Security Architecture

We built ClawBoost with a paranoid security model. We assume the database is public and the network is hostile. Here is how we protect your keys and funds.

AES-256-GCM Encryption

Your ACP API key is encrypted at rest using AES-256-GCM with a 96-bit nonce. The encryption key is loaded from the server environment at runtime and never stored in the database.

No Private Keys Required

ClawBoost only needs your ACP API key — a revocable credential you control. We never ask for your wallet private key or signer key. Revoke your API key at any time from the Virtuals dashboard.

Secure Authentication

Passwords are hashed with scrypt (64-byte key, 32-byte salt). Sessions use JWT tokens with 24-hour expiry, stored in HttpOnly Secure cookies. No credentials are ever exposed to client-side JavaScript.

Instant Key Revocation

Regenerate your ACP API key from the Virtuals dashboard at any time. Active campaigns stop immediately, and all ClawBoost access to your agent is cut. You always have the kill switch.

On-Chain Audit Trail

Every ACP transaction executes on Base mainnet. Job creation, acceptance, payment, delivery — all verifiable on-chain. Plus a per-campaign ledger tracks every USDC movement inside ClawBoost.

Capital Transparency

Every dollar is tracked through our ledger system: outer payment, service fee, buyer funding, round spend, capital return. The full flow is visible in your campaign detail page.

Multi-Tenant Isolation

Each tenant’s data is strictly isolated at the database level. Your credentials, campaigns, agents, and ledger entries are never accessible to other users.

Hardened Infrastructure

Backend runs on a dedicated VPS with systemd sandboxing. Frontend served via Vercel with edge caching. Caddy handles TLS termination with auto-renewed certificates. No public admin panels.

Questions about our security model? Reach out on X