Overview
Every Dfns API request passes through multiple security layers before a blockchain transaction is signed:Layer 1: Authentication
Every API request must prove identity through two mechanisms:API Token
TheAuthorization: Bearer <token> header identifies who is making the request:
- User tokens: Short-lived, obtained through login flow
- Service account tokens: Long-lived, for server-to-server communication
- Personal access tokens: Long-lived user tokens for development
User Action Signature
For state-changing operations (POST, PUT, DELETE), theX-DFNS-USERACTION header proves the caller controls a registered credential:
- Client requests a challenge from Dfns
- Client signs the challenge with their credential (passkey or asymmetric key)
- Dfns verifies the signature matches a registered credential
Layer 2: Authorization (Permissions)
After authentication, Dfns checks if the user has permission to perform the requested action. Permissions follow a whitelist model - users can only perform actions explicitly granted: Example: A user withWallets:Read can view wallets but cannot transfer assets (requires Wallets:Sign).
See Permissions for the full list.
Layer 3: Policy Engine
Even with valid authentication and permissions, the Policy Engine can add additional controls:| Policy action | Effect |
|---|---|
Block | Transaction is rejected |
RequestApproval | Transaction held until humans approve |
NoAction | Transaction proceeds (used with Chainalysis for logging) |
- Transaction amount limits
- Velocity limits (amount or count over time)
- Recipient whitelisting
- Chainalysis screening
Layer 4: MPC Signing
Once a transaction passes all checks, the MPC signing ceremony begins: Key properties:- No complete key: The private key never exists in one place
- Threshold security: Requires k-of-n shares to sign (not all shares needed)
- Geographic distribution: Nodes are in different data centers/regions
- Audit trail: Every signing ceremony is logged
Layer 5: Broadcast
The signed transaction is broadcast to the blockchain network. Dfns monitors for confirmation and updates transaction status.Security model summary
| Layer | What it protects against |
|---|---|
| Authentication | Unauthorized access |
| User action signing | Token theft, replay attacks |
| Permissions | Privilege escalation |
| Policies | Unauthorized transactions, fraud |
| MPC | Key theft, single point of compromise |
Separation of concerns
A critical security property: credentials and keys are completely separate.| Credential (Authentication) | Key (Signing) |
|---|---|
| Proves identity | Signs transactions |
| Stored on user device (passkey) or server (service account) | Stored in MPC network |
| Can be revoked/rotated | Key shares are immutable |
| Compromised credential ≠ stolen assets | Protected by all layers above |
- User action signing requirements
- Permission checks
- Policy enforcement
- MPC threshold requirements