Monipay Security Architecture

Client-side AES-256-GCM key encryption, Argon2id PIN hashing, RLS on all DB tables, HMAC-SHA256 signed APIs, rate limiting.

Security architecture

Monipay's security is built on a multi-layered approach that prioritizes user self-custody and data integrity.

Core Pillars

  • Non-Custodial Keys: Private keys are generated and encrypted locally (AES-256-GCM). Monipay never sees them.
  • PIN Hashing: We use Argon2id to ensure PINs are resistant to brute-force attacks.
  • On-Chain Truth: The blockchain is the final source of truth for all balances and transactions.
  • API Security: All merchant APIs are signed with HMAC-SHA256.

Database Security

Monipay uses Supabase with Row Level Security (RLS) enabled on all tables. This ensures that users can only access their own data.

Rate Limiting

We enforce strict rate limits on the relay-payment endpoint (5 requests per wallet/min and 10 per IP/min) to prevent abuse of our gas sponsorship infrastructure.

Read next

Related Pages

Reserved Usernames
Walkaway Test
Security Architecture
Resources: Roadmap