Trust Boundaries
- Verification logic lives on the server, not in the client.
- Billing and payer attribution are server-derived, not client-controlled.
- Public status and gate checks should expose the minimum data needed for the product action.
- Private proof reads require owner-authenticated access or explicit sharing semantics.
Privacy Defaults
Use private proofs by default unless you explicitly want public discovery and reuse.| Setting | Effect |
|---|---|
privacyLevel: 'private' | Owner-scoped visibility |
publicDisplay: false | Prevent public proof pages from being used as a discovery surface |
storeOriginalContent: false | Minimize retained content when the product does not need it |
What Should Never Be Exposed Publicly
- Raw signatures
- Internal payer details
- Owner-only proof payloads
- Private proof enumeration