Security overview
Prudra is designed around the principle that private keys never exist in plaintext outside of KMS hardware. Every critical security property is enforced at the database level, not the application level.
Security layers
Key custody
Managed wallet private keys use envelope encryption:
- Each wallet has a private key (DEK)
- The DEK is encrypted with the Key Encryption Key (KEK)
- The KEK lives in KMS hardware — never in application memory beyond the signing window
- Only the encrypted ciphertext is stored in Postgres
Payment security
- Replay protection: ERC-3009 nonces and on-chain transaction hashes use @@unique constraints at the database level
- Challenge harvesting: Rate limited at 20 challenges per IP per 60 seconds
- Signature verification: HMAC-SHA256 and on-chain signature verification for every payment
Webhook security
All webhook deliveries are signed with HMAC-SHA256. The signature covers the raw body and timestamp to prevent replay attacks.
Sub-pages
Key custody
Envelope encryption, KMS hardware, and key rotation.
Audit logs
Payment logs, key usage logs, and compliance exports.
Related
- Managed wallets — how it works — envelope encryption detail
- Key rotation — 90-day KEK rotation
- Payment security — replay — replay protection
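
The webhook signing described under Webhook security, shown as a receiver-side check in Python. This is an added example, not Prudra's own code: the signed-string layout `<timestamp>.<raw body>`, the hex encoding, the 300-second window and every sample value are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

TOLERANCE_SECONDS = 300  # assumed freshness window, not a documented value

def sign(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    # Assumed layout: HMAC-SHA256 over b"<timestamp>.<raw body>", hex-encoded.
    message = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()

def verify(secret: bytes, timestamp_header: str, signature_header: str,
           raw_body: bytes, now: Optional[float] = None) -> Tuple[bool, str]:
    now = time.time() if now is None else now
    try:
        timestamp = int(timestamp_header)
    except (TypeError, ValueError):
        return False, "malformed timestamp"
    expected = sign(secret, timestamp, raw_body)
    # Constant-time comparison on bytes, so odd header values cannot raise.
    if not hmac.compare_digest(expected.encode(), (signature_header or "").encode()):
        return False, "bad signature"
    # The timestamp is inside the MAC, so it cannot be refreshed without the secret.
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False, "stale timestamp"
    return True, "ok"

# Constructed sample delivery (secret, payload and clock are made up).
SECRET = b"whsec_constructed_example"
SENT_AT = 1_700_000_000
RAW_BODY = b'{"event":"payment.settled","amount":"1.50"}'
SIGNATURE = sign(SECRET, SENT_AT, RAW_BODY)

def demo() -> dict:
    reserialized = json.dumps(json.loads(RAW_BODY)).encode()  # same JSON, other bytes
    later = SENT_AT + 3600
    return {
        "fresh": verify(SECRET, str(SENT_AT), SIGNATURE, RAW_BODY, now=SENT_AT + 5),
        "reserialized": verify(SECRET, str(SENT_AT), SIGNATURE, reserialized, now=SENT_AT + 5),
        "replayed_later": verify(SECRET, str(SENT_AT), SIGNATURE, RAW_BODY, now=later),
        "timestamp_rewritten": verify(SECRET, str(later), SIGNATURE, RAW_BODY, now=later),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The `reserialized` case fails because the MAC is over the bytes on the wire, so the receiver must verify before any JSON parsing or re-encoding. Within the tolerance window a captured delivery still verifies, so a receiver that needs exactly-once handling also has to deduplicate deliveries.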

