Security is a shared responsibility. Follow these best practices when using the WalletSuite SDK.

Key Management

Never commit mnemonics or private keys to source control.
  • Use a KMS or HSM for server-side keys, so that signing happens inside the key store and the raw key is never exported into application memory
  • On mobile devices, use the platform's secure storage (iOS Keychain, Android Keystore)
  • Never embed keys in frontend applications; anything shipped to the browser can be read by every user

Logging & Monitoring

Never log private keys, mnemonics, or API keys.
  • Log only the minimal diagnostic information needed (request id, route, status code), never request or response bodies
  • Sanitize error outputs before persisting logs: error messages and stack traces from signing and wallet calls can carry the key material they were operating on
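The sanitizing step above, as an added example in Node.js (this is not WalletSuite's own code). It scrubs key-shaped material from error text before it reaches a log sink and only lets allowlisted fields into a log entry. The detection patterns are assumptions for illustration, not WalletSuite's formats: a 64-hex-character private key with optional 0x, a run of 12 to 24 lowercase 3-to-8-letter words (the shape of a BIP39 mnemonic), and a hypothetical "ws_"-prefixed API key.

```javascript
// Added example, not WalletSuite's own code: scrub key material from error text
// before it is logged. Patterns are hypothetical and deliberately broad; over-redacting
// a log line is cheaper than leaking a mnemonic.
const PATTERNS = [
  { name: 'private_key', re: /\b(?:0x)?[0-9a-fA-F]{64}\b/g },          // 32-byte hex key
  { name: 'mnemonic', re: /\b(?:[a-z]{3,8}\s+){11,23}[a-z]{3,8}\b/g }, // 12-24 BIP39-shaped words
  { name: 'api_key', re: /\bws_[A-Za-z0-9]{16,}\b/g },                 // hypothetical key format
];

// Replace every match with a labelled placeholder: the log still says what kind of
// secret was present, which is useful for alerting on leaks, without the value.
function redact(text) {
  return PATTERNS.reduce((t, p) => t.replace(p.re, `[REDACTED:${p.name}]`), String(text));
}

// Turn an Error into a plain object that is safe to persist. Message and stack are
// redacted; no other properties are copied, since SDK errors may carry request payloads.
function sanitizeError(err) {
  return {
    name: err && err.name ? err.name : 'Error',
    message: redact(err && err.message ? err.message : ''),
    stack: redact(err && err.stack ? err.stack : ''),
  };
}

// Allowlist-based structured log entry: only named, known-safe fields are emitted,
// so a caller that accidentally passes { mnemonic } or { privateKey } leaks nothing.
function safeLogEntry(level, event, fields = {}) {
  const SAFE_FIELDS = ['requestId', 'userId', 'route', 'status', 'durationMs'];
  const entry = { ts: new Date().toISOString(), level, event };
  for (const k of SAFE_FIELDS) if (k in fields) entry[k] = fields[k];
  if (fields.error) entry.error = sanitizeError(fields.error);
  return entry;
}
```

The word-run heuristic will also redact any ordinary sentence of twelve or more short lowercase words, which is acceptable for error text. The allowlist in safeLogEntry is the stronger control: pattern matching catches secrets that slipped into free text, but never letting unknown fields into the entry is what keeps new secret types out.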

Frontend vs. Backend Access

  • Prefer executing sensitive operations from backend services
  • If browser access is required, use a backend proxy and/or request CORS allowlisting
  • Treat frontend applications as request initiators only; they should never hold keys or sign on their own
  • Enforce server-side authentication for all API requests

API Key Protection

Keep your WalletSuite API key on the backend only. Call WalletSuite from server-side services and expose only minimal, controlled endpoints to the frontend.
If browser access is required:
  • Any secret shipped in a browser bundle is public: it can be read from the page source, the dev tools or the network tab, and then replayed from outside any browser
  • Prefer a backend proxy (browser → backend → WalletSuite)
  • Apply authentication, rate limiting, and logging on the proxy
  • CORS allowlisting can be enabled if direct calls are unavoidable, but it only restricts which origins a browser will let call the API; it does not protect a key that has already been extracted

Storage Recommendations

  • Backend: use a secrets manager (AWS / GCP / Azure) or CI/CD secrets
  • Mobile: use platform-secure storage (iOS Keychain, ideally with Secure Enclave-backed keys; Android Keystore)
  • Browser: avoid; if unavoidable, minimize scope and actively monitor usage