Security

Secure by architecture, not by trust.

Cards402 is a small team running financial infrastructure. Everything below is a design choice, not a marketing bullet — we picked these specifically so a single compromise of any one component never exposes customer funds or credentials.

Custody

Non-custodial by architecture.

Agents pay the Soroban receiver contract directly. Cards402 never holds funds — we observe on-chain events and broker fulfilment. If Cards402 disappeared tomorrow, nothing is trapped in our custody, because nothing is in our custody.

Keys

Hashed at rest. Scoped at the edge.

API keys are bcrypt-hashed with a per-key salt before they touch the database. We can verify a presented key against its hash; we cannot recover the plaintext. A short key prefix is stored alongside the hash as a lookup index, so authentication is one O(1) prefix lookup followed by a single bcrypt check rather than a bcrypt comparison against every stored key, and its cost does not grow with the number of keys. Keys are scoped to USDC spend limits and can be revoked in one click from the dashboard.

Onboarding

Claim codes instead of raw keys.

The Cards402 dashboard mints single-use claim codes so operators never paste API keys into LLM context. The agent redeems the code for a key on its own machine, over TLS, and the code is invalidated on first use. No long-lived credential lives in the transcript: the code may appear there, but it is void after its single redemption, and the key it produced never appears at all.
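
The claim-code flow above and the hashed, prefix-indexed key storage described under Keys, worked through together as an added example. This is not Cards402's code. It assumes things the page does not state: a key layout of "c402_<12-char prefix>_<secret>", a 10-minute claim-code TTL, and hashlib.scrypt standing in for bcrypt so the example runs on the standard library alone. Real bcrypt silently truncates input at 72 bytes, so the secret part of a key must stay shorter than that.

```python
"""Claim-code redemption and hashed API-key storage, in one pass.

Added example, not Cards402's code. Assumptions the page does not state:
key layout "c402_<12-char prefix>_<secret>", a 10-minute claim-code TTL,
and hashlib.scrypt standing in for bcrypt so this runs on the stdlib alone.
"""
import hashlib
import hmac
import os
import secrets
import time

KEY_PREFIX_LEN = 12        # page: "12-char lookup index"
CLAIM_TTL_SECONDS = 600    # assumption: the page gives no TTL


def slow_hash(secret: str, salt: bytes) -> bytes:
    # Stand-in for bcrypt: memory-hard scrypt with a per-key random salt.
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1)


class KeyStore:
    """What the database holds: prefix -> salt, hash, spend limit. Never plaintext."""

    def __init__(self):
        self.rows = {}

    def mint(self, usdc_limit: float) -> str:
        prefix = secrets.token_hex(KEY_PREFIX_LEN // 2)   # 12 hex chars
        secret = secrets.token_urlsafe(32)                 # 43 chars, well under 72 bytes
        salt = os.urandom(16)
        self.rows[prefix] = {"salt": salt, "hash": slow_hash(secret, salt),
                             "limit": usdc_limit, "revoked": False}
        return f"c402_{prefix}_{secret}"

    def verify(self, presented: str):
        """O(1) prefix lookup, then exactly one slow-hash comparison."""
        parts = presented.split("_", 2)
        if len(parts) != 3 or parts[0] != "c402":
            return None
        _, prefix, secret = parts
        row = self.rows.get(prefix)
        if row is None or row["revoked"]:
            return None      # unknown or revoked prefix: no hash work spent
        if not hmac.compare_digest(slow_hash(secret, row["salt"]), row["hash"]):
            return None
        return row["limit"]

    def revoke(self, prefix: str) -> None:
        self.rows[prefix]["revoked"] = True   # by prefix: the dashboard never needs the secret


class ClaimCodes:
    """Single-use codes the dashboard mints; the agent trades one for a key."""

    def __init__(self, keys: KeyStore, now=time.time):
        self.keys, self.now = keys, now
        self.pending = {}   # sha256(code) -> (usdc_limit, expires_at)

    def mint(self, usdc_limit: float) -> str:
        code = secrets.token_urlsafe(24)
        # Plain SHA-256 suffices: the code is 192 random bits, so a slow hash
        # buys nothing against offline guessing, and a DB leak exposes no codes.
        digest = hashlib.sha256(code.encode()).hexdigest()
        self.pending[digest] = (usdc_limit, self.now() + CLAIM_TTL_SECONDS)
        return code

    def redeem(self, code: str):
        digest = hashlib.sha256(code.encode()).hexdigest()
        entry = self.pending.pop(digest, None)   # pop() is the single-use invalidation
        if entry is None:
            return None                          # unknown, or already redeemed
        usdc_limit, expires_at = entry
        if self.now() > expires_at:
            return None
        return self.keys.mint(usdc_limit)


def demo() -> dict:
    keys = KeyStore()
    claims = ClaimCodes(keys)
    code = claims.mint(usdc_limit=25.0)
    api_key = claims.redeem(code)
    secret_part = api_key.split("_", 2)[2]
    flipped = api_key[:-1] + ("x" if api_key[-1] != "x" else "y")
    out = {
        "redeemed": api_key is not None,
        "second_redeem": claims.redeem(code),
        "valid_key_limit": keys.verify(api_key),
        "tampered_key": keys.verify(flipped),
        "plaintext_in_db": secret_part in repr(keys.rows),
    }
    keys.revoke(api_key.split("_", 2)[1])
    out["after_revoke"] = keys.verify(api_key)
    return out


def expired_code_rejected():
    clock = [1_000.0]
    claims = ClaimCodes(KeyStore(), now=lambda: clock[0])
    code = claims.mint(5.0)
    clock[0] += CLAIM_TTL_SECONDS + 1
    return claims.redeem(code)   # None: a stale code mints nothing


if __name__ == "__main__":
    print(demo(), expired_code_rejected())
```

Note the deliberate asymmetry: an unknown prefix is rejected without any hash work, which leaks whether a prefix exists. That is acceptable because the prefix is the lookup index, not the secret; if you want to hide it anyway, run a dummy slow hash on the miss path.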

Webhooks

HMAC signed, replay protected.

Outgoing webhooks carry X-Cards402-Signature (HMAC-SHA256 over timestamp + body) and X-Cards402-Timestamp. Consumers should verify the signature over the raw request bytes, before parsing the body, using a constant-time comparison; the documented client reference additionally rejects anything older than five minutes. Webhook secrets rotate automatically on key revocation.
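
A receiver-side verifier for the scheme above, as an added example rather than the documented client reference. The page does not state how timestamp and body are joined or how the digest is encoded, so this assumes the signed string is "<timestamp>.<body>" with a hex digest, plus a one-minute tolerance for a sender clock that runs ahead; check the real docs before relying on either. The five-minute window only bounds replays, so within it the verifier also dedupes exact deliveries.

```python
"""Verify a Cards402-style webhook: HMAC-SHA256 over timestamp + body.

Added example, not the documented client reference. Assumptions: signed
string "<timestamp>.<body>", hex-encoded digest, 60 s future skew allowed.
"""
import hashlib
import hmac
import time

MAX_AGE_SECONDS = 300    # page: reject anything older than five minutes
MAX_SKEW_SECONDS = 60    # assumption: sender clock slightly ahead is tolerated


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    # Sender side. Separator and encoding are assumptions (see above).
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()


class WebhookVerifier:
    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret
        self.now = now
        self.seen = set()    # (timestamp, signature) of deliveries already accepted

    def verify(self, headers: dict, body: bytes):
        """Return (accepted, reason). `body` must be the raw bytes received,
        not re-serialised JSON, or the digest will never match."""
        ts = headers.get("X-Cards402-Timestamp")
        sig = headers.get("X-Cards402-Signature")
        if ts is None or sig is None:
            return False, "missing headers"
        try:
            age = self.now() - int(ts)
        except ValueError:
            return False, "bad timestamp"
        if age > MAX_AGE_SECONDS:
            return False, "stale"
        if age < -MAX_SKEW_SECONDS:
            return False, "from the future"
        expected = sign(self.secret, ts, body)
        # Constant-time comparison: a plain == leaks how many leading bytes matched.
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return False, "bad signature"
        key = (ts, sig)
        if key in self.seen:           # same delivery again inside the window
            return False, "replay"
        self.seen.add(key)
        return True, "ok"


def demo() -> dict:
    secret = b"whsec_constructed_example"                 # constructed
    clock = [1_700_000_000]
    v = WebhookVerifier(secret, now=lambda: clock[0])
    body = b'{"event":"order.fulfilled","order_id":"ord_123","usdc":"4.20"}'  # constructed
    ts = str(clock[0] - 10)
    headers = {"X-Cards402-Timestamp": ts, "X-Cards402-Signature": sign(secret, ts, body)}
    out = {"fresh": v.verify(headers, body),
           "replay": v.verify(headers, body),
           "tampered": v.verify(headers, body.replace(b"4.20", b"400.00"))}
    old_ts = str(clock[0] - 301)
    old_headers = {"X-Cards402-Timestamp": old_ts,
                   "X-Cards402-Signature": sign(secret, old_ts, body)}
    out["stale"] = v.verify(old_headers, body)
    return out


if __name__ == "__main__":
    print(demo())
```

Because the secret rotates on key revocation, keep the previous secret accepted for a short overlap and try both; otherwise deliveries in flight at rotation time fail closed and must be redelivered.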

Circuit breaker

Fail-closed on the upstream.

The fulfilment pipeline has a three-strike circuit breaker. After three consecutive upstream failures we freeze new orders and return 503 until an operator manually unfreezes; there is no automatic half-open retry. This stops a cascading failure from charging agent wallets for orders that a broken upstream cannot fulfil.
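
The breaker above in code, as an added example that is not the Cards402 pipeline. It assumes an HTTP-style handler that returns a status code, an exception type standing in for whatever the real upstream client raises, and an operator_unfreeze() hook standing in for the dashboard action.

```python
"""Fail-closed, three-strike circuit breaker around an upstream call.

Added example, not the Cards402 pipeline. Assumptions: handler returns
(status, body); UpstreamError and operator_unfreeze() are stand-ins.
"""
import threading

FAILURE_THRESHOLD = 3   # page: three consecutive upstream failures


class UpstreamError(Exception):
    pass


class FailClosedBreaker:
    """Trips after N consecutive failures and stays tripped until reset by hand.

    Unlike a textbook breaker there is no half-open state and no cooldown
    timer: automatic probing would let a flapping upstream accept, and
    charge for, a few orders on every retry. Wrap order acceptance, not only
    the fulfilment call, so a 503 goes out before any agent pays.
    """

    def __init__(self, threshold=FAILURE_THRESHOLD):
        self.threshold = threshold
        self.consecutive_failures = 0
        self.frozen = False
        self._lock = threading.Lock()

    def call(self, fn, *args):
        with self._lock:
            if self.frozen:
                return 503, "fulfilment frozen; operator action required"
        try:
            result = fn(*args)
        except UpstreamError as e:
            with self._lock:
                self.consecutive_failures += 1
                if self.consecutive_failures >= self.threshold:
                    self.frozen = True
            return 502, f"upstream failed: {e}"
        with self._lock:
            self.consecutive_failures = 0   # only an unbroken streak trips it
        return 200, result

    def operator_unfreeze(self):
        with self._lock:
            self.frozen = False
            self.consecutive_failures = 0


def demo() -> dict:
    breaker = FailClosedBreaker()
    # Constructed upstream script: True = fulfilled, False = upstream error.
    script = iter([True, False, False, True, False, False, False])

    def upstream(order_id):
        if next(script):
            return f"fulfilled {order_id}"
        raise UpstreamError("gateway timeout")

    # Nine orders: the last two never reach the upstream at all.
    statuses = [breaker.call(upstream, f"ord_{i}")[0] for i in range(9)]
    frozen_after = breaker.frozen
    breaker.operator_unfreeze()
    after_unfreeze = breaker.call(lambda oid: f"fulfilled {oid}", "ord_9")[0]
    return {"statuses": statuses, "frozen_after": frozen_after,
            "after_unfreeze": after_unfreeze}


if __name__ == "__main__":
    print(demo())
```

The two isolated failures followed by a success do not trip the breaker; only the third failure in a row does, after which every request is refused with 503 without touching the upstream.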

Infrastructure

Audited access at every level.

SSH keys are hardware-backed. The database is SQLite in WAL journal mode for crash-consistent durability, and snapshot backups are taken on a scheduled cadence. Every root-shell session is recorded and reviewed.
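
The WAL and snapshot setup above, as an added example that is not Cards402's ops tooling. It assumes a throwaway orders table (constructed) and uses Python's sqlite3 online backup API to stand in for whatever scheduler takes the real snapshots. The point it makes that the paragraph does not: in WAL mode, recently committed rows live in the -wal file, so a naive file copy of the main database misses them, while the backup API captures a consistent snapshot.

```python
"""SQLite in WAL mode with an online snapshot backup.

Added example, not Cards402's tooling. Assumes a constructed `orders`
table and the sqlite3 backup API in place of the real snapshot scheduler.
"""
import os
import shutil
import sqlite3
import tempfile


def open_wal(path: str) -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    mode = conn.execute("PRAGMA journal_mode=WAL").fetchone()[0]
    if mode != "wal":
        raise RuntimeError(f"WAL not available here, got journal_mode={mode}")
    # FULL fsyncs the WAL on every commit. NORMAL is faster and still
    # crash-consistent, but the last commits can vanish on power loss.
    conn.execute("PRAGMA synchronous=FULL")
    return conn


def snapshot(conn: sqlite3.Connection, dest: str) -> None:
    """Consistent copy of the live database, including pages still in the WAL."""
    dst = sqlite3.connect(dest)
    try:
        conn.backup(dst)
    finally:
        dst.close()


def count_rows(path: str) -> int:
    c = sqlite3.connect(path)
    try:
        return c.execute("SELECT count(*) FROM orders").fetchone()[0]
    except sqlite3.OperationalError:
        return 0     # e.g. "no such table": the schema never reached the main file
    finally:
        c.close()


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        live = os.path.join(d, "cards402.db")
        conn = open_wal(live)
        with conn:
            conn.execute("CREATE TABLE orders (id TEXT PRIMARY KEY, usdc REAL)")
            conn.executemany("INSERT INTO orders VALUES (?, ?)",
                             [("ord_1", 4.2), ("ord_2", 10.0), ("ord_3", 0.5)])  # constructed
        naive = os.path.join(d, "naive-copy.db")
        shutil.copyfile(live, naive)     # copies the main file only, not cards402.db-wal
        good = os.path.join(d, "snapshot.db")
        snapshot(conn, good)
        out = {
            "live_rows": conn.execute("SELECT count(*) FROM orders").fetchone()[0],
            "naive_copy_rows": count_rows(naive),
            "snapshot_rows": count_rows(good),
            "wal_present": os.path.exists(live + "-wal"),
        }
        conn.close()
    return out


if __name__ == "__main__":
    print(demo())
```

Any scheduled backup of a WAL-mode SQLite file should therefore go through the backup API or VACUUM INTO, never a plain cp of the .db file, and should be restored and counted periodically to prove the snapshot is whole.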

Posture

The technical specifics.

TLS
TLS 1.3 minimum · HSTS enabled · redirect from HTTP
Transport
Strict same-site cookies · HttpOnly session · no credentialed CORS
Keys at rest
bcrypt · per-key salt · 12-char lookup index
Database
SQLite · WAL mode · scheduled snapshot backup
Agent keys
OWS encrypted vault file · 0600 · optional passphrase
Treasury signer
Env-loaded secret · out-of-band rotation · audited spend
Disclosure

Found something? Tell us. We'll pay.

Cards402 operates a responsible-disclosure programme. If you find a vulnerability, email security@cards402.com with reproduction steps. We acknowledge within 24 hours, triage within 72, and publish a postmortem to /changelog once the fix is live.

Critical
Up to $5,000
High
$1,000
Medium
$250
Low
Hall of fame

Out of scope: social engineering, volumetric DoS, physical attacks, anything requiring root access to our treasury wallet. Public disclosure is embargoed until a fix ships.