
Security checklist

Privy is a library that lets you provision non-custodial embedded wallets to create delightful user experiences. Privy protects your users' accounts and wallets through secure account verification, session management, and key sharding cryptography. See the architecture security documentation for more information.

Before deploying Privy in production, there are several important security configurations to consider. Beyond this, security is a comprehensive topic that touches every part of your stack.

Secure your client environment

Because your application client provides the context in which users access their accounts, it is an essential environment to keep secure. Follow client-side security best practices, including limiting what can inject JavaScript into your site, so that only the code you intend runs in your app.

Web integrations

If you use Privy in your web application, including mobile web, we recommend configuring the following security settings.

Restrict allowed domains

Configure your allowed domains to prevent unauthorized access to your Privy integration.

  • Add your production domain in the Settings page of the Privy Dashboard.
  • Remove any test or development domains.

INFO

Using domains not configured in your allowed domains list will cause your integration to fail. This is an important security measure that protects your users.

Configure HttpOnly cookies

To enable HttpOnly cookies for enhanced security, you can verify your domain ownership through a simple setup process in the Privy dashboard.

Security headers

Configure proper security headers:

  • Implement a strict Content Security Policy
  • Configure appropriate CORS settings
  • Set secure cookie attributes when using HttpOnly cookies
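
As an added example (not Privy's code), the following JavaScript audits one response's headers against the three items above. The origin allowlist, the `session` cookie name and the sample response are constructed assumptions, and `app.example.com` is a placeholder.

```javascript
// Added example: audit one response's headers against the three checklist items.
const WEAK_SOURCES = ["'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"];

function parseCsp(value) {
  const directives = new Map(); // directive name -> [source expressions]
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function auditCsp(csp) {
  if (!csp) return ["csp: header missing"];
  const d = parseCsp(csp);
  const list = d.get("script-src") || d.get("default-src");
  if (!list) return ["csp: no script-src or default-src"];
  // Browsers ignore 'unsafe-inline' when a nonce or hash is present, and ignore
  // scheme and wildcard sources when 'strict-dynamic' is present as well.
  const pinned = list.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  const dynamic = pinned && list.includes("'strict-dynamic'");
  const ignored = (src) => (pinned && src === "'unsafe-inline'") ||
    (dynamic && /^(\*|https?:|data:)$/.test(src));
  return list.filter((src) => WEAK_SOURCES.includes(src) && !ignored(src))
    .map((src) => `csp: script source ${src} is not strict`);
}

// headers: lowercase names; "set-cookie" is an array of header strings.
function auditHeaders(headers, allowedOrigins) {
  const findings = auditCsp(headers["content-security-policy"]);
  const origin = headers["access-control-allow-origin"];
  if (origin !== undefined && !allowedOrigins.includes(origin))
    findings.push(`cors: origin ${origin} is not on the allowlist`);
  for (const cookie of headers["set-cookie"] || []) {
    const [pair, ...attrs] = cookie.split(";").map((s) => s.trim());
    const flags = attrs.map((a) => a.split("=")[0].toLowerCase());
    for (const need of ["httponly", "secure", "samesite"])
      if (!flags.includes(need)) findings.push(`cookie ${pair.split("=")[0]}: missing ${need}`);
  }
  return findings;
}
// Constructed sample response; app.example.com is a placeholder origin.
const ALLOWED = ["https://app.example.com"];
const WEAK = {
  "content-security-policy": "default-src *; script-src 'self' 'unsafe-inline'",
  "access-control-allow-origin": "*",
  "set-cookie": ["session=abc123; Path=/"],
};
console.log(auditHeaders(WEAK, ALLOWED));
```

Run it in CI against the headers your production origin returns, and fail the build on any finding.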

Mobile integrations

If you use Privy in your native mobile application, we recommend configuring the following security settings.

Restrict allowed native app IDs

Set your mobile project's bundle identifier as the required native app identifier.

Set up authentication

If you have integrated user authentication with Privy wallet infrastructure, we recommend the following authentication settings. Authentication security starts with choosing appropriate methods for your application. Consider your users' needs and security requirements when configuring these settings. Read more about our authentication architecture.

Login methods

For high-value applications, we recommend that you:

  • Disable SMS-based authentication to prevent SIM-swapping attacks
  • Enable strong MFA options like authenticator apps or passkeys
  • Configure appropriate session duration. The default is 30 days.

INFO

These security settings can be configured in your Privy dashboard. The defaults are chosen to balance security and user experience, but you may want to adjust them based on your specific needs.

OAuth configuration

If using social login, ensure proper configuration:

  • Set up allowed OAuth redirect URLs
  • Review OAuth scopes and permissions
  • Enable only necessary social providers
  • Monitor OAuth token security

Protect your wallets

Wallet security requires careful consideration of your specific use case and threat model. Learn more about our wallet security architecture.

Embedded wallets

For wallets that users interact with directly through your application, we recommend enabling increasingly strict security settings as account value increases.

High-value assets

When protecting significant value, implement multiple security layers:

  • Require MFA for all sensitive operations
  • Enable user-managed recovery through password or cloud backup
  • Set up emergency contacts and procedures

Standard use cases

For typical wallet usage:

  • Enable users to optionally configure MFA
  • Configure automatic recovery with appropriate login methods
  • Implement user education about security best practices

Secure wallet authorization keys

If your application directly secures wallet authorization keys, implement key management controls:

  • Store API keys and secrets in a secure secrets manager
  • Rotate secrets regularly and maintain proper access controls
  • Monitor API usage and implement rate limiting
  • Set up alerts for unusual activity
  • Use separate development and production credentials
  • Implement proper logging and audit trails