Security & Trust at Openfort
At Openfort, safeguarding the data and digital resources of your users is our utmost concern. We understand the crucial role we play in supporting our customers' applications and deeply value the trust placed in us.
Our system's design and infrastructure have been rigorously evaluated through multiple security assessments, audits, and penetration tests. Recognizing security as an ever-evolving challenge, we continually subject our systems to these evaluations to identify and remedy emerging vulnerabilities.
The process of embedding, maintaining, and testing security measures within your application is a significant endeavor. We dedicate ourselves to implementing industry-leading practices to protect your users' data and digital assets.
Authentication methods
Openfort facilitates a variety of authentication techniques to confirm the identities of your users, including:
- Email and password authentication, with verification of the email address.
- Social account verification (Google, Apple, Twitter, Discord) through OAuth2.0.
- Ethereum wallet ownership verification using Sign In With Ethereum (SIWE).
- Custom authentication methods to match your specific needs (Farcaster, etc.).
Token Issuance & Session Management
After authentication, Openfort issues an app Access Token (JWT):
- Signed per application, so a token minted for one app is not accepted by another; 1-hour expiry, so a compromised or revoked token stops working within an hour.
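The following is an added example, not Openfort's code: the page does not state the signing algorithm, the claim set or how verification keys are distributed, so the per-application HMAC key, the HS256 algorithm, the `iss`/`sub`/`exp` claims and the app ids are all assumptions. It shows what a backend should check on every access token so that the two properties above actually hold: the token must carry a valid signature under this application's key, must name this application, and must not be past its expiry.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(app_key: bytes, app_id: str, user_id: str, now: int, ttl: int = 3600) -> str:
    """Mint an access token bound to one application, valid for `ttl` seconds (1 hour by default).
    HS256 with a per-application key is an assumption for illustration."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": app_id, "sub": user_id, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    tag = hmac.new(app_key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(tag)}"


def verify_token(app_key: bytes, app_id: str, token: str, now: int) -> dict:
    """Return the claims if the token is authentic, issued for `app_id` and unexpired;
    raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # allow-list the algorithm; never honour "none" or a swapped alg
        raise ValueError("unexpected alg")
    expected = hmac.new(app_key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != app_id:  # signed with our key but for another app id: reject
        raise ValueError("token belongs to a different application")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:  # the 1-hour lifetime is enforced here
        raise ValueError("token expired or missing exp")
    return claims


def is_valid(app_key: bytes, app_id: str, token: str, now: int) -> bool:
    """Boolean wrapper around verify_token for callers that only need accept/reject."""
    try:
        verify_token(app_key, app_id, token, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key_a = b"app-a-signing-key"  # constructed sample keys, one per application
    key_b = b"app-b-signing-key"
    now = int(time.time())
    tok = issue_token(key_a, "app-a", "user-42", now)
    print("fresh token accepted:", is_valid(key_a, "app-a", tok, now + 10))
    print("after one hour:", is_valid(key_a, "app-a", tok, now + 3600))
    print("under another app's key:", is_valid(key_b, "app-a", tok, now + 10))
```

The three rejection paths (expired, other application's key, other application's `iss`) are the ones that matter in practice; the algorithm allow-list and constant-time compare close the classic JWT pitfalls of `alg: none` and timing side channels on the signature check.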
Data Encryption & Backup
- Encryption at Rest: All databases encrypted using AES-256.
- Regular Backups: Full daily snapshots; transaction log backups every 5 minutes; 7-day retention.
Network & API Security
- TLS Everywhere: TLS 1.2+ with HTTPS enforcement for all traffic.
- API Secrets: Each application has a unique API secret for server-to-server communication.
- Rate Limiting & WAF: Protect against brute-force and automated attacks.
Wallet Configurations
Openfort offers three wallet types to meet diverse use cases:
- Embedded Wallet
- Global Wallet
- Backend Wallet
1. Embedded Wallet
An account is generated using OpenSigner or onchain passkeys, and supports multiple account recovery methods, such as passwords or passkeys.
2. Global Wallet
A wallet that can be used across multiple applications. It relies on the embedded wallet functionality above for key management.

3. Backend Wallet
Wallets whose keys are managed by Openfort's Key Management Service (KMS), used for automated and internal transactions.
Open source Key Management & Recovery
The embedded wallet's private key is split into three shares (Auth, Device and Recovery) using Shamir's Secret Sharing (SSS). The full private key is reconstructed only in memory and never persisted, and at least two of the three shares are required to reconstitute it.
- Reconstruction: Any two shares restore the private key in memory only.
- Off-chain Recovery: Combine Auth + Recovery or Device + Recovery.
- On-chain Social Recovery: Use Guardians and smart-contract-based recovery for self-custody accounts.
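As an added illustration of the 2-of-3 scheme described above (this is not Openfort's open-source implementation; the finite field, the share encoding, and the assignment of the Auth, Device and Recovery roles to share indices 1, 2 and 3 are assumptions), here is a minimal Shamir split and reconstruction over the secp256k1 group order, so that any valid EVM private key can be shared without truncation. It goes slightly beyond the page by accepting a general threshold and share count, which is the same construction with a higher-degree polynomial.

```python
from __future__ import annotations

import secrets

# secp256k1 group order N. Assumption: the key being shared is an EVM private key,
# i.e. a scalar in [1, N-1], so sharing over GF(N) covers every valid key exactly.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split_key(secret: int, threshold: int = 2, shares: int = 3) -> list[tuple[int, int]]:
    """Shamir split: pick a random polynomial f of degree threshold-1 with f(0) = secret
    and hand out the points (x, f(x)) for x = 1..shares. Any `threshold` points fix f(0)."""
    if not 1 <= secret < N:
        raise ValueError("secret must be a scalar in [1, N-1]")
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod N
            y = (y * x + c) % N
        points.append((x, y))
    return points


def reconstruct(points: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0. With fewer than `threshold` points this returns
    a value unrelated to the secret rather than failing loudly, so callers must count shares."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        secret = (secret + yi * num * pow(den, N - 2, N)) % N  # den^-1 by Fermat
    return secret


def split_embedded_wallet_key(secret: int) -> dict[str, tuple[int, int]]:
    """2-of-3 split using the share roles named on this page (index assignment is an assumption)."""
    auth, device, recovery = split_key(secret, threshold=2, shares=3)
    return {"auth": auth, "device": device, "recovery": recovery}


def recover(shares: dict[str, tuple[int, int]], *names: str) -> int:
    """Rebuild the key in memory from the named shares, e.g. recover(s, "auth", "recovery")."""
    return reconstruct([shares[n] for n in names])


if __name__ == "__main__":
    key = secrets.randbelow(N - 1) + 1  # constructed sample key
    s = split_embedded_wallet_key(key)
    assert recover(s, "auth", "device") == key     # normal sign-in: Auth + Device
    assert recover(s, "auth", "recovery") == key   # lost device: Auth + Recovery
    assert recover(s, "device", "recovery") == key # lost auth factor: Device + Recovery
    assert recover(s, "recovery") != key           # one share alone reveals nothing
    print("2-of-3 reconstruction OK")
```

The arithmetic here is not constant-time and the reconstructed integer lives in an ordinary Python object, so this shows the threshold property, not a production signer; a real implementation reconstructs into memory it can zero and never writes the result to storage.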

Smart Contract Accounts
Programmable wallets at the smart contract layer; the custody model follows the wallet type that controls the account (non-custodial, cross-app, or custodial).
Third-Party Reviews & Audits
- Open-Source Libraries: Our cryptographic libraries are published on GitHub.
- Security Audits: Comprehensive audits for SSS, smart contracts, and paymasters (latest reports available upon request).
Reporting Vulnerabilities
If you discover a security issue, please contact our security team at security@openfort.io. We welcome responsible disclosure and reward impactful findings.