
Security

Treat wallet signatures and API keys as secrets. Do not log them, expose them to clients, or store them in analytics.

Authentication model (public surface)

| Operation | Authentication |
| --- | --- |
| Verification submission (POST /api/v1/verification) | Signature over NEUS Standard Signing String |
| Status by proof receipt ID (GET /api/v1/verification/status/{qHash}) | Public (no auth required) |
| Owner-only reads of private proofs | Additional owner signature |
The SDK uses these headers for owner-only operations:
  • x-wallet-address
  • x-signature
  • x-signed-timestamp

Do not

  • Do not treat proof signatures as bearer tokens (they are request-bound)
  • Do not embed API keys in browser apps — keep API keys server-side only
  • Do not log or persist:
    • proof signatures
    • API keys
    • third-party auth credentials or provider tokens
```javascript
{
  privacyLevel: 'private',
  publicDisplay: false,
  storeOriginalContent: false
}
```
These are separate controls:
| Control | Purpose |
| --- | --- |
| privacyLevel | Controls access |
| publicDisplay | Controls public discovery |
| storeOriginalContent | Controls whether original content is stored |
Private proofs can still store original content when you need owner-only access.