Security

How we protect your keys, your funds, and your agents.

Non-Custodial Design

IndieGent stores encrypted private keys for convenience, but we are not a custodian. We never move funds without your explicit instruction. You can export your private key at any time and use it independently — import it into MetaMask, use it in your own code, move funds without IndieGent.

This is the same model used by Privy, Magic, Web3Auth, and other modern key management services.

Encryption

Private Keys

Agent wallet private keys are encrypted at rest using AES-256-GCM — the same standard used by banks, governments, and enterprise security systems.

  • Each key has a unique initialization vector (IV)
  • The encryption key is stored as an environment secret (not in the database)
  • Keys are only decrypted when you explicitly request them (reveal key, export env, drain)

Passwords

Email/password accounts use PBKDF2-SHA256 with 100,000 iterations. This makes brute-force attacks computationally expensive.

API Keys

API keys are hashed with SHA-256 before storage. The raw key is shown exactly once when created and never stored. We only store the hash for verification.

Authentication

JWT Tokens

  • Signed with HS256
  • 7-day expiry
  • Contains only user ID and wallet address

Constant-Time Comparison

Password verification uses constant-time comparison to prevent timing attacks. An attacker cannot determine how many characters of a password are correct based on response time.

API Key Verification

API keys are prefixed with ig_live_ (production) or ig_test_ (testnet). The prefix is stored in plaintext for routing; the rest is hashed with SHA-256.

Infrastructure

Edge-Hosted Serverless

The API runs on a serverless edge platform with built-in DDoS protection, automatic TLS, and edge-level security. There are no servers to patch, no ports to close, no operating systems to harden.

Database Isolation

Data is stored in an isolated database with no public endpoint. Access is restricted to the API layer only — there is no direct database connection available externally.

Secrets Management

Sensitive configuration (encryption keys, JWT secrets, gas sponsor keys) are stored as encrypted environment secrets — encrypted at rest, injected at runtime, never exposed in logs or code.

Spending Controls

  • Spending caps — Set a maximum balance for each agent wallet
  • Wallet isolation — Each agent has its own wallet. A compromised agent can only spend what's in its wallet.
  • Instant drain — Pull all funds back to your wallet at any time
  • Deactivation — Soft-delete an agent to auto-drain and disable

What We Don't Do

  • We don't store raw private keys — only AES-256-GCM encrypted ciphertext
  • We don't store raw API keys — only SHA-256 hashes
  • We don't store raw passwords — only PBKDF2 hashes
  • We don't initiate transactions without your instruction
  • We don't have a “master key” that bypasses wallet isolation
  • We don't log sensitive data (keys, passwords, tokens)

Reporting Vulnerabilities

If you discover a security vulnerability, please email security@indiegent.com. We take all reports seriously and will respond within 24 hours.

IndieGentIndieGent — Independent wallets for independent agents

npm install -g @indiegent/cli