Wallaby
  • Introduction
    • Welcome
    • Getting Started
    • Key Architecture Overview
    • SDK vs API
    • Authentication Overview
    • Security Overview
      • Wallaby System Security
      • Securing User Access Token
      • Securing API keys
      • Securing Device Auth Key
      • Securing the Seed Phrase
        • API only: Choosing encryption factors for the seed phrase
  • Capabilities
    • Core Wallet
      • Wallet Creation
      • Wallet Recovery
      • Wallet Export
      • Wallet Import
      • Seed Phrase Recovery (Beta)
    • Wallet Services
      • Asset Listings By Wallet Holders
      • Transfers
      • Spending Authorization
    • Wallet Data
      • View Assets, Addresses, & Balances
      • Transaction History & Status
      • Service Availability
  • Consumer Application SDK
    • SDK Quick Start
    • Authentication with the SDK
      • Account Creation
      • Login
      • Refresh Access
      • Update Client Public Key
    • Core Wallet SDK
      • Creating a wallet with the SDK
      • Recovering a wallet with the SDK
      • Exporting a wallet with the SDK
      • Importing a wallet with the SDK
    • Wallet Services SDK
      • Spending Authorization (Allowance) with the SDK
      • Transfers with the SDK
        • Use Case: Preparing a Transfer
    • Wallet Data SDK
      • Assets, Addresses, & Balance Fetching with the SDK
      • Transaction History with the SDK
      • Transaction Status with the SDK
      • Service Availability with the SDK
  • Consumer Application APIs
    • API Quick Start
    • API Authentication
      • Sign Up
      • Sign In
    • Core Wallet APIs
      • Creating a wallet with APIs
      • Recovering a wallet with APIs
      • Export a wallet with APIs
      • Import a wallet with APIs
    • Wallet Data APIs
      • Assets, Addresses, & Balance Fetching APIs
      • Transaction History APIs
      • Transaction Status APIs
    • Wallet Services APIs
      • Asset Listings By Wallet Holders API
      • Transfer API
      • Spending Authorization (Allowance) API
      • Algorand Opt In
    • Blockchain Specific APIs
      • Algorand Only APIs
      • EVM Only APIs
    • Error Codes
  • Wallet Administration
    • Admin Applications
      • Admin Authentication
      • Admin Security
      • Programmatically Listing Assets with the SDK
      • Programmatically Listing Assets as a Business
    • Admin Portal
      • Asset Listings By Your Business
        • Manually List Assets
        • Automate Listing Assets
Powered by GitBook
On this page
  • SDK Implementation
  • API Implementation
  1. Introduction
  2. Security Overview

Securing the Seed Phrase

Since we leave seed phrase storage up to the client's application, it is important to be strategic with encryption factors for that seed phrase. The encryption factors determine the user experience when setting up the wallet and signing transactions. They also affect the security of the system. Since our system generates private keys from the master seed, balancing security and accessibility of the seed is essential.

SDK Implementation

Our default SDK implementation utilizes storage on the wallet holder's browser OR mobile device and a three part encryption:

  1. a wallet holder's input such as a password/pin/biometric key that is not stored on any participating system (only known by the user)

  2. an encryption key generated & stored on the user's device

  3. a Wallaby salt value which is only accessible with valid authentication to Wallaby which requires that key from the user's device & a JWT from your system

This structure assumes that the existing authentication system used to generate your JWT is secure. You should be utilizing an MFA (preferably a TOTP) and expiring the session in a reasonable period of time.

API Implementation

The API implementation lets you choose your own encryption factors and storage location for the seed phrase. To decide what makes the most sense for your use case, you will want to evaluate the level of security you require, compare storage locations, and identify possible encryption factors.

To ensure you remain non-custodial, your decisions on storage location and encryption factors should leave you unable to independently access the seed phrase. If you would like to discuss your specific use case, please reach out to us.

PreviousSecuring Device Auth KeyNextAPI only: Choosing encryption factors for the seed phrase

Last updated 10 months ago