diff --git a/shared/protos/identity_client.proto b/shared/protos/identity_client.proto
--- a/shared/protos/identity_client.proto
+++ b/shared/protos/identity_client.proto
@@ -33,6 +33,22 @@
 // Called by clients to get a nonce for a Sign-In with Ethereum message
 rpc GenerateNonce(Empty) returns (GenerateNonceResponse) {}
+
+ // X3DH actions
+
+ // Called by clients to get all device keys associated with a user in order
+ // to open a new channel of communication on any of their devices
+ rpc GetDeviceKeysForUser(DeviceKeysForUserRequest) returns
+ (DeviceKeysForUserResponse) {}
+ // Called by clients to get required keys for opening a connection
+ // to a keyserver
+ rpc GetKeyserverKeys(KeyserverKeysRequest) returns
+ (KeyserverKeysResponse) {}
+ // Replenish one-time preKeys
+ rpc UploadOneTimeKeys(UploadOneTimeKeysRequest) returns (Empty) {}
+ // Rotate a devices preKey and preKey signature
+ // Rotated for deniability of older messages
+ rpc RefreshUserPreKeys(RefreshUserPreKeysRequest) returns (Empty) {}
 }
 // Helper types
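Review bot: The comments on GetDeviceKeysForUser and GetKeyserverKeys do not say who may call them, and their request messages (added further down in this diff) carry only a username or wallet address, while UploadOneTimeKeys and RefreshUserPreKeys carry an accessToken. If either response hands out a one-time prekey, which the visible lines do not show, a caller who only knows an identifier can use up a device's supply, so the RPC comments should state the authentication and rate-limit expectation, for example `// Caller must be authenticated; one-time keys are handed out at most once and rate limited per caller` if that is the intended behaviour. Separately, on RefreshUserPreKeys the line `// Rotated for deniability of older messages` reads as if it should say forward secrecy, since replacing the signed prekey and deleting the old private key is what limits exposure of past sessions. The enclosing service block starts above this hunk.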
@@ -220,3 +236,55 @@
 message GenerateNonceResponse{
 string nonce = 1;
 }
+
+// GetDeviceKeysForUser
+
+message DeviceKeysForUserRequest {
+ oneof identifier {
+ string username = 1;
+ string walletAddress = 2;
+ }
+}
+
+message DeviceKeysForUserResponse {
+ // Map is keyed on devices' public ed25519 key used for signing
+ map devices = 1;
+}
+
+// GetKeyserverKeys
+
+// All keyserver must be registered with an existing user.
+// Conversely, one or zero keyservers can registered to a user.
+message KeyserverKeysRequest {
+ oneof identifier {
+ string username = 1;
+ string walletAddress = 2;
+ }
+}
+
+message KeyserverKeysResponse {
+ KeyserverSessionInfo keyserverInfo = 1;
+}
+
+// UploadOneTimeKeys
+
+// As OPKs get exhausted, they need to be refreshed
+message UploadOneTimeKeysRequest {
+ // Use device associated with token to insert OPKs
+ string accessToken = 1;
+ repeated string oneTimePreKeys = 2;
+}
+
+// RefreshUserPreKeys
+
+message PreKeyUpload {
+ // Rotating preKey, validated to be associatd with IdentityKeys
+ // through signature
+ string preKey = 1;
+ string preKeySignature = 2;
+}
+
+message RefreshUserPreKeysRequest {
+ string accessToken = 1;
+ PreKeyUpload newPreKeys = 2;
+}
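Review bot: `repeated string oneTimePreKeys` in UploadOneTimeKeysRequest has no documented encoding or size bound, so the handler has to cap the batch and reject entries that do not decode to a public key of the expected length before storing them. I would document that on the field, e.g. `// Encoded one-time public keys (<ENCODING>); at most <MAX_KEYS> per request, malformed entries reject the whole request`, with the placeholders filled in by the author. The PreKeyUpload comment says the preKey is validated through its signature but not which party verifies it or which identity key signs it; stating that the server checks `preKeySignature` against the device's stored signing key before replacing the old preKey (if that is the design) would make the contract reviewable. `accessToken` travels in the message body in both upload requests, so request logging on this service should redact that field.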