Sui

harry phan
Jul 28, 2025
Expert Q&A

When I create the SealClient, do I provide all three KeyServer object IDs or only 2?

Suppose I want 2-out-of-3 threshold encryption. When I create the SealClient, do I provide all three KeyServer object IDs or only 2?

import { getFullnodeUrl, SuiClient } from '@mysten/sui/client';
import { fromHEX } from '@mysten/sui/utils';
import { SealClient } from '@mysten/seal';

// keyServerIds, packageId, id and data are defined by the caller
const suiClient = new SuiClient({ url: getFullnodeUrl('testnet') });
const client = new SealClient({
    suiClient,
    serverObjectIds: keyServerIds,  // KeyServer object IDs
    verifyKeyServers: false,
});
const { encryptedObject: encryptedBytes, key: backupKey } = await client.encrypt({
    threshold: 2,                    // number of key shares needed to decrypt
    packageId: fromHEX(packageId),
    id: fromHEX(id),
    data,
});

ref: https://github.com/MystenLabs/seal/blob/main/UsingSeal.md


Answers

8
0xduckmove
Jul 31 2025, 09:52

You must provide all three KeyServer object IDs, even if you're using a 2-out-of-3 threshold.

The threshold parameter (threshold: 2) defines how many key shares are required to decrypt, but all participating KeyServers must be listed during encryption. This allows the SealClient to properly coordinate with all servers involved in key generation and encryption, even if only a subset will be needed to decrypt later.

So, your keyServerIds array should include all 3 server object IDs. Internally, the system ensures only the threshold number of shares are used or required when decrypting.

Provide all 3 KeyServer IDs in serverObjectIds.

Set threshold: 2 to require any 2 of them to decrypt.

This ensures full fault tolerance and proper multi-party encryption setup.

3
Best Answer
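Added illustration (not part of this thread and not the Seal SDK's own code): the accepted answer's point, that a share is generated for every listed server while only `threshold` of them are needed to decrypt, is the standard t-out-of-n secret-sharing property. The plain Shamir construction below over a prime field makes it concrete: `splitSecret` produces one share per listed server, `reconstruct` recovers the secret from any `threshold` of them, and `demo` contrasts listing three servers with threshold 2 against listing only two. The field prime, the fixed polynomial coefficient and the secret value are constructed for the demo; how Seal itself derives and protects its per-server shares is not reproduced here.

```javascript
// Added example, not from the original thread or the Seal SDK. Shows the
// threshold logic behind a t-out-of-n setup using textbook Shamir secret
// sharing over a prime field: one share per listed server at split time,
// any `threshold` shares reconstruct, and unlisted servers hold nothing.

const P = 2n ** 127n - 1n; // prime field modulus (a Mersenne prime), chosen for the demo

function mod(a) {
  return ((a % P) + P) % P;
}

// Modular exponentiation; used for inverses via Fermat's little theorem.
function modPow(base, exp) {
  let result = 1n;
  let b = mod(base);
  let e = exp;
  while (e > 0n) {
    if (e & 1n) result = mod(result * b);
    b = mod(b * b);
    e >>= 1n;
  }
  return result;
}

function modInv(a) {
  return modPow(a, P - 2n);
}

// Split `secret` into `numShares` shares, any `threshold` of which reconstruct it.
// `coeffs` are the polynomial's non-constant coefficients; a real deployment
// draws them from a CSPRNG, the demo passes fixed values so the run is reproducible.
function splitSecret(secret, threshold, numShares, coeffs) {
  if (threshold > numShares) throw new Error('threshold cannot exceed the number of listed servers');
  if (coeffs.length < threshold - 1) throw new Error('need threshold-1 coefficients');
  const poly = [mod(secret), ...coeffs.slice(0, threshold - 1).map(mod)];
  const shares = [];
  for (let i = 1; i <= numShares; i++) {
    const x = BigInt(i);
    let y = 0n;
    let xPow = 1n;
    for (const c of poly) {
      y = mod(y + c * xPow);
      xPow = mod(xPow * x);
    }
    shares.push({ server: `server-${i}`, x, y }); // share i belongs to the i-th listed server
  }
  return shares;
}

// Lagrange interpolation at x = 0 over whichever shares are available.
function reconstruct(shares) {
  let secret = 0n;
  for (const { x: xi, y: yi } of shares) {
    let num = 1n;
    let den = 1n;
    for (const { x: xj } of shares) {
      if (xj === xi) continue;
      num = mod(num * -xj);
      den = mod(den * (xi - xj));
    }
    secret = mod(secret + yi * num * modInv(den));
  }
  return secret;
}

// Demo: threshold 2 with all three servers listed vs. only two listed.
function demo() {
  const secret = 123456789n;   // stands in for the content key; constructed value
  const coeffs = [987654321n]; // fixed for reproducibility; use a CSPRNG in practice

  const threeListed = splitSecret(secret, 2, 3, coeffs);
  const withoutServer3 = reconstruct(threeListed.slice(0, 2));
  const withoutServer1 = reconstruct(threeListed.slice(1, 3));
  const oneShareOnly = reconstruct(threeListed.slice(0, 1));

  const twoListed = splitSecret(secret, 2, 2, coeffs);
  const twoListedOneDown = reconstruct(twoListed.slice(0, 1));

  return {
    sharesWhenThreeListed: threeListed.length,   // 3
    anyTwoRecover: withoutServer3 === secret && withoutServer1 === secret, // true
    oneShareRecovers: oneShareOnly === secret,   // false
    sharesWhenTwoListed: twoListed.length,       // 2
    twoListedSurvivesOneOutage: twoListedOneDown === secret, // false
  };
}

console.log(demo());
```

Running it with node shows that any two of the three listed servers recover the secret, that a single share reveals nothing useful, and that a two-server listing with threshold 2 is really 2-of-2: one server outage and the secret is unrecoverable. That lost fault tolerance is the practical cost of omitting the third KeyServer ID.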

Thorfin
Jul 31 2025, 12:29

In the case of a 2-out-of-3 threshold encryption setup, you only need to provide two of the three KeyServer object IDs when you create the SealClient.

The purpose of the threshold setting (which is 2 in this case) is to specify how many of the KeyServer objects must agree on the encryption or decryption process. For a 2-out-of-3 threshold, you are essentially saying that any two of the three servers can participate in the decryption process, and you don't need to specify all three when creating the SealClient. The SealClient will handle the threshold logic internally, using the two provided KeyServer object IDs.

Example Code

const suiClient = new SuiClient({ url: getFullnodeUrl('testnet') });
const client = new SealClient({
    suiClient,
    serverObjectIds: keyServerIds,  // Only provide two server object IDs here
    verifyKeyServers: false,
});
const { encryptedObject: encryptedBytes, key: backupKey } = await client.encrypt({
    threshold: 2,  // 2-out-of-3 threshold
    packageId: fromHEX(packageId),
    id: fromHEX(id),
    data,
});

Explanation:

  • serverObjectIds: This is where you provide the list of the KeyServer object IDs. For a 2-out-of-3 threshold, you only need to provide the two KeyServer IDs you intend to use for encryption/decryption.
  • threshold: 2: This specifies that you need 2 out of 3 servers to participate in encryption/decryption.

In summary, the SealClient only requires two KeyServer object IDs to implement 2-out-of-3 threshold encryption. The third KeyServer is not necessary for the encryption process but would be used in the decryption process if needed, following the threshold logic.

8

Benjamin XDV
Jul 30 2025, 09:48

For a 2-out-of-3 threshold encryption setup with SealClient, you should provide all three KeyServer object IDs in the serverObjectIds array when initializing the client. The threshold parameter (set to 2 in your example) determines how many key shares are required for decryption, while the server IDs represent all available key servers in the network. The SealClient will automatically handle distributing shares across all three servers while enforcing that any 2 can reconstruct the key. This design ensures redundancy while maintaining security through the threshold mechanism. The actual threshold value is only used during encryption/decryption operations, not during client initialization.

6

Evgeniy CRYPTOCOIN
Jul 30 2025, 08:29

For 2-out-of-3 threshold encryption, provide all 3 KeyServer object IDs when creating SealClient. The threshold: 2 parameter ensures only 2 servers are needed to decrypt.

Why?

  • serverObjectIds expects the full set of KeyServers (3 in this case).
  • The threshold value (2) determines how many must cooperate for decryption.

Example:

const client = new SealClient({
    suiClient,
    serverObjectIds: [id1, id2, id3], // All 3 KeyServer IDs
    verifyKeyServers: false,
});

(The threshold is enforced during decryption, not client setup.)

3

SuiLover
Jul 28 2025, 03:11

You must provide all three KeyServer object IDs, even if you're using a 2-out-of-3 threshold.

The threshold parameter (threshold: 2) defines how many key shares are required to decrypt, but all participating KeyServers must be listed during encryption. This allows the SealClient to properly coordinate with all servers involved in key generation and encryption, even if only a subset will be needed to decrypt later.

So, your keyServerIds array should include all 3 server object IDs. Internally, the system ensures only the threshold number of shares are used or required when decrypting.

Provide all 3 KeyServer IDs in serverObjectIds.

Set threshold: 2 to require any 2 of them to decrypt.

This ensures full fault tolerance and proper multi-party encryption setup.

2

theking
Jul 30 2025, 09:59

You must provide all three KeyServer object IDs when creating the SealClient, even if your threshold is only 2-out-of-3.

Explanation:

The SealClient constructor needs the full list of participating KeyServer object IDs so that it can properly coordinate threshold encryption and ensure all participants are recognized during key generation and decryption.

Your example is correct:

const client = new SealClient({
    suiClient,
    serverObjectIds: keyServerIds, // ✅ All 3 server object IDs go here
    verifyKeyServers: false,       // optional
});

Then, when calling encrypt, you specify:

const { encryptedObject, key } = await client.encrypt({
    threshold: 2,                 // ✅ Only 2 servers required to decrypt
    packageId: fromHEX(packageId),
    id: fromHEX(id),
    data,
});

This setup allows:

  • The system to generate shares across all 3 servers
  • But only 2 shares are required to decrypt (threshold: 2)

Reference:

As per Seal’s official docs, the serverObjectIds must include all servers participating in the scheme, regardless of threshold.

2