# Privacy and Security

#### Privacy guarantees

* **Visibility**: Only the sender and recipient of a payment can retrieve its details via the API.
* **Privacy tokens**: Each payment is associated with a privacy token (x402 or local); tokens are used internally to preserve privacy.
* **Backend-only signing**: Private keys never leave the server; agents only see public keys and balances.

#### Security measures

* **Encryption at rest**: Wallet private keys are encrypted with AES-256-GCM using `ENCRYPTION_KEY`.
* **No key exposure**: Agents do not receive or handle private keys.
* **Validation**: All payment and batch requests are validated (amounts, no self-payment, no duplicate recipients in batch).
* **HTTPS**: Terminate the NetAuth API behind TLS in production so that payment details and any API credentials are never sent in cleartext.
* **Secrets**: Keep `ENCRYPTION_KEY` and any x402 keys in environment variables or a secrets manager; never commit them.
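The validation rules listed above (positive amounts, no self-payment, no duplicate recipients in a batch) as an added example in Node.js. This is not NetAuth's own code: it assumes amounts arrive as decimal strings, that addresses are hex strings compared case-insensitively (base58 addresses would need exact comparison), and that a batch carries one `from` key plus a `payments` array; the batch size limit is also an assumption.

```javascript
// Added example, not NetAuth's implementation. Validates single and batch
// payment requests before any signing happens on the backend.
const MAX_BATCH_SIZE = 100; // assumed limit; NetAuth's actual limit is not documented here

// Normalize an address for comparison. Assumes hex (EVM-style) addresses,
// where case carries no meaning; for base58 chains compare exactly instead.
function normalizeAddress(addr) {
  return typeof addr === 'string' ? addr.trim().toLowerCase() : '';
}

// Accept only a positive decimal string with at most 18 fractional digits.
// Strings are used instead of Number() so large token amounts are not rounded.
function validateAmount(amount) {
  if (typeof amount !== 'string' || !/^(0|[1-9]\d*)(\.\d{1,18})?$/.test(amount)) {
    return 'amount must be a positive decimal string';
  }
  if (/^0(\.0+)?$/.test(amount)) return 'amount must be greater than zero';
  return null;
}

function validatePayment({ from, to, amount }) {
  const errors = [];
  const f = normalizeAddress(from);
  const t = normalizeAddress(to);
  if (!f || !t) errors.push('from and to are required');
  else if (f === t) errors.push('self-payment is not allowed');
  const amountError = validateAmount(amount);
  if (amountError) errors.push(amountError);
  return { ok: errors.length === 0, errors };
}

// A batch shares one sender; every entry is validated as a single payment and
// recipients are additionally required to be unique within the batch.
function validateBatch({ from, payments }) {
  if (!Array.isArray(payments) || payments.length === 0) {
    return { ok: false, errors: ['batch must contain at least one payment'] };
  }
  const errors = [];
  if (payments.length > MAX_BATCH_SIZE) {
    errors.push(`batch exceeds ${MAX_BATCH_SIZE} payments`);
  }
  const seen = new Set();
  payments.forEach((p, i) => {
    const r = validatePayment({ from, to: p.to, amount: p.amount });
    r.errors.forEach((e) => errors.push(`payments[${i}]: ${e}`));
    const key = normalizeAddress(p.to);
    if (key && seen.has(key)) errors.push(`payments[${i}]: duplicate recipient ${p.to}`);
    seen.add(key);
  });
  return { ok: errors.length === 0, errors };
}
```

Reject the whole batch on any error rather than dropping the offending entries: a partially executed batch is harder to reconcile than a rejected one, and the caller can resubmit once the request is clean.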

#### Recommendations

* Use a strong, unique `ENCRYPTION_KEY` in production.
* Run NetAuth on a private network where only your agents and systems can reach it, or put the API behind authentication (for example API keys or an authenticating reverse proxy).
* Consider rate limiting and monitoring for production.
* Plan for key rotation and backup of encrypted wallet data if you persist it.

---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available on this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.netauthpay.com/agents/privacy-and-security.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
