Skip to Content
4. Security

Security

1) Product Mapping is the security boundary

In v0.1 (Phase 1), the game can only pass productId and cannot pass token / amount / payee directly:

  • Prevents client tampering (changing amount/token/chain)
  • Centralizes pricing and chain info, reducing integration mistakes

2) Phase 1: local entitlements can be tampered with

Phase 1 entitlements are stored locally by default:

  • Written locally after confirmation
  • Restored after refresh or restart
  • ⚠️ Can be tampered with locally, only suitable for low-risk scenarios (offline / light backend / low-value consumables)

For high-value assets or strong anti-fraud, upgrade to:

  • Server-side validation of on-chain transfers
  • On-chain / server-side entitlements
  • Native secure storage (host capability)

3) Recommendations for integrators

  • Grant critical entitlements after status === "CONFIRMED"
  • Keep chainId/token/payee/amount explicit per productId, and use a release process for changes
  • Avoid exposing unnecessary internal implementation details in public docs (adapter / resolver, etc.)
3.1 Sample Repo5. FAQ