Viaclave is built on Cloudflare's global edge network. Keys are encrypted at rest, balances are enforced atomically, and every access path is locked down by default.
Every wallet private key is encrypted at rest with AES-256-GCM using keys derived with HKDF-SHA256. Raw key material never exists unencrypted outside of a single signing operation.
Agents never hold private keys. Transactions are signed inside Cloudflare Workers, where the key stays decrypted for less than a second. The decrypted key exists only in ephemeral memory.
Plaintext key export requires both your account password and the recovery_share returned exactly once at wallet creation. A stolen password alone cannot extract a key — the API has no path to plaintext without your share.
Every signing op and every recovery export writes a row to key_access_log: which wallet, which payment, success or failure, request IP. The audit trail survives forensic review.
Each wallet's balance is managed by a dedicated Cloudflare Durable Object with single-threaded, serialized access. Double-spends are structurally impossible.
Every debit is keyed by a unique payment ID. Replaying the same request returns the original result, with no duplicate charges.
Every balance change writes to an append-only ledger_events table. The full history of credits, debits, fees, and refunds is permanently recorded.
Per-transaction and daily caps are checked atomically at the Durable Object before any funds move. Limits cannot be bypassed.
API keys use a visible prefix (vc_live_ or vc_test_) for easy identification, but are stored as SHA-256 hashes. A leaked hash cannot be reversed to a working key.
Dashboard sessions use HttpOnly, Secure cookies. Client JavaScript cannot read session tokens, preventing XSS-based session theft.
Dashboard login supports GitHub and Google OAuth. Provider-verified emails are auto-linked to existing accounts. The API itself uses Bearer API keys, not OAuth tokens.
Login and registration endpoints are rate-limited per IP address. Authenticated endpoints enforce per-account and daily request quotas.
API responses include strict CORS headers allowing only viaclave.com origins, so browsers will not let pages on other origins read them.
Worker-to-worker communication (API to RPC, Settlement to RPC) requires a shared secret token. The RPC worker rejects unauthenticated callers.
Every webhook delivery includes an HMAC-SHA256 signature so receivers can verify the payload originated from Viaclave.
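Receiver-side verification of the signature described above, as an added example that is not Viaclave's code. The page does not specify the header name, signature encoding or signed content, so the `x-webhook-signature` header, hex encoding and raw-body signing used here are assumptions, and the secret and payload are constructed.

```javascript
// Added example: verifying an HMAC-SHA256 webhook signature on the receiver.
// Assumptions (not from the page): hex-encoded signature over the raw body,
// delivered in a hypothetical header; secret and payload are constructed.
const { createHmac, timingSafeEqual } = require('node:crypto');

const SIG_HEADER = 'x-webhook-signature'; // hypothetical header name

// Helper used here only to build the constructed sample delivery.
function sign(secret, rawBody) {
  return createHmac('sha256', secret).update(rawBody).digest('hex');
}

// Returns true only if `headers` carries a valid signature for `rawBody`.
// `rawBody` must be the exact bytes received, never re-serialized JSON.
function verifyWebhook(secret, rawBody, headers) {
  const provided = headers[SIG_HEADER];
  if (typeof provided !== 'string' || !/^[0-9a-f]{64}$/i.test(provided)) {
    return false; // missing, wrong length or not hex: reject before comparing
  }
  const expected = createHmac('sha256', secret).update(rawBody).digest();
  const given = Buffer.from(provided, 'hex');
  // Constant-time compare; both buffers are 32 bytes here, so it cannot throw.
  return timingSafeEqual(expected, given);
}

// Constructed sample delivery (not a real payload).
const SECRET = 'whsec_constructed_example';
const BODY = Buffer.from('{"event":"payment.settled","payment_id":"pay_example_1"}');
const GOOD = { [SIG_HEADER]: sign(SECRET, BODY) };

function demo() {
  const tampered = Buffer.from(
    BODY.toString().replace('pay_example_1', 'pay_example_2'));
  const shortSig = { [SIG_HEADER]: GOOD[SIG_HEADER].slice(0, 10) };
  return {
    valid: verifyWebhook(SECRET, BODY, GOOD),
    tamperedBody: verifyWebhook(SECRET, tampered, GOOD),
    wrongSecret: verifyWebhook('other-secret', BODY, GOOD),
    missingHeader: verifyWebhook(SECRET, BODY, {}),
    truncatedSig: verifyWebhook(SECRET, BODY, shortSig),
  };
}

console.log(demo());
```

Verify before parsing the JSON, and combine the check with the payment ID in the payload to discard deliveries you have already processed.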
Found a vulnerability? We want to hear from you. Report security issues to security@viaclave.com. We commit to acknowledging reports within 48 hours and will work with you to resolve issues before any public disclosure.