Security

​

Overview

​

Data Protection

​

API Keys

• Keys are hashed with SHA-256 at rest — ACN never stores your raw key
• Only the key prefix (acn_sk_xxxx) is stored in plaintext for identification
• Full keys are shown only once at creation time

​

Provider Credentials

• Upstream provider authentication credentials are encrypted with AES-256-GCM
• Encryption keys are managed via AWS KMS
• Credentials are decrypted in memory only at the moment of proxying a request

​

Private Keys

• ACN never has access to your wallet private key
• The Wallet MCP Server runs locally on your machine
• Only signed transactions are sent to ACN — never raw keys

​

Transport Security

​

Authentication Security

​

API Key Auth

• Keys use a recognizable prefix (acn_sk_) for secret scanning tools
• Rate limiting per developer account prevents brute force

​

Wallet Auth (EIP-712)

• Timestamp window: Signatures are valid for 5 minutes only
• Nonce-based replay prevention: Each signature includes a unique nonce
• On-chain verification: Signatures are verified against the wallet address

​

Payment Security

• Atomic debit: Charges are deducted before proxying to the provider. If the debit fails, the call doesn’t proceed.
• Automatic refunds: 5xx errors and timeouts trigger instant refunds
• Daily settlement: Provider payments are batched and settled on-chain with verifiable transaction hashes
• On-chain verification: All deposits are verified by parsing USDC Transfer events from the transaction receipt

​

Infrastructure Security

​

Responsible Disclosure

• Email: security@acn.exchange
• Do not disclose vulnerabilities publicly before they are addressed