Hardware security modules (HSM) for master key storage
No admin backdoor — keys are inaccessible even to RelAI operators
How wallets are created
When a user authenticates for the first time, wallets are generated and secured automatically — no user action required.
01 User authenticates (email, social login, or passkey)
02 Wallet is generated securely on the server (Solana + EVM)
03 Private key is encrypted immediately with a unique data key (AES-256-GCM)
04 Data key is wrapped by a master key stored in a hardware-backed vault
05 Encrypted key is stored in the database — raw private key is zeroed from memory
Key insight: Even with full database access, an attacker cannot decrypt wallet keys — the master key never leaves the hardware vault.
How encryption works
RelAI uses envelope encryption — the same pattern used by AWS, Google Cloud, and Azure for protecting sensitive data.
Each wallet is encrypted with a unique data key (DEK)
Data keys are encrypted using a master key (KEK)
Master keys are stored in secure hardware-backed vaults — never exported
This layered approach ensures that even if one layer is compromised, funds remain protected. Compromising one wallet's data key does not affect any other wallet.
Key management
We use secure key vault infrastructure (Azure Key Vault) to store encryption keys.
HSM-backed storage — Keys are stored in FIPS 140-2 Level 2 validated hardware security modules — the same standard used by banks and cloud providers.
Identity-based access — No API credentials stored for vault access. Azure Managed Identity provides authentication automatically — there is no secret that can be stolen.
Full audit trail — Every key access is logged in Azure Monitor. Any unauthorized access attempt is detectable.
Key rotation — Master keys can be rotated without re-encrypting existing wallets.
Wallet roles
User wallets
Used to fund and control agent spending. Created automatically on first login. Each user has isolated Solana and EVM wallets — no cross-user access is possible.
— Scoped to authenticated user only
— Exportable via dashboard (requires 2FA)
— Multiple auth methods can be linked
Agent proxy wallets
Used for executing payments on behalf of agents — without exposing private keys. Created for Metered API Access. Use the same envelope encryption as user wallets.
— Keys decrypted only during signing, then discarded
— Configurable per-transaction spending limits
— Export requires 2FA verification
Access protection
Sensitive operations require additional verification — preventing unauthorized fund access even if credentials are compromised.
Email 2FA
One-time 6-digit code sent to registered email. Valid 10 minutes, max 5 attempts. Used for private key export and critical account operations.
Passkey 2FA (WebAuthn)
Hardware-backed FIDO2/WebAuthn. Resistant to phishing, replay attacks, credential theft. Supported on Touch ID, Face ID, Windows Hello, YubiKey.
| Operation | Auth required | 2FA required |
| --- | --- | --- |
| View wallet balance | Session / API Key | No |
| Sign x402 payment | Session / API Key | No |
| Withdraw USDC | Session | No |
| Export private key | Session | Yes (email or passkey) |
| Delete wallet / account | Session | Yes (email or passkey) |
You stay in control
Export your private keys anytime — Solana keys in JSON format (Phantom/Solflare), EVM keys in hex (MetaMask). Requires 2FA.
Recover access via any linked method — Google, GitHub, email, passkey — any linked provider can restore access. No single point of failure.
No lock-in — You own your keys. Export them and use any wallet — there is no dependency on RelAI remaining operational.
No admin backdoor — RelAI operators cannot access user private keys. Keys are encrypted through the Key Vault infrastructure — inaccessible without the user's authenticated session.
Encryption standards
| Layer | Key / Algorithm | Storage | Purpose |
| --- | --- | --- | --- |
| L1 | KEK (RSA-2048) | Azure Key Vault (HSM) | Wraps / unwraps data keys |
| L2 | DEK (AES-256) | Stored wrapped (encrypted by KEK) | Encrypts wallet private keys |
| L3 | Wallet Private Key | Stored encrypted (AES-256-GCM) | Signs blockchain transactions |
TLS — All client–server communication is encrypted. Private keys never travel over the network in plaintext.
AES-256-GCM — Authenticated encryption with integrity verification (auth tag). Used for wallet private keys at rest.
RSA-OAEP-256 — Data keys are wrapped using RSA-OAEP with SHA-256 via Azure Key Vault.
Per-wallet randomness — Each wallet has its own random IV and unique data key — one compromise does not affect others.
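The envelope scheme from the wallet-creation steps and the table above, written out as an added example (not RelAI's code). Assumptions: a locally generated RSA-2048 key pair stands in for the HSM-held KEK, all function names are hypothetical, and rewrapDek shows one way a KEK can be rotated while the wallet ciphertext stays untouched.

```javascript
const crypto = require('node:crypto');

// RSA-OAEP with SHA-256, matching the "RSA-OAEP-256" wrapping step on this page.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Hypothetical stand-in for the vault's KEK. In the design described above the
// private half stays inside the HSM and unwrapping is a remote vault operation.
function makeLocalKek() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Steps 03-05: encrypt under a fresh DEK, wrap the DEK, zero plaintext buffers.
function sealWalletKey(kekPublic, walletPrivateKey) {
  const dek = crypto.randomBytes(32); // per-wallet AES-256 data key
  const iv = crypto.randomBytes(12);  // per-wallet random 96-bit GCM IV
  const cipher = crypto.createCipheriv('aes-256-gcm', dek, iv);
  const ciphertext = Buffer.concat([cipher.update(walletPrivateKey), cipher.final()]);
  const tag = cipher.getAuthTag();
  const wrappedDek = crypto.publicEncrypt({ key: kekPublic, ...OAEP }, dek);
  dek.fill(0);
  walletPrivateKey.fill(0); // overwrites the caller's buffer in place
  return { wrappedDek, iv, ciphertext, tag }; // the only fields persisted
}

// Unwrap the DEK, decrypt, and verify the auth tag; final() throws on tampering.
function openWalletKey(kekPrivate, record) {
  const dek = crypto.privateDecrypt({ key: kekPrivate, ...OAEP }, record.wrappedDek);
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', dek, record.iv);
    decipher.setAuthTag(record.tag);
    return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
  } finally {
    dek.fill(0);
  }
}

// KEK rotation: only the small wrapped DEK changes; the wallet ciphertext,
// IV and auth tag are carried over untouched.
function rewrapDek(oldKekPrivate, newKekPublic, record) {
  const dek = crypto.privateDecrypt({ key: oldKekPrivate, ...OAEP }, record.wrappedDek);
  const wrappedDek = crypto.publicEncrypt({ key: newKekPublic, ...OAEP }, dek);
  dek.fill(0);
  return { ...record, wrappedDek };
}
```

Buffer.fill(0) clears only the buffers this code holds; copies made elsewhere by the runtime or by callers are outside its reach.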
GDPR & CCPA
RelAI complies with GDPR and CCPA frameworks. User data is deleted upon request within required timeframes (30 days for GDPR, 45 days for CCPA). Wallet private keys are permanently destroyed when a user deletes their account.