Skip to content

Security & Trust at Openfort

At Openfort, safeguarding the data and digital resources of your users is our utmost concern. We understand the crucial role we play in supporting our customers' applications and deeply value the trust placed in us.

Our system's design and infrastructure have been rigorously evaluated through multiple security assessments, audits, and penetration tests. Recognizing security as an ever-evolving challenge, we continually subject our systems to these evaluations to identify and remedy emerging vulnerabilities.

The process of embedding, maintaining, and testing security measures within your application is a significant endeavor. We dedicate ourselves to implementing industry-leading practices to protect your users' data and digital assets.

Highlighted below are key practices we employ:

Authentication methods

Openfort facilitates a variety of authentication techniques to confirm the identities of your users, including:

  • Email verification using password-based verification.
  • Social account verification (Google, Apple, Twitter, Discord) through OAuth2.0.
  • Ethereum wallet ownership verification using Sign In With Ethereum (SIWE).
  • Custom authentication methods to match your specific needs (Farcaster, etc.)

Token Issuance & Session Management

After authentication, Openfort issues an app Access Token (JWT):

  • Signed per application; 1-hour expiry for rapid revocation.

Data Encryption & Backup

  • Encryption at Rest: All databases encrypted using AES-256.
  • Regular Backups: Full daily snapshots; transaction log backups every 5 minutes; 7-day retention.

Network & API Security

  • TLS Everywhere: TLS 1.2+ with HTTPS enforcement for all traffic.
  • API Secrets: Each application has a unique API secret for server-to-server communication.
  • Rate Limiting & WAF: Protect against brute-force and automated attacks.

Wallet Configurations

Openfort offers three wallet types to meet diverse use cases:

  1. Embedded Wallet
  2. Global wallet
  3. Backend Wallet

1. Embedded Wallet

Documentation → Embedded Wallet Integration

Users retain full control of their private key, which is generated and used entirely in a secure, isolated environment in the application's domain.

Architecture & Workflow

  1. Key Generation:
    • 128-bit entropy seed generated in an isolated iframe, converted to BIP-39 mnemonic, and used to derive the keypair.
  2. Private Key Handling:
    • Private key remains in memory within the iframe and is never persisted to any database.
  3. Shamir Secret Sharing (SSS):
    • Splits the private key into three shares:
      • Device Share: Stored in iframe's local storage.
      • Auth Share: Encrypted by Openfort; fetched via SDK on login.
      • Recovery Share: Encrypted with user password or Shield service.
Non-custodial-key-generation

2. Global wallet

Documentation → Global wallet Setup

A wallet used across multiple applications within the same ecosystem. Functionally identical to the embedded non-custodial wallet, but scoped for interoperability.

  • Hosting Domain: Iframe served from the ecosystem's subdomain.
  • Use Cases: Shared user identity and assets across games, dApps, or partner applications.
Ecosystem signer

3. Backend Wallet

Documentation → Server-Side Wallets

Backend wallets managed by Openfort's Key Management Service (KMS) for automated and internal transactions.

Architecture & Workflow

  • Key Generation & Storage: Google Cloud KMS generates and stores private keys securely.
  • Usage: Automated game transactions, escrow, contract deployments, and gasless ERC-2771 compatible actions.
Custodial-key-generation

Open source Key Management & Recovery

This setup ensures that the full private key is reconstructed only in memory and never persists, requiring at least two of the three shares for reconstitution.

player-sign-flow
using-private-key
key-regeneration
  • Reconstruction: Any two shares restore the private key in memory only.
  • Off-chain Recovery: Combine Auth + Recovery or Device + Recovery.
wallet-recovery
  • On-chain Social Recovery: Use Guardians and smart-contract-based recovery for self-custody accounts.
Custodial-key-generation

Smart Contract Accounts

Programmable wallets at the smart contract layer; custodian status depends on the underlying wallet type (non-custodial, cross-app, or custodial).

Third-Party Reviews & Audits

  • Open-Source Libraries: Cryptographic libraries under GitHub.
  • Security Audits: Comprehensive audits for SSS, smart contracts, and paymasters (latest reports available upon request).

Reporting Vulnerabilities

If you discover a security issue, please contact our security team at security@openfort.io. We welcome responsible disclosure and reward impactful findings.