Security
Should you read this?
Read this page before shipping a production payment or deposit flow. It explains what the SDK can and cannot access.
If your main question is payment proof, read Backend Verification too.
Security model in one minute
- The SDK never sees private keys.
- Wallets sign transactions through a wallet adapter.
- The API receives public routing data: tokens, amounts, addresses, and transaction hashes.
- The SDK does not include analytics, cookies, beacons, or fingerprinting.
Private Key Handling
The SDK never touches private keys. All transaction signing happens inside the user's wallet (MetaMask, Phantom, WalletConnect-compatible wallets, etc.) through the IWalletAdapter interface. The SDK constructs transaction parameters and passes them to the wallet for signing — it never has access to signing keys.
Data Sent to the API
The SDK only sends publicly available information to the configured API endpoint:
| Data | Purpose |
|---|---|
| Wallet address | Query balances, submit deposits, track orders |
| Token identifiers | Request quotes for specific token pairs |
| Amounts | Calculate swap routes and fees |
| Recipient address (optional) | Route cross-chain delivery to a specific destination |
| Transaction hash | Submit signed transactions for order tracking |
No private keys, app session tokens, or cookies are sent by the SDK. Wallet addresses, token amounts, recipients, and transaction hashes are public on-chain data, but together they link a user to a specific payment and can still be sensitive. Treat them as payment data in your own privacy review.
Communication Security
- All requests are sent over HTTPS to the configured apiEndpoint. The SDK sends to whatever endpoint you configure, so make sure that value is an https:// URL in production.
- Streaming quotes use EventSource (SSE) for real-time updates; order tracking uses HTTP polling
- No WebSocket connections are made
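The two sections above define the widget's entire egress contract: which data categories go to the API, and that they go over HTTPS to the endpoint you configured. The check below is an added example written for this page, not SDK code, that a host application can run against outgoing requests to enforce that contract. The JSON field names (walletAddress, fromToken, toToken, amount, recipient, txHash) are assumptions about the request shape; adjust them to the real payloads. One point it makes explicit: a 32-byte private key and a transaction hash have the same shape (0x plus 64 hex characters), so no "does this look like a key" pattern can tell them apart; enforce an allow-list of field names instead.

```javascript
// Added example, not the SDK's code: a host-side egress audit for requests the widget
// makes to apiEndpoint. Field names are assumptions about the request shape.

// The security page documents these as the only data categories sent to the API.
// Private keys and transaction hashes are both 0x + 64 hex, so deny-listing
// "key-shaped" values cannot work; allow-list the field names instead.
const ALLOWED_FIELDS = new Set([
  "walletAddress", "fromToken", "toToken", "amount", "recipient", "txHash",
]);
const FORBIDDEN_HEADERS = /^(cookie|authorization)$/i;
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// HTTPS only. Plain http is tolerated for loopback, and only when explicitly enabled.
function validateApiEndpoint(raw, { allowLoopbackHttp = false } = {}) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: `"${raw}" is not an absolute URL` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials embedded in apiEndpoint" };
  }
  if (url.protocol === "https:") return { ok: true, origin: url.origin };
  if (url.protocol === "http:" && allowLoopbackHttp && LOOPBACK_HOSTS.has(url.hostname)) {
    return { ok: true, origin: url.origin };
  }
  return { ok: false, reason: `${url.protocol} would send payment metadata in cleartext` };
}

// Check one outgoing request: endpoint scheme, headers, and body field set.
function auditRequest({ url, headers = {}, body = {} }, opts) {
  const findings = [];
  const endpoint = validateApiEndpoint(url, opts);
  if (!endpoint.ok) findings.push(endpoint.reason);

  for (const name of Object.keys(headers)) {
    if (FORBIDDEN_HEADERS.test(name)) findings.push(`header "${name}" must not be sent`);
  }
  for (const [key, value] of Object.entries(body)) {
    if (!ALLOWED_FIELDS.has(key)) {
      findings.push(`undocumented field "${key}"`);
    } else if (value !== null && typeof value === "object") {
      // Documented fields are flat scalars; a nested value deserves review.
      findings.push(`field "${key}" carries a nested value`);
    }
  }
  return { ok: findings.length === 0, findings };
}

// Constructed sample requests (not captured traffic).
const GOOD_REQUEST = {
  url: "https://api.example.com/v1/orders",
  headers: { "content-type": "application/json" },
  // txHash has exactly the shape of a private key and is still legitimate.
  body: { walletAddress: "0x" + "11".repeat(20), txHash: "0x" + "ab".repeat(32) },
};
const BAD_REQUEST = {
  url: "http://api.example.com/v1/orders",
  headers: { cookie: "session=abc" },
  body: { walletAddress: "0x" + "11".repeat(20), sessionToken: "opaque-session-token" },
};
```

In a real integration, run auditRequest from the HTTP layer you control (for example a ky beforeRequest hook, since ky is the SDK's HTTP client) and fail closed on any finding; the constructed requests above exercise a passing case and a case with three violations.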
Cross-Chain Settlement
Swaps are settled through an intent settlement protocol. The protocol:
- Uses on-chain smart contracts for settlement
- Supports multiple bridge providers
- Does not require trust in any single intermediary
Telemetry
The SDK does not include its own telemetry layer:
- No analytics tracking
- No cookies
- localStorage may be used for token metadata caching
- No sessionStorage usage
- No third-party scripts loaded
- No beacon/pixel requests
- No fingerprinting
The widget's network requests go to the configured API endpoint (swap operations), to chain icon URLs, and to token logo URLs returned by the API (logoURI). Token logo URLs can point to third-party image CDNs, so the set of image hosts your users contact is determined by the API's token list rather than by your page; constrain it with an img-src allow-list in your CSP.
Dependency Security
The SDK has a minimal dependency footprint:
- Solid.js — UI rendering
- solid-element — Web Component registration
- TanStack Solid Query — API request caching and deduplication
- ky — HTTP client
- valibot — Schema validation
- lucide-solid — Icon components
Review dependency updates and audit results as part of your own release process.
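The list above is a concrete thing to check in your release process: the runtime dependencies the installed SDK actually declares should match the documented footprint, and nothing in the tree should run a lifecycle script on install. The block below is an added example for this page, not SDK tooling. It reads the lockfile v2/v3 "packages" map (entries carry "version", "dependencies" and "hasInstallScript") and compares the SDK's declared dependencies against the npm names of the libraries listed above. The SDK package name "@example/payment-widget" and the lockfile excerpt are constructed placeholders.

```javascript
// Added example, not the SDK's code: audit a consumer lockfile against the dependency
// footprint documented on the security page. The SDK package name is a placeholder.

// npm names for the libraries listed on the page.
const DOCUMENTED_RUNTIME_DEPS = new Set([
  "solid-js", "solid-element", "@tanstack/solid-query", "ky", "valibot", "lucide-solid",
]);

function auditSdkDependencies(lock, sdkName) {
  const packages = lock.packages || {};
  const sdkEntry = packages[`node_modules/${sdkName}`];
  if (!sdkEntry) return { ok: false, findings: [`${sdkName} is not in the lockfile`] };

  const findings = [];
  // 1. Runtime dependencies the installed SDK declares that the page does not list.
  for (const dep of Object.keys(sdkEntry.dependencies || {})) {
    if (!DOCUMENTED_RUNTIME_DEPS.has(dep)) {
      findings.push(`undocumented runtime dependency: ${dep}`);
    }
  }
  // 2. Any package in the whole tree that runs a lifecycle script on install.
  //    `npm ci --ignore-scripts` blocks these; review each one before allowing it.
  for (const [path, meta] of Object.entries(packages)) {
    if (path !== "" && meta.hasInstallScript) {
      findings.push(`install script: ${path}@${meta.version}`);
    }
  }
  return { ok: findings.length === 0, findings };
}

// Constructed lockfile excerpt (not from a real project); versions are illustrative.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "checkout-app", dependencies: { "@example/payment-widget": "^1.0.0" } },
    "node_modules/@example/payment-widget": {
      version: "1.0.0",
      dependencies: {
        "solid-js": "^1.8.0",
        "solid-element": "^1.8.0",
        "@tanstack/solid-query": "^5.0.0",
        "ky": "^1.0.0",
        "valibot": "^0.30.0",
        "lucide-solid": "^0.400.0",
        "unlisted-helper": "^1.0.0", // not in the documented footprint
      },
    },
    "node_modules/solid-js": { version: "1.8.0" },
    "node_modules/ky": { version: "1.0.0" },
    "node_modules/unlisted-helper": { version: "1.0.0" },
    "node_modules/some-native-dep": { version: "2.0.0", hasInstallScript: true },
  },
};
```

Run this in CI against the real package-lock.json alongside `npm audit`; a new undocumented dependency or a new install script is a change worth a human look before the release proceeds.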
Content Security Policy
The SDK supports CSP-restricted environments via the csp-nonce attribute. See CSP Guide for configuration details.
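The Telemetry section above enumerates the widget's network destinations (apiEndpoint for REST, SSE and polling; chain icon URLs; token logoURI values that may live on third-party CDNs), which is exactly the information a CSP needs. The block below is an added example for this page, not code from the SDK or its CSP Guide: it derives connect-src and img-src from those documented destinations and refuses non-https image hosts rather than widening img-src. Placing the nonce in script-src and style-src assumes the csp-nonce attribute covers inline script and style the widget emits; the CSP Guide is authoritative on that, and wallet adapters or other parts of your page may need sources this example does not cover. The sample URLs and the fixed nonce are constructed.

```javascript
// Added example, not the SDK's or the CSP Guide's code. Builds a CSP from the widget's
// documented network destinations. Nonce placement in script-src/style-src is an
// assumption; check the CSP Guide.

// Only https origins are accepted; an http image or API URL is dropped, never allowed.
function secureOriginOf(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" ? u.origin : null;
  } catch {
    return null;
  }
}

// A nonce must be fresh per response and unguessable: require at least 16 random
// bytes encoded as base64 (22+ characters).
function isStrongNonce(nonce) {
  return typeof nonce === "string" && /^[A-Za-z0-9+/]{22,}={0,2}$/.test(nonce);
}

function buildWidgetCsp({ apiEndpoint, iconUrls = [], tokenLogoUrls = [], nonce }) {
  const api = secureOriginOf(apiEndpoint);
  if (!api) throw new Error("apiEndpoint must be an absolute https URL");
  if (!isStrongNonce(nonce)) throw new Error("nonce too short or not base64");

  // logoURI comes from the API response. A compromised API could point logos anywhere,
  // so img-src is limited to reviewed CDN origins instead of a wildcard.
  const imgOrigins = new Set();
  const rejected = [];
  for (const url of [...iconUrls, ...tokenLogoUrls]) {
    const origin = secureOriginOf(url);
    if (origin) imgOrigins.add(origin);
    else rejected.push(url);
  }
  const sortedImg = [...imgOrigins].sort();

  const directives = [
    "default-src 'self'",
    `connect-src 'self' ${api}`, // REST, SSE and polling all target apiEndpoint
    `img-src 'self' ${sortedImg.join(" ")}`.trimEnd(),
    `script-src 'self' 'nonce-${nonce}'`,
    `style-src 'self' 'nonce-${nonce}'`,
  ];
  return { header: directives.join("; "), connectOrigins: [api], imgOrigins: sortedImg, rejected };
}

// Fixed nonce for the demo only; generate a fresh one per response in production.
const DEMO_NONCE = "c29tZS1yYW5kb20tMTYtYnl0ZXM=";

// Constructed inputs (not real API output).
const SAMPLE_POLICY = buildWidgetCsp({
  apiEndpoint: "https://api.example.com/v1",
  iconUrls: ["https://icons.example-cdn.net/chains/eth.svg"],
  tokenLogoUrls: [
    "https://assets.third-party-cdn.io/tokens/usdc.png",
    "http://insecure.example/tokens/dai.png", // dropped: not https
  ],
  nonce: DEMO_NONCE,
});
```

Feed the resulting header string to your Content-Security-Policy response header and pass the same nonce to the widget's csp-nonce attribute; the rejected list tells you which API-supplied logos would be blocked so you can review them rather than loosening img-src.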
Reporting Vulnerabilities
If you discover a security vulnerability, please report it responsibly. Do not open a public issue — contact the team directly via the channels listed on the npm package page or documentation site.
Next step
- Need strict headers? Read Content Security Policy.
- Need payment verification? Read Backend Verification.