visitor@x402card:~$ security

Security model

The wallet is the account. x402card uses short-lived signed challenges for ownership, scoped sessions for authenticated actions, durable idempotency for money movement, and an explicit fresh-signature step before revealing card credentials.

Architecture last verified: 2026-07-12.

Wallet authentication

Challenges bind the domain, address, nonce, issue time, expiry, and scope. The backend verifies the signature and issues a short-lived x402card session.

Card credentials

x402card stores provider card identifiers and masked metadata, not PAN or CVV. Full credentials are fetched on demand after a fresh wallet proof and cleared from the UI.

Money integrity

Settlement evidence, ledger entries, funding jobs, provider mutations, and reconciliation use explicit identifiers and guarded state transitions.

Ambiguous outcomes

Timeouts and uncertain provider results are parked for operator review. The system does not silently mark them successful or blindly repeat money-moving calls.

What users and agents must verify

Report a vulnerability

Send sensitive reports to security@x402card.org. Do not publish credentials, card data, exploitable money-path details, or user information. The machine-readable disclosure policy is at /.well-known/security.txt.