visitor@x402card:~$ security
Security model
The wallet is the account. x402card uses short-lived signed challenges for ownership, scoped sessions for authenticated actions, durable idempotency for money movement, and an explicit fresh-signature step before revealing card credentials.
Architecture last verified: 2026-07-12.
Wallet authentication
Challenges bind the domain, address, nonce, issue time, expiry, and scope. The backend verifies the signature and issues a short-lived x402card session.
Card credentials
x402card stores provider card identifiers and masked metadata, not PAN or CVV. Full credentials are fetched on demand after a fresh wallet proof and cleared from the UI.
Money integrity
Settlement evidence, ledger entries, funding jobs, provider mutations, and reconciliation use explicit identifiers and guarded state transitions.
Ambiguous outcomes
Timeouts and uncertain provider results are parked for operator review. The system does not silently mark them successful or blindly repeat money-moving calls.
What users and agents must verify
- Domain is exactly
https://x402card.organd API calls go tohttps://api.x402card.org. - Wallet prompts contain the expected domain, address, and action.
- x402 payment requirements match the intended Base network, USDC asset, amount, recipient, and expiry.
- No one asks for a seed phrase or private key. x402card only asks the wallet to sign explicit messages or payments.
Report a vulnerability
Send sensitive reports to security@x402card.org. Do not publish credentials, card data, exploitable money-path details, or user information. The machine-readable disclosure policy is at /.well-known/security.txt.