Trust
Security
How we handle your keys, your data, and your sessions.
Key encryption
Private keys for custodial and imported wallets are encrypted with AES-256-GCMbefore storage. The encryption key is derived server-side and never leaves the backend. Even if the database leaked, raw keys would be unreadable.
Transport
- TLS everywhere — every connection is encrypted in transit
- HSTS — forces HTTPS, prevents downgrade attacks
- Security headers — CSP, X-Frame-Options, X-Content-Type-Options all set
Authentication
Sessions use JWT tokens via NextAuth v5. Google OAuth for sign-in, plus wallet signature verification via EIP-712 typed data signing for linking browser wallets. Every order includes a nonce to prevent replay attacks.
Rate limiting
Four tiers based on sensitivity:
| Endpoint | Limit |
|---|---|
| General API | 100 req/min |
| Order placement | 50 req/min |
| Wallet operations | 20 req/min |
| Key reveal | 10 req/min |
Smart contracts
All trades settle through Polymarket's audited smart contracts on Polygon. The Conditional Token Framework (CTF) and Exchange contracts are public and verified. Hexio never holds your funds — the contracts do.
Infrastructure
- RPC failover — multiple Polygon RPC endpoints with automatic switching
- WebSocket heartbeats — stale connections detected and recycled
- Database encryption — sensitive fields encrypted at rest