Security
Private Key Handling
The SDK never touches private keys. All transaction signing happens inside the user's wallet (MetaMask, Phantom, WalletConnect-compatible wallets, etc.) through the IWalletAdapter interface. The SDK constructs transaction parameters and passes them to the wallet for signing — it never has access to signing keys.
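The boundary described above, as an added example that is not the SDK's own code: a wallet adapter that only ever hands unsigned transaction parameters to the wallet. The IWalletAdapter method names used here (connect, getAddress, sendTransaction) are assumptions, since the interface is not reproduced on this page; the provider follows the EIP-1193 `request({ method, params })` shape that MetaMask exposes as `window.ethereum`, and the wallet itself is replaced by a constructed mock so the code runs offline.

```javascript
// Added example, not the SDK's own code. The IWalletAdapter method names
// (connect, getAddress, sendTransaction) are assumptions; the provider uses
// the EIP-1193 request({ method, params }) shape of window.ethereum.

// Only account discovery and transaction submission are forwarded. A request
// for a raw signature over arbitrary bytes (eth_sign) is refused here, so a
// bug elsewhere in the integration cannot become a blind-signing prompt.
const FORWARDED_METHODS = new Set(["eth_requestAccounts", "eth_sendTransaction"]);

class BrowserWalletAdapter {
  constructor(provider) {
    this.provider = provider; // the signing key lives inside the wallet, not here
    this.address = null;
  }

  async forward(method, params = []) {
    if (!FORWARDED_METHODS.has(method)) {
      throw new Error(`refusing to forward ${method} to the wallet`);
    }
    return this.provider.request({ method, params });
  }

  async connect() {
    const accounts = await this.forward("eth_requestAccounts");
    this.address = accounts[0].toLowerCase();
    return this.address;
  }

  getAddress() {
    return this.address;
  }

  // The SDK supplies unsigned transaction parameters only. Before passing them
  // on, check they are attributed to the connected account; the wallet then
  // shows its own confirmation prompt and signs with a key this code never sees.
  async sendTransaction(tx) {
    if (!this.address) throw new Error("wallet not connected");
    if (typeof tx.from !== "string" || tx.from.toLowerCase() !== this.address) {
      throw new Error("transaction 'from' does not match the connected account");
    }
    return this.forward("eth_sendTransaction", [tx]);
  }
}

// Constructed stand-in for a browser wallet so the example runs offline. It
// records every request it receives; a real wallet would prompt and sign here.
function makeMockProvider(account) {
  const seen = [];
  return {
    seen,
    async request({ method, params }) {
      seen.push({ method, params });
      if (method === "eth_requestAccounts") return [account];
      if (method === "eth_sendTransaction") return "0x" + "ab".repeat(32); // constructed hash
      throw new Error(`mock wallet: unsupported method ${method}`);
    },
  };
}

// Runs the adapter against the mock and reports what crossed the boundary.
async function demo() {
  const account = "0x1111111111111111111111111111111111111111"; // constructed
  const provider = makeMockProvider(account);
  const adapter = new BrowserWalletAdapter(provider);
  await adapter.connect();

  const tx = { from: account, to: "0x2222222222222222222222222222222222222222", value: "0x0", data: "0x" };
  const hash = await adapter.sendTransaction(tx);

  let wrongFromRejected = false;
  try {
    await adapter.sendTransaction({ ...tx, from: "0x3333333333333333333333333333333333333333" });
  } catch {
    wrongFromRejected = true;
  }

  let rawSignRefused = false;
  try {
    await adapter.forward("eth_sign", [account, "0xdeadbeef"]);
  } catch {
    rawSignRefused = true;
  }

  return {
    hash,
    wrongFromRejected,
    rawSignRefused,
    methodsSeenByWallet: provider.seen.map((r) => r.method),
  };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

The point of the allowlist is that the adapter is the only place the integration can ask the wallet for anything, so the set of wallet prompts a user can ever see is enumerable from one file.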
Data Sent to the API
The SDK only sends publicly available information to the configured API endpoint:
| Data | Purpose |
|---|---|
| Wallet address | Query balances, submit deposits, track orders |
| Token identifiers | Request quotes for specific token pairs |
| Amounts | Calculate swap routes and fees |
| Recipient address (optional) | Route cross-chain delivery to a specific destination |
| Transaction hash | Submit signed transactions for order tracking |
No private or sensitive data is transmitted. No IP-based user identification, no session tokens, no cookies.
Communication Security
- All requests are sent over HTTPS to the configured apiEndpoint
- Streaming quotes use EventSource (SSE) for real-time updates; order tracking uses HTTP polling. No WebSocket connections are made
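The two sections above (the table of data sent to the API and the transport rules) expressed as client-side checks, as an added example that is not the SDK's own code: refuse a non-HTTPS apiEndpoint before any request is made, and send only the public fields the table lists. The field names (walletAddress, fromToken, toToken, amount, recipient, txHash) and the `/quotes/stream` and `/orders` paths are assumptions; the SDK's real request schema is not on this page.

```javascript
// Added example, not the SDK's own code. Field names and paths are assumptions.

function validateApiEndpoint(apiEndpoint) {
  let url;
  try {
    url = new URL(apiEndpoint);
  } catch {
    throw new Error("apiEndpoint is not a valid URL");
  }
  if (url.protocol !== "https:") {
    throw new Error(`apiEndpoint must use https://, got ${url.protocol}//`);
  }
  if (url.username || url.password) {
    throw new Error("apiEndpoint must not embed credentials");
  }
  return url;
}

// Allowlists per request type, mirroring the "Data Sent to the API" table.
const QUOTE_FIELDS = ["walletAddress", "fromToken", "toToken", "amount", "recipient"];
const TRACK_FIELDS = ["walletAddress", "txHash"];

// Copies only allowlisted, string-valued fields. Anything else the caller
// attached (session ids, UI state, debug info) is dropped rather than sent.
function pickPublicFields(input, allowed) {
  const out = {};
  for (const key of allowed) {
    const value = input[key];
    if (value === undefined) continue; // e.g. recipient is optional
    if (typeof value !== "string" || value === "") {
      throw new Error(`field ${key} must be a non-empty string`);
    }
    out[key] = value;
  }
  return out;
}

// EventSource can only issue GET requests, so quote parameters travel in the
// query string of the stream URL. Build it from the validated base.
function quoteStreamUrl(apiEndpoint, params) {
  const url = validateApiEndpoint(apiEndpoint);
  url.pathname = url.pathname.replace(/\/$/, "") + "/quotes/stream";
  for (const [key, value] of Object.entries(pickPublicFields(params, QUOTE_FIELDS))) {
    url.searchParams.set(key, value);
  }
  return url.toString();
}

// Order tracking is plain HTTP polling: same validated base, JSON body that
// carries only the wallet address and the transaction hash.
function trackOrderRequest(apiEndpoint, params) {
  const url = validateApiEndpoint(apiEndpoint);
  url.pathname = url.pathname.replace(/\/$/, "") + "/orders";
  return {
    url: url.toString(),
    method: "POST",
    body: JSON.stringify(pickPublicFields(params, TRACK_FIELDS)),
  };
}
```

Because the allowlist is applied at the point where the request is assembled, a reviewer can confirm the "only public data leaves the browser" claim by reading two short arrays rather than auditing every call site.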
Cross-Chain Settlement
Swaps are settled through an intent settlement protocol. The protocol:
- Uses on-chain smart contracts for trustless settlement
- Supports multiple bridge providers
- Does not require trust in any single intermediary
No Telemetry
The SDK has zero telemetry:
- No analytics tracking
- No cookies
- localStorage may be used for token metadata caching
- No sessionStorage usage
- No third-party scripts loaded
- No beacon/pixel requests
- No fingerprinting
The widget's network requests are to the configured API endpoint (swap operations), chain icon URLs, and token logo URLs returned by the API (logoURI).
Dependency Security
The SDK has a minimal dependency footprint:
- Solid.js — UI rendering
- solid-element — Web Component registration
- TanStack Solid Query — API request caching and deduplication
- ky — HTTP client
- valibot — Schema validation
- lucide-solid — Icon components
All dependencies are regularly updated and audited.
Content Security Policy
The SDK supports CSP-restricted environments via the csp-nonce attribute. See CSP Guide for configuration details.
Reporting Vulnerabilities
If you discover a security vulnerability, please report it responsibly. Do not open a public issue — contact the team directly via the channels listed on the npm package page or documentation site.