Security
How Flap Bundle handles private keys, authentication, and data protection.
Private Key Handling
Deployer Key
Your deployer private key is used to:
Fund bundle wallets (batch BNB distribution)
Sign the deploy transaction
Sign the BNB platform fee transaction
The key is transmitted to the backend for server-side signing but is never stored. It exists in memory only during the bundle execution and is discarded afterward.
Always use HTTPS in production to encrypt the key during transmission.
Bundle Wallet Keys
Bundle wallet private keys are:
Generated client-side in your browser
Sent to the backend for buy transaction signing
Encrypted with AES-256-GCM before storage in the database
Decrypted only when you (the authenticated owner) access them
The encryption key is set via the WALLET_ENCRYPTION_KEY environment variable and should be a strong random hex string.
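The storage scheme described above, sketched for Node.js as an added example; it is not Flap Bundle's own code. The function names, the "iv.tag.ciphertext" record layout, and the use of the owner's wallet address as additional authenticated data are assumptions made for illustration.

```javascript
// Added example: names and record layout are assumptions, not Flap Bundle's code.
const { randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

// Generate a 256-bit key as 64 hex characters from the OS CSPRNG.
function generateEncryptionKeyHex() {
  return randomBytes(32).toString("hex");
}

// Validate the value read from WALLET_ENCRYPTION_KEY before use.
// Buffer.from(x, "hex") silently truncates at the first invalid character,
// so a malformed value would otherwise yield a short, weak key.
function loadKey(hex) {
  if (typeof hex !== "string" || !/^[0-9a-fA-F]{64}$/.test(hex)) {
    throw new Error("WALLET_ENCRYPTION_KEY must be 64 hex characters (32 bytes)");
  }
  return Buffer.from(hex, "hex");
}

// Encrypt one wallet key. The owner address is bound as AAD (assumption), so
// a record copied onto another owner's row fails authentication on decrypt.
function encryptWalletKey(privateKeyHex, ownerAddress, key) {
  const iv = randomBytes(12); // fresh 96-bit nonce per record, never reused
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(ownerAddress.toLowerCase(), "utf8"));
  const ct = Buffer.concat([cipher.update(privateKeyHex, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return [iv, tag, ct].map((b) => b.toString("base64")).join(".");
}

// Decrypt a stored record for the authenticated owner.
function decryptWalletKey(record, ownerAddress, key) {
  const parts = record.split(".");
  if (parts.length !== 3) throw new Error("malformed record");
  const [iv, tag, ct] = parts.map((p) => Buffer.from(p, "base64"));
  if (iv.length !== 12 || tag.length !== 16) throw new Error("malformed record");
  const decipher = createDecipheriv("aes-256-gcm", key, iv, { authTagLength: 16 });
  decipher.setAAD(Buffer.from(ownerAddress.toLowerCase(), "utf8"));
  decipher.setAuthTag(tag);
  // final() throws if the key, the owner, or any ciphertext bit is wrong.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}
```

Because GCM authenticates as well as encrypts, a modified database row or a wrong key produces an error on decryption instead of a garbled private key.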
Authentication
Flap Bundle uses Sign-In with Ethereum (SIWE):
Your wallet signs a message containing a nonce and timestamp
The backend verifies the signature
A JWT token is issued and stored in your browser's localStorage
The JWT is used for subsequent authenticated requests
No passwords, no emails — only your wallet signature.
Data Ownership
Your launch data is tied to your wallet address
Only you (the authenticated wallet owner) can view your launches and decrypted wallet keys
Other users cannot access your launch history
Rate Limiting
All API endpoints are rate-limited to prevent abuse:
General endpoints: standard rate limits
Launch/bundle execution: stricter rate limits
Best Practices
Use HTTPS — especially when transmitting private keys
Back up wallet CSV — download and store securely after generating wallets
Use testnet first — test your configuration before mainnet
Strong encryption key — use the following to generate WALLET_ENCRYPTION_KEY:
Secure database — use a managed PostgreSQL instance with strong credentials
