Privacy and Security

Privacy guarantees

• Visibility: Only the sender and recipient of a payment can retrieve its details via the API.

• Privacy tokens: Each payment is associated with a privacy token (x402 or local); tokens are used internally to preserve privacy.

• Backend-only signing: Private keys never leave the server; agents only see public keys and balances.

Security measures

• Encryption at rest: Wallet private keys are encrypted with AES-256-GCM using ENCRYPTION_KEY.

• No key exposure: Agents do not receive or handle private keys.

• Validation: All payment and batch requests are validated (amounts, no self-payment, no duplicate recipients in batch).

• HTTPS: Use TLS in production for the NetAuth API.

• Secrets: Keep ENCRYPTION_KEY and any x402 keys in environment variables or a secrets manager; never commit them.

Recommendations

• Use a strong, unique ENCRYPTION_KEY in production.

• Run NetAuth in a private network where only your agents/systems can call it, or protect the API with auth (e.g. API keys or auth proxy).

• Consider rate limiting and monitoring for production.

• Plan for key rotation and backup of encrypted wallet data if you persist it.