Wallet security
userThe signed-session model: what HISS stores (address + timestamps), what it never asks for, and how to revoke.
The session model
- Proof of ownership, nothing more. Sign-in is one signature over a plain-text EIP-4361 message with a server-issued one-time nonce. A signature proves you control the address — it moves nothing and approves nothing.
- HttpOnly signed cookie. The session is a jose-signed JWT in an HttpOnly, SameSite=Lax cookie (Secure in production), valid seven days. Client JavaScript cannot read it.
- Server-side revocation. Logout revokes the database session row and clears the cookie. Sessions also carry hard expiries.
- EOA verification. Signatures are verified by local recovery — HISS makes no RPC call with your data and holds no provider-side account information.
What HISS stores
Your lowercase wallet address, chain ID, and session timestamps. Receipts you compile while signed in reference your user ID. No balances, no positions, no brokerage data, no keys — the schema has no columns for them (see Database).
Boundaries that never move
- Wallet connection is not Robinhood authorization. The two systems never touch: your Robinhood Agentic Account is configured on Robinhood's side and HISS stores no Robinhood credentials.
- A wallet signature never places a trade. HISS compiles instructions and receipts; live order placement, if you enable it, happens only through your own Robinhood MCP connection.
- No private wallet provider data lands in receipts or share cards — receipts carry hashes, fuse settings, and mode labels only.
If something looks wrong
Disconnect (revokes the session), review /api/me/receipts for artifacts attached to your address, and rotate nothing — there is nothing HISS holds that could need rotating. See Connect a wallet for the normal flow.