Control Keys are what the user actually signs with in daily life.

• Device-bound or app-bound keys

• Can be rotated or revoked without destroying the identity

• Included in the State Commitment:

  state_commitment = H(
    identity_root,
    control_key,
    recovery_key,
    attributes_root,
    policies_root
  )
  
  

• Different control keys may have different scopes:

  • “phone key” – day-to-day approvals
  • “browser key” – web-only actions
  • “session keys” – short-lived ephemeral keys

These give you usability without risking the master key.