Wallaby
  • Introduction
    • Welcome
    • Getting Started
    • Key Architecture Overview
    • SDK vs API
    • Authentication Overview
    • Security Overview
      • Wallaby System Security
      • Securing User Access Token
      • Securing API keys
      • Securing Device Auth Key
      • Securing the Seed Phrase
        • API only: Choosing encryption factors for the seed phrase
  • Capabilities
    • Core Wallet
      • Wallet Creation
      • Wallet Recovery
      • Wallet Export
      • Wallet Import
      • Seed Phrase Recovery (Beta)
    • Wallet Services
      • Asset Listings By Wallet Holders
      • Transfers
      • Spending Authorization
    • Wallet Data
      • View Assets, Addresses, & Balances
      • Transaction History & Status
      • Service Availability
  • Consumer Application SDK
    • SDK Quick Start
    • Authentication with the SDK
      • Account Creation
      • Login
      • Refresh Access
      • Update Client Public Key
    • Core Wallet SDK
      • Creating a wallet with the SDK
      • Recovering a wallet with the SDK
      • Exporting a wallet with the SDK
      • Importing a wallet with the SDK
    • Wallet Services SDK
      • Spending Authorization (Allowance) with the SDK
      • Transfers with the SDK
        • Use Case: Preparing a Transfer
    • Wallet Data SDK
      • Assets, Addresses, & Balance Fetching with the SDK
      • Transaction History with the SDK
      • Transaction Status with the SDK
      • Service Availability with the SDK
  • Consumer Application APIs
    • API Quick Start
    • API Authentication
      • Sign Up
      • Sign In
    • Core Wallet APIs
      • Creating a wallet with APIs
      • Recovering a wallet with APIs
      • Export a wallet with APIs
      • Import a wallet with APIs
    • Wallet Data APIs
      • Assets, Addresses, & Balance Fetching APIs
      • Transaction History APIs
      • Transaction Status APIs
    • Wallet Services APIs
      • Asset Listings By Wallet Holders API
      • Transfer API
      • Spending Authorization (Allowance) API
      • Algorand Opt In
    • Blockchain Specific APIs
      • Algorand Only APIs
      • EVM Only APIs
    • Error Codes
  • Wallet Administration
    • Admin Applications
      • Admin Authentication
      • Admin Security
      • Programmatically Listing Assets with the SDK
      • Programmatically Listing Assets as a Business
    • Admin Portal
      • Asset Listings By Your Business
        • Manually List Assets
        • Automate Listing Assets
Powered by GitBook
On this page
  • Wallet Private Key Security
  • Secure Access to Wallaby
  • Wallaby API Keys
  • Device Auth Key
  • Wallaby Access Token
  • User Access Token
  • Infrastructure Security
  • Audits
  • Wallaby Transport Keys
  1. Introduction
  2. Security Overview

Wallaby System Security

This page covers details about how the Wallaby system itself ensures security.

Wallet Private Key Security

The Wallaby system uses confidential computing as a key component of its core infrastructure. This means that data is encrypted while at rest, in transit, and in use which enables us to provide full service & secure wallet operations.

Data Generation and Processing within the Secure Enclave

In order to keep wallets secure, we focused on a strategy that keep wallet private keys protected at all times. At the core of our security is the secure enclave where wallet generation, wallet recovery, and transaction signing occur. This is a confidential computing environment where data is protected when generated and while processing.

Data Storage within the Secure Enclave

Wallaby itself does not store wallet private keys, even in an encrypted format. We generate them on demand when provided with the seed phrase. The seed phrase is also not stored on our servers. Instead the system is designed to store the seed phrase in an encrypted format on the client's device. This design is more resilient to large scale attacks since it eliminates a honeypot/single point of attack.

{image of the infra}

Secure Access to Wallaby

Wallaby API Keys

Purpose: In order to restrict Wallaby system access to authorized applications.

More info: To register an application, you will need to generate an API key associated with your business and application. These API keys can be generated and configured within our enterprise portal. With access to our portal, will be able to generate new keys, retire unused keys, and configure which domains are given access with each key.

Device Auth Key

Purpose: In order to restrict Wallaby system access to authorized devices.

More info: Wallaby utilizes the SRP (secure remote password) for system authentication. This means that the device specific key is the main identifier for the wallet holder. It is used to create a new account or sign in to an existing account. Unlike the Wallaby Access Token below, you can use this key after an expired session to regain access to the Wallaby account associated with this device. Read more about how to keep this key secure in Securing Device Auth Key.

This key also has a secondary purpose since is also used to encrypt sensitive data before transport. Read more about this in Securing the Seed Phrase.

Wallaby Access Token

Purpose: In order to limit the window of access from a particular device should an active session with the application get stolen.

More info: To ensure continued access to Wallaby, you will need to provide a Wallaby access token from Wallaby as the authorization in the header. This access token is generated after signing in with Wallaby and expires after 30 minutes. It can be refreshed before expiration as needed.

User Access Token

Purpose: In order to restrict Wallaby system access to a particular user of your system and limit the window of access for that user should an active session get stolen

More info: To ensure continued access to Wallaby, you will need to provide a user access token from Wallaby as a custom header value called x-client-jwt. This access token is generated by your application and signed after logging in with your system.

Infrastructure Security

WAF

Backups

Cloudflare

Access Policy

Audits

Prior to launch, the entire wallaby infrastructure system underwent rigorous scrutiny through multiple audits conducted by leading industry firms. This commitment to independent evaluation ensures our system's security, reliability, and compliance with industry standards, giving you peace of mind when doing integration with it.

Wallaby Transport Keys

Purpose: In order to ensure sensitive information was prepared by an authorized device.

More info: After creating an account or logging in, you will gain access to the public key and are expected to use it to encrypt the seed phrase before transporting to Wallaby. Wallaby will then decrypt it in order to generate your wallet private keys in order to complete a tx with your wallet.

PreviousSecurity OverviewNextSecuring User Access Token

Last updated 10 months ago