search
Ctrlk
githubEdit

User Wallet Data Format

Ty Everett ([email protected])

hashtag
Abstract

This specification defines a canonical, complete, portable file format for exporting Wallet Toolbox data for a single user as one blob.

The format is intended to support:

  • strong user data portability

  • GDPR and similar access/export requirements

  • wallet import and export

  • storage-provider migration

  • backup, archival, and forensic recovery

This specification is based on the Wallet Toolbox storage implementation. It defines a canonical plaintext payload format for a single-user export. Encryption and protected transport are out of scope for this document and belong in a separate extension.

hashtag
Motivation

Wallet data portability is only meaningful if the exported artifact is complete, stable, and implementation-neutral.

Exporting only high-level balances or transaction lists is insufficient. A serious wallet export must preserve:

  • all user-owned records

  • all user-linked proof and broadcast state

  • deleted/tombstoned rows

  • wallet-local metadata needed to reconstruct labels, baskets, certificates, sync state, and action history

Wallet Toolbox already has a rich schema that captures this information, but it does not yet define a canonical single-file export format. This specification fills that gap.

hashtag
Specification

hashtag
1. Scope

This specification defines the canonical plaintext payload for exporting all Wallet Toolbox data for one user.

It does not define:

  • encryption of the export blob

  • compression of the export blob

  • transport protocols for moving the blob

  • multi-user export containers

  • chain-wide or storage-global operational logs unrelated to one user

  • root-key, profile, or encrypted snapshot material that is not part of the Wallet Toolbox storage schema

hashtag
2. Conformance

An implementation conforms to BRC-38 if it can:

  1. export a single user's Wallet Toolbox data into the canonical format defined here

  2. parse a BRC-38 blob and reconstruct the exported dataset semantics

  3. preserve all included row values, relationships, tombstones, and binary payloads without loss

hashtag
3. Canonical File Form

The canonical BRC-38 artifact is a UTF-8 JSON document serialized according to RFC 8785 JSON Canonicalization Scheme (JCS).

The canonical unencrypted file extension SHOULD be:

  • .brc38.json

If a deployment wraps, compresses, or encrypts the document, the canonical BRC-38 payload remains the inner JSON document defined here.

hashtag
4. Top-Level Document

The canonical top-level object MUST have the following shape:

Top-level requirements:

  • brc MUST equal 38.

  • title MUST equal User Wallet Data Format.

  • formatVersion MUST equal 1 for this version of the format.

  • exportedAt MUST be the UTC timestamp at which the export payload was finalized.

  • sourceStorage MUST contain the exported storage's current settings row in portable form.

  • user MUST contain exactly one exported user row in portable form.

  • tables MUST contain every array listed above, even if empty.

hashtag
5. Canonical Value Encoding

hashtag
5.1 Timestamps

All timestamp values MUST be exported as strings in UTC using the exact form:

  • YYYY-MM-DDTHH:MM:SS.sssZ

Offsets other than Z MUST NOT be used.

hashtag
5.2 Binary Data

Fields stored in Wallet Toolbox as number[] byte arrays MUST be exported as standard RFC 4648 base64 strings with padding.

No whitespace is permitted in base64 values.

The following fields are binary:

  • TableCommission.lockingScript

  • TableOutput.lockingScript

  • TableProvenTx.merklePath

  • TableProvenTx.rawTx

  • TableProvenTxReq.rawTx

  • TableProvenTxReq.inputBEEF

  • TableTransaction.inputBEEF

  • TableTransaction.rawTx

hashtag
5.3 Structured JSON-in-String Fields

The Wallet Toolbox schema stores some structured values as JSON strings. In BRC-38 these MUST be exported as decoded JSON values, not as embedded JSON strings.

The affected fields are:

  • TableProvenTxReq.history

  • TableProvenTxReq.notify

  • TableSyncState.syncMap

  • TableSyncState.errorLocal

  • TableSyncState.errorOther

Their portable BRC-38 forms are:

  • history: object

  • notify: object

  • syncMap: object

  • errorLocal: object or omitted

  • errorOther: object or omitted

hashtag
5.4 Optional Fields

If a field is absent or undefined in the source dataset, it MUST be omitted from the exported JSON rather than emitted as null.

hashtag
6. Export Closure

The exported dataset for a user is the following closure over the Wallet Toolbox schema.

hashtag
6.1 Required Singletons

The export MUST include:

  • exactly one user row for the requested user identity

  • exactly one sourceStorage object derived from the exporting storage's settings row

hashtag
6.2 User-Owned Tables

The export MUST include every row from the following tables where userId equals the exported user's userId:

