Security
How we protect your identity, contacts and funds.
Your keys never leave your device
Stellar wallets are non-custodial: keys are generated in your browser, encrypted with your passcode, and stored only on your device. Our servers physically cannot move your funds.
Encrypted contact details
Phone numbers and emails are stored encrypted (AES-256-GCM with per-record keys). Even a full database leak does not expose them.
Server-side privacy enforcement
Privacy levels are enforced on our servers on every request — never in the browser, where they could be bypassed.
Passkeys and step-up auth
Sign in with passkeys. Sensitive actions — sending money, exporting data, viewing recovery codes — demand a fresh strong re-authentication.
Hardened payment pipeline
Transactions are validated server-side, signed on your device, then re-validated against the original intent before broadcast. Idempotency keys prevent duplicates.
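An added example (not this project's own code) of the server-side half of this pipeline: the signed transaction is re-checked against the stored intent, and the idempotency key suppresses a second broadcast on retry. The class, method and field names, the in-memory storage and the `broadcast` callback are assumptions, and signature verification is left out.

```python
import hashlib
import hmac
import json


class PaymentPipeline:  # hypothetical server-side component
    def __init__(self, broadcast):
        self._broadcast = broadcast  # assumed callable(signed_tx) -> result
        self._intents = {}  # idempotency key -> intent digest (in-memory here)
        self._results = {}  # idempotency key -> first broadcast result

    @staticmethod
    def _digest(payment):
        # Canonical JSON so identical payments always hash identically.
        canon = json.dumps(payment, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canon.encode()).hexdigest()

    def create_intent(self, idem_key, payment):
        if payment["amount"] <= 0 or payment["source"] == payment["destination"]:
            raise ValueError("invalid payment")
        digest = self._digest(payment)
        if self._intents.setdefault(idem_key, digest) != digest:  # not a retry
            raise ValueError("idempotency key reused for a different payment")

    def submit_signed(self, idem_key, signed_tx):
        if idem_key in self._results:  # retry: no second broadcast
            return self._results[idem_key]
        expected = self._intents[idem_key]  # KeyError if no intent was created
        actual = self._digest(signed_tx["payment"])  # what the device signed
        if not hmac.compare_digest(expected, actual):
            raise ValueError("signed transaction does not match intent")
        self._results[idem_key] = self._broadcast(signed_tx)
        return self._results[idem_key]


def demo():
    sent = []  # stands in for the network; every value below is constructed
    pipe = PaymentPipeline(lambda tx: sent.append(tx) or f"tx-{len(sent)}")
    pay = {"source": "ALICE", "destination": "BOB", "amount": 250, "asset": "XLM"}
    signed = {"payment": dict(pay), "signature": "constructed"}
    tampered = {"payment": {**pay, "destination": "MALLORY"}, "signature": "constructed"}
    pipe.create_intent("key-1", pay)
    try:
        pipe.submit_signed("key-1", tampered)
        rejected = False
    except ValueError:
        rejected = True
    first = pipe.submit_signed("key-1", signed)
    return rejected, first, pipe.submit_signed("key-1", signed), len(sent)
```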
Full audit trail
Logins, reveals, connections, payments and key events are written to an audit log you can review under Security settings.
Found a vulnerability? Please report it privately — see SECURITY.md in the repository.