Home · Library · Checklist

Wallet integration safety checklist

Foundational · 6 min read

Guardrails for wallet integrations with no custody, no keys, and strict prompt hygiene.

Educational only. Not legal advice. No custody, trading, or securities products.

No-key policy

Never ask users for seed phrases, private keys, or keystore files. Never store signing material on your servers. If a flow needs a signature, use a standard wallet connect pattern where the user signs in their own wallet.

Prefer read-only public identifiers when a wallet is only used as an account handle.

Permission scopes

Request the minimum capability: message sign for login, not unlimited spend. Document exactly what the dApp can and cannot do. Timeout sessions and re-prompt on sensitive actions.

Prompt sanitization (agents)

Treat wallet addresses, tx hex, and user paste as untrusted text. Do not let model output invoke tools with raw user strings without validation. Separate system instructions from user content.

Consent record

Log what the user agreed to (purpose, network, visibility) and when. Keep logs free of secrets. Offer a revoke / disconnect path.

Checklist

Next steps