Payout Policy
Available via: Dashboard only
Payout Policy lets you require N out of M approvals from designated team members before a withdrawal can leave your Inflow balance. It is the dashboard equivalent of a multi-sig wallet.
Why You Want This
- Prevents a single compromised account from draining your balance.
- Meets internal controls and audit requirements for treasury operations.
- Forces high-value payouts through a deliberate review by trusted members.
Concepts
| Concept | Description |
|---|---|
| Signers | Members allowed to approve withdrawals. Must be Owner or Admin — Member, Finance, and Viewer cannot be signers. |
| Required approvals | How many distinct signers must approve before a pending withdrawal can be executed. 0 disables the policy entirely. The maximum is the number of signers you configure. |
| Cooldown on new destinations | When you add a new bank or wallet destination, Inflow enforces a configurable delay (in seconds) before that destination can be paid out — allowPayoutToNewBankAfterTimeDuration and allowPayoutToNewWalletAfterTimeDuration. Prevents add-and-drain attacks where an attacker who steals a session immediately adds their own destination and withdraws to it. |
| Security lock | A timed kill-switch applied automatically when the policy is weakened (a signer is removed or demoted below Admin, or required-approvals is reduced). All payouts from your account are blocked until the lock expires — see below. |
The 48-Hour Security Lock
When the policy gets weaker, Inflow sets payoutSecurityLockUntil = now + 48h on your account. While the lock is active:
- All withdrawals are blocked, including those that already had enough approvals before the change.
- Adding new bank or wallet destinations still works, but their cooldown still applies on top of the lock.
- The lock is extended (not reset) if a second weakening event happens before the first lock expires.
The lock gives the Owner 48 hours to react in case the policy change was malicious — long enough to notice an unusual change, lock the account, rotate API keys, and revoke compromised members.
The lock is cleared automatically when its expiry is reached. There is no "force unlock" — even the Owner has to wait for the timer.
Configuring the Policy
- Go to Settings → Payout Policy.
- Pick the Signers from your member list (Owner / Admin only).
- Set the Required approvals count (between
0and the number of signers). - Optionally adjust the cooldown durations for new bank and wallet destinations.
- Click Save.
Only Owner can change the policy. Saving the change is gated by your standard login session; the dashboard does not currently re-prompt for a TOTP code on policy save, so treat your Owner password and session as security-critical.
How a Withdrawal Flows With the Policy
- An Admin or Owner requests a withdrawal from Balance → Payout.
- If
requiredApprovals > 0, Inflow records the withdrawal as Pending Approval instead of executing it. - Each configured signer receives a notification.
- Signers open the withdrawal detail page and approve with a fresh TOTP code (step-up).
- Once the required number of approvals is reached, any Admin or Owner can execute the withdrawal — also with TOTP step-up.
If you remove a signer or lower the threshold, in-flight withdrawals stay in their current state (already-collected approvals are kept) but the 48-hour security lock kicks in and prevents anyone from executing them until the lock expires.
Edge Cases
- Owner is also a signer: their approval counts as one approval, exactly like an Admin signer. They cannot solo-approve a withdrawal that requires
>= 2approvals. - Removing a member who is a signer (or demoting them below Admin): Inflow automatically removes them from the signer list, clamps
requiredApprovalsdown to the remaining signer count, and applies the 48h security lock. - Policy disabled (
requiredApprovals: 0): any Admin or Owner can execute payouts directly with TOTP step-up — no approval queue. - Lowering required approvals while the policy stays enabled: also triggers the 48h security lock, since this is treated as a weakening event.
Related
- Adding a Bank Account or Crypto Wallet — payout destinations and cooldown.
- Two-Factor & Security — TOTP setup and step-up rules.
- Team & Members — assigning Admin / Owner roles to potential signers.
Updated 2 days ago