django-polaris
Does SEP-24 allow deposits and withdraws to & from unauthenticated accounts?
I generated a SEP-10 token using an account (not muxed), and then used that SEP-10 token in a SEP-24 deposit call with another account value. It successfully gave me an interactive URL response.
Is this an expected behavior? Shouldn't SEP-24 only allow depositing to the same account authenticated in SEP-10?
Polaris v2.2.0
Hi @yuriescl, this is the expected behavior. It supports the case where the user's funds are held by an account that cannot be used to authenticate via SEP-10.
For example, if a custodial wallet uses Circle or Fireblocks to custody their users' funds, the wallet cannot use the account held by the custody service in SEP-10 because the wallet doesn't have access to the secret key.
In this case, the wallet needs to use a different keypair that they do have access to in SEP-10. This other keypair doesn't need to be funded on the network. However, the actual source of funds will still be the account held by the custody service.
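Added example, not part of the thread and not Polaris code: one way an anchor could keep the SEP-10 identity and the SEP-24 `account` value apart, so that a request is always tied to the key that authenticated while the funds account is recorded separately. The function names, the `allow_third_party` switch and the account IDs are hypothetical, and the sketch assumes the JWT signature was already verified upstream.

```python
import base64
import json

def jwt_claims(token):
    """Decode JWT claims. Assumes the signature was already verified upstream."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def classify_deposit(claims, requested_account, allow_third_party=True):
    """Compare the SEP-10 identity with the SEP-24 `account` parameter.

    SEP-10 puts the authenticated identity in `sub`, either as an account
    address or as 'account:memo'. Addresses are compared as plain strings,
    so a muxed address and its base account count as different here.
    """
    auth_account, _, memo = claims["sub"].partition(":")
    # Assumption: an omitted `account` means the authenticated account.
    funds_account = requested_account or auth_account
    third_party = funds_account != auth_account
    decision = "reject" if third_party and not allow_third_party else "allow"
    return {
        "decision": decision,
        "owner": auth_account,           # who authenticated: key for KYC and status lookups
        "owner_memo": memo or None,
        "funds_account": funds_account,  # where the funds are held
        "third_party": third_party,      # worth logging for audit
    }

def sample_token(sub):
    """Build an unsigned, constructed token for this demo only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"sub": sub}), ""])

# Constructed placeholder IDs, not real Stellar accounts.
AUTH_KEY = "G" + "A" * 55
CUSTODY_ACCOUNT = "G" + "C" * 55

if __name__ == "__main__":
    claims = jwt_claims(sample_token(AUTH_KEY + ":1234"))
    for account in (None, AUTH_KEY, CUSTODY_ACCOUNT):
        print(classify_deposit(claims, account))
    print(classify_deposit(claims, CUSTODY_ACCOUNT, allow_third_party=False))
```

With `allow_third_party=True` this matches the behavior described in the answer; setting it to `False` is the stricter policy the question asks about.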