
Wallets Service Security

Table of Contents

  1. Understanding Admin Passkeys
  2. Understanding API Secrets
  3. Differences Between Admin Passkeys and API Secrets
  4. Authority and Security Measures

Understanding Admin Passkeys

What are Admin Passkeys?

Admin Passkeys are cryptographic key pairs generated on your device, serving as the ultimate proof of ownership of digital wallets. In simpler terms, think of them as advanced passwords that provide a high level of security for associated private keys.

  • Why passkeys?
    • Security: Access to your digital wallet is protected with OS-level biometrics, such as FaceID and TouchID. This means you'll need to scan your face or fingerprint to gain access.
    • Phishing-Resistant: Passkeys are domain-specific, meaning each passkey only works on the website or service it was created for, which adds an extra layer of security against phishing attacks.
    • Hardware Key Support: Passkeys can be stored in hardware devices like YubiKeys for added security.

Google has a great high-level introduction to passkeys at https://developers.google.com/identity/passkeys, and Apple has its own version here: https://developer.apple.com/passkeys

Authority and Responsibility

The Admin Passkey holds a high level of authority, enabling actions such as disabling an API secret or generating a new one. Losing it may result in a loss of control over your digital assets. To store it securely, use a hardware security key or a secure digital vault.


Understanding API Secrets

What are API Secrets?

API Secrets are unique P-256 key pairs used for authenticating requests to our Wallet Service, particularly for daily interactions like transferring assets.

Understanding P-256 Key Pairs

A P-256 key pair consists of a public key, which is like an open mailbox where people can send you encrypted messages, and a private key, which is like the unique key to that mailbox that only you have. The term "P-256" refers to the specific mathematical rules used to create these keys, ensuring they are secure and efficient.

Using API Secrets

Creating a new API Secret

Key pairs for API Secrets can be generated either manually using libraries like openssl or through this web tool.
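As an added example (not Toket's own code), the manual route with the openssl command line can look like the script below. The function names, file names and output directory are assumptions, and the page does not state which key encoding the service expects, so the script stops at PEM files.

```shell
#!/bin/sh
# Added example: create and sanity-check a P-256 key pair with OpenSSL.
# File names (api-secret.pem, api-secret.pub.pem) are assumptions.

# gen_p256_keypair DIR
# Writes DIR/api-secret.pem (private, owner-only) and DIR/api-secret.pub.pem.
# The body runs in a subshell so the umask change does not leak to the caller.
gen_p256_keypair() (
  dir="$1"
  priv="$dir/api-secret.pem"
  pub="$dir/api-secret.pub.pem"
  umask 077                       # private key is never group/world readable
  mkdir -p "$dir" || exit 1
  if [ -e "$priv" ]; then         # never silently replace an existing secret
    echo "refusing to overwrite $priv" >&2
    exit 1
  fi
  # prime256v1 is OpenSSL's name for the P-256 curve
  openssl ecparam -name prime256v1 -genkey -noout -out "$priv" || exit 1
  openssl ec -in "$priv" -pubout -out "$pub" 2>/dev/null || exit 1
  chmod 644 "$pub"                # the public half may be shared
)

# check_p256_keypair DIR
# Succeeds only if the private key is on P-256, is not accessible to
# group/other, and the stored public key is the one derived from it.
check_p256_keypair() (
  priv="$1/api-secret.pem"
  pub="$1/api-secret.pub.pem"
  openssl ec -in "$priv" -noout -text 2>/dev/null | grep -q 'prime256v1' || exit 1
  perms=$(ls -ld "$priv" | cut -c5-10)   # group + other permission bits
  [ "$perms" = "------" ] || exit 1
  derived=$(openssl ec -in "$priv" -pubout 2>/dev/null) || exit 1
  [ "$derived" = "$(cat "$pub")" ] || exit 1
)

# Usage (not run automatically):
#   gen_p256_keypair "$HOME/.wallets" && check_p256_keypair "$HOME/.wallets"
```

Running the check again before a key is put into use catches a key on the wrong curve, a mismatched public file, or permissions loosened by a copy or restore.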

Secure Endpoints

To interact with secure wallet endpoints, include the header x-wallets-secret with the private key.

Authority and Control

API secrets can be deactivated and replaced. For these actions, you will require your Admin Passkey for authentication.


Differences Between Admin Passkeys and API Secrets

  • Admin Passkeys: Used in the dashboard for high-level tasks like disabling an API Secret or creating a new one.
  • API Secrets: Used for routine actions like transferring assets or creating new wallets through direct API interactions.

🛡 Security is paramount

🔐 How We Use Your Private Key

Your private key is used solely for the purposes of creating, parsing, and signing transactions you request. All these actions are encrypted and require Admin Passkey authentication.

🏦 Security Assurance

Our multi-layered security measures ensure that no one, not even Toket employees, has access to your secrets. This is achieved through advanced encryption methods and secure servers.

📝 Auditable Code (Coming Soon)

Our code handling these secrets is open for auditing, adding another layer of trust.