 18 ABT-C tier categories. Three are active: operational_consumer, operational_merchant, taxation. Fifteen are placeholder slots — architectural reservations for tier authorities not yet onboarded to the registry.
The tokenized key controls access. The vault holds it but releases tier-specific slices only upon authorization from Maya's device. The merchant cannot request or hold the full token — only the slice their tier is authorized to receive.
Stage 03 of 06
Merchant requests, Maya's device releases, decryption at endpoint
The cafe requests the merchant-tier token slice. The vault forwards the request to Maya's device. Maya's device verifies and releases a scoped slice. The cafe decrypts at its own endpoint — never on the wire.
Merchant · Cafe Reverie
Token request
"release merchant-tier
slice for tx_a3f2"
token request
Vault
Forwards request
requires Maya's device
to authorize
authorize?
Consumer · Maya's device
Authorizes
verifies merchant
releases merchant-tier
token slice only
Merchant · decryption result
At cafe's endpoint
$4.50 · oat latte · pickup
consumer identity layer: sealed
taxation layer: sealed
15 placeholders: sealed
Plaintext appears only at the merchant's endpoint, only for the tier Maya authorized, only for the duration of that authorization. The cafe receives what they need to complete the transaction. The consumer identity and taxation layers are sealed — they are structurally inaccessible to the cafe.
Stage 04 of 06
Retention expires — consumer identity destroyed
After 30 days, the consumer identity tier's decryption pathway is irreversibly destroyed. The destruction is structural: the decryption material is gone, not archived. The transaction record and non-identity tiers remain accessible to their respective authorities.
refund_pathwayrequires Maya's device to reconstruct
The consumer identifying information is structurally gone. The cafe cannot retrieve Maya's identity — not by request, not by any unilateral action. The decryption material for that tier was destroyed at retention expiration. This is not a policy assertion; the cryptographic capability no longer exists.
What remains: the merchant retains amount, item, and jurisdiction for their own records. The taxation authority — registered in the registry — retains access to the taxation tier: $4.50, taxable food, jurisdiction, merchant identity. They never held Maya's identity, and after retention expiration, no party can recover it.
Stage 05 of 06
Maya requests a refund 45 days later
The PII layer is destroyed. The only path to reconstruct the transaction binding runs through Maya's device — to the registry for signature verification, then to the merchant. The merchant alone cannot initiate this.
Consumer · Maya's device
Issues refund request
"refund tx_a3f2"
signed: api_key_maya
signed refund request
Registry
Verifies & routes
verifies Ed25519 sig
routes to merchant
holds no decryption material
verified refund request
Merchant · Cafe Reverie
Awaiting token
PII layer: destroyed
cannot process alone
awaits fresh token
The merchant cannot process this refund unilaterally. The consumer identity tier is structurally inaccessible — the decryption pathway was destroyed at day 30. Without a fresh token from Maya's device, there is no way to bind the refund claim to the original buyer.
The registry's role in this stage is routing and signature verification, not authorization. The registry cannot release decryption material. It verifies that the request carries Maya's signature and forwards it to the correct merchant endpoint.
Stage 06 of 06
Maya's device releases a fresh token — refund completes
A new tokenized decryption key, derived freshly from the on-device root key, restores the consumer identity layer for the duration of the refund. After the refund completes, the new retention window closes and the layer returns to destroyed state.
Consumer · Maya's device
Issues refund token
api_key_maya
↓ derives
tx_token_a3f2_refund
scoped: refund only
refund token
Vault
Reconstructs consumer tier
re-encrypts consumer layer
with refund-scoped token
retention: 7 days
re-enabled envelope
Merchant · Cafe Reverie
Processes refund
refund $4.50 → Maya
consumer tier: readable
brief window, refund only
Restoration is structurally tied to Maya's device. The cafe cannot initiate this. The registry cannot initiate this. The on-device root key is the only material in existence from which a valid refund token can be derived. No third party — not a payment processor, not an accountant, not a court order applied to the merchant or vault — can reconstruct the binding.
After the refund completes, the 7-day refund retention window closes. The refund-scoped token is destroyed. The consumer identity layer returns to destroyed state. The taxation tier and merchant record now include the refund event, which appears in subsequent taxation authority audits as a verified legitimate refund.