Security
Built to fail safe.
Privacy is the product. Security is what makes it real. Below is how XMRgate is built — the controls, the infrastructure, and how to report an issue.
Six pillars
Hashed API keys
Keys are stored as bcrypt hashes. We cannot recover a plaintext key — even with full database access. Lost a key? Revoke and rotate.
HMAC-signed webhooks
Every webhook payload is signed with HMAC-SHA256. Verify the signature before fulfilling an order. Sample code is in every SDK.
Rate limiting per key
Default 100 req/min per API key, scoped independently. Abuse on one key never starves the others.
Private Docker network
Internal services (Postgres, Redis, blockchain nodes) live on a private Docker network. None of them are exposed to the public internet.
Encrypted wallet operations
Platform wallets are operated through locked-down workers. Admin dashboards show addresses and status, not plaintext seed phrases or wallet passwords.
Scoped keys
Create read-only keys for analytics tools and full-access keys for your backend. Each key shows its last-used timestamp.
Infrastructure
EU jurisdiction, minimal surface area, no third-party analytics.
Responsible disclosure
Found a vulnerability? Report it to security@xmrgate.com (PGP key on the contact page). We do not pursue good-faith researchers.
- Use a secure, throwaway email for the report
- Include a clear proof of concept where possible
- Allow 90 days for remediation before public disclosure
- Do not access merchant data beyond what is needed to demonstrate the issue
Out of scope
- · Volumetric DDoS, brute force, or rate-limit testing
- · Reports about missing security headers without impact
- · Self-XSS in third-party password managers
- · Findings in dependencies without a working exploit
We acknowledge reports within 72 hours.
Have a question about our setup?
Enterprise customers get a written security overview on request.
Get in touch