Payment Settlement Flow

Day 1 · Smart Contract + Backend Integration · 60 min

The actual Gnosis Pay architecture — how it works:

Each user's account is a Safe smart contract wallet deployed on Gnosis Chain. The user's EOA (externally owned account) is the sole owner. Two critical modules are attached:

Roles Module: Governs what Gnosis Pay can do with the Safe. Defines:

  • Which token can be spent (EURe — Monerium's euro stablecoin)
  • Approved recipient address (the issuer's settlement Safe only)
  • Daily spending limit (user-configurable, max €8,000)
  • Gnosis Pay is delegated the role — but strictly within these constraints

Delay Module: Adds a 3-minute delay to all non-card outgoing transactions. During this delay, the card is paused. This prevents double-spending: a user can't tap their card and simultaneously drain their Safe. Transactions queue sequentially and expire after 30 minutes if unexecuted.

The actual payment flow:

User taps Visa card at merchant
→ Visa sends authorization request to Gnosis Pay
→ Backend verifies: cardholder identity, EURe balance in Safe (on-chain real-time check), transaction queue is empty, daily limit compliance
→ Backend responds YES/NO to Visa (must reply in < 2 seconds)
→ If approved: Roles Module triggers EURe transfer from user's Safe → Issuer's Safe
→ 3-minute Delay Module pauses card during pending non-card txs
→ Issuer collects EURe, converts to EUR via Monerium IBAN
→ Issuer settles with Visa by sending EUR to Visa's bank account
→ Reconciliation confirms match

Gasless UX via Gelato Relay: Users never need xDAI for gas. Safe creation and all payment transactions are executed gaslessly through Gelato's relayer infrastructure. When a card swipe triggers a settlement, Gelato Relay submits the on-chain transaction and covers gas.

On/Off-Ramp via Monerium: Users receive a personal IBAN linked to their Safe. SEPA bank transfers in → Monerium mints equivalent EURe in the Safe. EURe is legally recognized as euro, backed 102% by bank deposits/high-quality securities. Users can also off-ramp: EURe burns → EUR sent to any bank account via SEPA.

Self-Custody Guarantee: The user's EOA owns the Safe. Users can revoke Gnosis Pay's permissions at any time (disabling the card). Even if Gnosis Pay shuts down, funds remain accessible in the Safe. The Delay and Roles modules are removable by the owner.

Authentication: Users authenticate API sessions with SIWE (Sign-In With Ethereum) by signing a message with their wallet; JWT tokens provide ongoing access. Authentication is separate from on-chain ownership (auth wallets ≠ signing keys).

Balance Model (3 types):

  • total: Full EURe balance in the Safe
  • spendable: Amount available for card payments (after pending holds)
  • pending: Authorized but unsettled card transactions

Daily Limit Changes: Require EIP-712 typed data signature from the Safe owner. 3-step process: get typed data → sign with wallet → submit signature. Changes take effect after Delay Module's 3-minute window.
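
The authorization checks from the payment flow, combined with the three-part balance model, as an added sketch that is not Gnosis Pay's own code. `SafeState`, `authorize`, the field names and the reason strings are hypothetical; amounts are in euro cents, and the rule that a queued non-card transaction blocks the card until it expires is an assumption drawn from the Delay Module description.

```python
from dataclasses import dataclass, field

MAX_DAILY_LIMIT_CENTS = 8_000_00   # page: user-configurable, max EUR 8,000
QUEUE_EXPIRY_S = 30 * 60           # page: queued txs expire after 30 minutes


@dataclass
class SafeState:
    """Hypothetical snapshot of one user's Safe as the backend sees it."""
    total_cents: int        # full EURe balance in the Safe
    pending_cents: int      # authorized but unsettled card holds
    daily_limit_cents: int  # limit configured in the Roles Module
    spent_today_cents: int  # card spend already counted today
    queued_at: list = field(default_factory=list)  # enqueue times (s) of non-card txs

    @property
    def spendable_cents(self) -> int:
        # spendable = total minus pending holds, never negative
        return max(self.total_cents - self.pending_cents, 0)


def authorize(state: SafeState, amount_cents: int, now: float) -> tuple[bool, str]:
    """Return (approved, reason) for one card authorization request."""
    if amount_cents <= 0:
        return False, "invalid_amount"
    # Never trust a configured limit above the hard cap.
    limit = min(state.daily_limit_cents, MAX_DAILY_LIMIT_CENTS)
    # Assumption: a queued non-card tx blocks the card until it expires.
    live = [t for t in state.queued_at if now - t < QUEUE_EXPIRY_S]
    if live:
        return False, "delay_queue_not_empty"
    # Check against spendable, not total, so earlier holds cannot be reused.
    if amount_cents > state.spendable_cents:
        return False, "insufficient_spendable"
    if state.spent_today_cents + amount_cents > limit:
        return False, "daily_limit_exceeded"
    # Approval places a hold: pending grows, spendable shrinks, total is unchanged.
    state.pending_cents += amount_cents
    state.spent_today_cents += amount_cents
    return True, "approved"
```

Checking against `spendable` rather than `total` is what stops two back-to-back taps from both being approved against the same EURe before the first one settles.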

Key Points

  • Each user account is a Safe smart contract on Gnosis Chain with Roles + Delay modules
  • Roles Module limits Gnosis Pay to: specific token (EURe), specific recipient (issuer Safe), daily cap
  • 3-minute Delay Module prevents double-spending by pausing card during non-card txs
  • Gelato Relay provides gasless UX — users never need xDAI
  • Monerium EURe is the stablecoin — legally recognized euro with IBAN on/off-ramp
  • Settlement: user Safe → issuer Safe (on-chain) → Visa (off-chain via Monerium IBAN)
  • SIWE for auth, EIP-712 for on-chain operations like limit changes
