Security
SatLane is non-custodial by construction. That is the strongest single security property a Bitcoin processor can offer. We physically cannot move your funds because we never hold your private keys. Beyond that, here's what we do.
Key handling
Extended public keys (xpubs) you register are encrypted at rest with AES-256-GCM. The encryption key lives in environment config, not in the database. We never see your private keys. They stay in your Electrum wallet.
API keys are stored as SHA-256 hashes, never plaintext. The full key is shown once on creation; after that, even our database can only recognize it via constant-time hash comparison.
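The storage pattern described above, sketched as an added example (not SatLane's code). The `sk_example_` prefix, the `ApiKeyStore` class and the in-memory dict standing in for a database table are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Optional

KEY_PREFIX = "sk_example_"  # hypothetical prefix, not SatLane's key format


def _digest(api_key: str) -> bytes:
    return hashlib.sha256(api_key.encode("utf-8")).digest()


class ApiKeyStore:
    """In-memory stand-in (assumption) for a table of vendor_id -> key hash."""

    def __init__(self) -> None:
        self._rows: dict[str, bytes] = {}

    def issue(self, vendor_id: str) -> str:
        # 32 random bytes of entropy: this is what makes a fast, unsalted
        # hash acceptable for API keys, unlike for human-chosen passwords.
        api_key = KEY_PREFIX + secrets.token_urlsafe(32)
        self._rows[vendor_id] = _digest(api_key)  # only the hash is kept
        return api_key  # returned once; it cannot be recovered afterwards

    def verify(self, presented: object) -> Optional[str]:
        # Reject malformed input before hashing.
        if not isinstance(presented, str) or not presented.startswith(KEY_PREFIX):
            return None
        try:
            candidate = _digest(presented)
        except UnicodeEncodeError:
            return None
        match = None
        # Compare digests in constant time and scan every row without
        # returning early, so timing does not depend on where a match sits.
        for vendor_id, stored in self._rows.items():
            if hmac.compare_digest(candidate, stored):
                match = vendor_id
        return match

    def stored_values(self) -> list[bytes]:
        return list(self._rows.values())
```
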
Webhook signing secrets are encrypted at rest and can be rotated by you at any time. Rotation preserves the previous secret for 24 hours so you can deploy verification updates without downtime.
2FA + admin controls
Two-factor authentication (TOTP) is required for every vendor before they can register an xpub or generate an API key. The admin panel adds a second gate: email allowlist plus optional IP allowlist.
Every admin mutation writes an immutable row to admin_audit_log inside the same database transaction as the change. There is no code path that mutates vendor state without an audit entry.
Chain integrity
Before we mark an invoice as paid on mainnet, we independently cross-check against two block explorers (mempool.space + Blockstream). If the three sources don't agree, we flag the invoice as requires_review rather than firing a paid webhook.
Reorgs are handled: a confirmed payment that vanishes downgrades the invoice status and fires an invoice.payment_reverted webhook. We never silently accept a contradiction.
Reporting a vulnerability
Email security@satlane.com with details. We'll acknowledge within 24 hours. We don't run a bug-bounty program at this size; we do reward serious findings with fee credits and public credit (with your permission).
Please don't test against live vendors. Use our testnet sandbox.