  • output_baskets

  • transactions

  • commissions

  • outputs

  • output_tags

  • tx_labels

  • certificates

  • certificate_fields

  • sync_states

hashtag
6.3 User-Linked Map Tables

The export MUST include:

  • every tx_labels_map row whose txLabelId references an exported tx_labels row

  • every output_tags_map row whose outputTagId references an exported output_tags row

An exporter SHOULD additionally verify that:

  • every exported tx_labels_map.transactionId references an exported transaction

  • every exported output_tags_map.outputId references an exported output

hashtag
6.4 User-Linked Proof Tables

The export MUST include:

  • every proven_tx_reqs row whose txid matches the txid of an exported transaction

  • every proven_txs row whose provenTxId is referenced by:

    • an exported transaction, or

    • an exported proven_tx_reqs row

hashtag
6.5 Excluded Storage-Global Tables

The export MUST NOT include storage-global tables that are not scoped to a single user.

In the Wallet Toolbox implementation this means:

  • monitor_events MUST NOT be included

hashtag
7. Portable Row Forms

The BRC-38 portable row forms are defined below.

hashtag
7.1 User

hashtag
7.2 Proven Transaction

hashtag
7.3 Proven Transaction Request

history MUST conform to:

notify MUST conform to:

hashtag
7.4 Output Basket

hashtag
7.5 Transaction

hashtag
7.6 Commission

hashtag
7.7 Output

hashtag
7.8 Output Tag

hashtag
7.9 Output Tag Map

hashtag
7.10 Transaction Label

hashtag
7.11 Transaction Label Map

hashtag
7.12 Certificate

hashtag
7.13 Certificate Field

hashtag
7.14 Sync State

Each sync error object MUST conform to:

hashtag
8. Array Ordering

For canonical serialization, the arrays inside tables MUST be sorted ascending as follows:

  • provenTxs by provenTxId

  • provenTxReqs by provenTxReqId

  • outputBaskets by basketId

  • transactions by transactionId

  • commissions by commissionId

  • outputs by outputId

  • outputTags by outputTagId

  • outputTagMaps by outputId, then outputTagId

  • txLabels by txLabelId

  • txLabelMaps by transactionId, then txLabelId

  • certificates by certificateId

  • certificateFields by certificateId, then fieldName

  • syncStates by syncStateId

hashtag
9. Relationship Integrity

An exporter MUST ensure that every foreign-key-like reference inside the payload resolves within the exported document, except where the source schema intentionally stores an optional unresolved reference.

At minimum:

  • every exported transaction.userId MUST equal user.userId

  • every exported output.userId MUST equal user.userId

  • every exported output.transactionId MUST reference an exported transaction

  • every exported commission.transactionId MUST reference an exported transaction

  • every exported txLabelMap.txLabelId MUST reference an exported transaction label

  • every exported txLabelMap.transactionId MUST reference an exported transaction

  • every exported outputTagMap.outputTagId MUST reference an exported output tag

  • every exported outputTagMap.outputId MUST reference an exported output

  • every exported certificateField.certificateId MUST reference an exported certificate

If user.activeStorage does not equal sourceStorage.storageIdentityKey, the exporter MUST still preserve the exact user.activeStorage value.

hashtag
10. Import Semantics

BRC-38 defines the portable payload, not a mandatory database insertion strategy.

Importers:

  • MUST preserve row values and relationships semantically

  • MAY preserve numeric primary IDs exactly

  • MAY remap numeric primary IDs during import, provided every internal reference is updated consistently

  • MUST preserve tombstones such as isDeleted

  • MUST preserve status fields exactly

Importers MAY treat the following as operationally sensitive and choose whether to activate them immediately after import:

  • user.activeStorage

  • syncStates

However, a conforming importer MUST still parse and preserve those values in the imported dataset.

hashtag
11. Privacy and Security

BRC-38 exports are intentionally complete and sensitive.

A BRC-38 blob may contain:

  • raw transactions

  • merkle proofs

  • wallet labeling and description data

  • certificate contents

  • encrypted field material and derivation metadata

  • sync history and storage topology hints

Implementations MUST treat BRC-38 blobs as highly sensitive user data.

hashtag
12. Implementation Notes

This specification is based on the Wallet Toolbox schema:

  • users

  • proven_txs

  • proven_tx_reqs

  • output_baskets

  • transactions

  • commissions

  • outputs

  • output_tags

  • output_tags_map

  • tx_labels

  • tx_labels_map

  • certificates

  • certificate_fields

  • sync_states

  • storage settings as export metadata

The storage-global monitor_events table is intentionally excluded because it is not scoped to a single user.

hashtag
References

PreviousBasket and Custom Instructions Extension for Bitcoin OutpointsNextUser Wallet Data Format Encryption Extension

Last updated

Was this helpful?