GLAM IDL Reference
A searchable reference of every instruction in the GLAM Protocol family.
Global context
GLAM is a modular Solana program for tokenized vaults, external integrations, and policy enforcement. GLAM Protocol is the core program: it owns the state account, derives the vault account from the state account, records access control, stores vault-level policies, and authorizes vault-signed actions. Readers who want the underlying Solana model for deterministic program-controlled accounts can refer to the official Program Derived Addresses documentation.
GLAM Mint manages Token-2022 share mints, subscription and redemption flows, fee logic, request queues, escrows, and pricing validation for tokenized vaults. Token-2022 behavior such as extensions, transfer hooks, and default account state is documented by Solana in the official Token-2022 extensions documentation. Integration programs connect a GLAM vault to external protocols while preserving GLAM-level authorization. GLAM Config stores protocol-wide configuration, and GLAM Policies provides Token-2022 transfer-hook policy checks.
Account ownership and purpose:
This document covers 21 programs and 274 instructions. The table below summarizes the persistent accounts each program owns or controls. It intentionally describes account purpose rather than raw PDA seed arrays.
Policies and access control:
Access control has three layers that must be read together:
- The vault owner has all rights on the vault, but only for functionality enabled at the vault level (e.g., an enabled integration).
- Integrations are opt-in. A Kamino, SPL, CCTP, Bridge, Registered Positions, Loopscale, Neutral Trade, Phoenix, Jupiter Lend, Orca, or MarginFi instruction requires the corresponding integration to be enabled on the vault before it can run.
- Delegates start with no rights. Adding a delegate only registers an address; the owner must explicitly grant protocol-specific permissions before that delegate can act.
The recommended operating pattern is for the owner to be a multisig, such as Squads, with timelocks enabled for sensitive changes. Timelocks make policy, fee, integration, and access-control changes visible before they take effect. Emergency access updates are intended for narrow response actions such as disabling a compromised delegate or integration.
Policies apply even when the signer is the owner. Vault policies cover asset allowlists, borrowable assets, transfer destinations, and timelocks. Mint policies cover capacity, minimum subscription and redemption amounts, allowlists, blocklists, lockups, and fulfillment rules. Integration policies add protocol-specific restrictions such as slippage limits, market allowlists, borrow allowlists, vault allowlists, destination allowlists, etc.
Pricing atomicity:
All pricing instructions for a given pricing operation must be included in the same Solana transaction.
Splitting pricing instructions across multiple transactions is not supported and will produce incorrect or rejected NAV calculations. Pricing writes per-protocol valuation records into the GLAM state. Subscription fulfillment, redemption fulfillment, fee crystallization, and AUM validation rely on those records being fresh and internally consistent for the same operation.
Remaining-account validation:
Many GLAM instructions accept additional accounts via Anchor's remaining_accounts slot — for CPI into external programs, batch operations, or transfer-hook extra metas. These extras are not constrained by Anchor's account-struct macros, so GLAM enforces them inside the instruction: the only vault-controlled accounts the instruction can touch are the ones it is meant to act on.
For example, jupiter_swap and jupiter_swap_v2 reject any vault token accounts in remaining_accounts other than the input and output ATAs — preventing a caller from sneaking additional vault token accounts into the route and having them swapped or otherwise mutated.
This is an ongoing effort: per-instruction validation is being applied progressively across every instruction that accepts remaining accounts.
Integration programs and protocols
GLAM Protocol is the core program that owns the vault state, applies vault policies, and enforces access. Integration programsare separate Anchor programs that connect a GLAM vault to a specific external protocol — Kamino, SPL Token, CCTP, Marinade, and so on — under GLAM's authorization.
Within a single integration program, related on-chain surfaces are grouped into protocols (matching the program's SupportedProtocols enum). Each protocol corresponds to:
- An entry the vault owner can enable or disable on the integration ACL — gating the entire protocol on or off.
- A delegate-permission set the owner can grant to a specific delegate, scoped to that protocol only.
- An optional protocol policy (allowlists, limits) that gates what arguments the integration will accept.
Most integrations expose a single protocol; a few — Kamino (Lending / Vaults / Farms), Stake Pool (StakePool / Sanctum / SanctumMulti), and GLAM Protocol itself (System / Stake / Jupiter Swap) — span several. The sidebar groups instructions by protocol when a program declares more than one. The program's overview page lists the protocols and what each one covers.
Big Seven account pattern
Most integration instructions share a standard account pattern before the destination protocol's own accounts appear. This common prefix gives GLAM enough information to authorize the action, prove the vault authority, and invoke the external program. The destination-program accounts that follow then mirror that protocol's instruction requirements one-for-one; GLAM validates the accounts it needs, adds any policy-specific data or checks, and forwards the external protocol accounts through CPI.
| # | Account | Purpose |
|---|---|---|
| 1 | State | GLAM state account owned by the core protocol program. It records owner, enabled integrations, delegate permissions, policies, assets, borrowable assets, timelocks, mint linkage, and pricing records. |
| 2 | Vault | Vault PDA controlled by the core protocol program and derived conceptually from the state account. It acts as the vault authority for SOL, token accounts, and supported registered positions. |
| 3 | Signer / FeePayer | Owner, authorized delegate, manager, or transaction fee payer. Delegates must hold the exact permission required by the instruction. |
| 4 | Integration Authority PDA | PDA controlled by the integration program for integration-level signing and authorization flows. |
| 5 | Destination Program | External program being invoked, such as Kamino, SPL Token, Circle CCTP, LayerZero, Loopscale, Neutral Trade, Phoenix, Jupiter Lend, Orca, or MarginFi. |
| 6 | GLAM Core Protocol Program | Core program used by the integration to authorize vault-signed CPI and update GLAM state where required. |
| 7 | System Program | Solana System Program, required for account creation, SOL movement, rent handling, or PDA-related flows. |