Wallet Security

How we keep your assets safe

How We Connect to Your Wallet

AOX uses Xaman (formerly XUMM) as its sole wallet integration. Xaman is the most trusted and widely used XRPL wallet, built by XRPL Labs.

You Approve Everything
No Private Keys
Xaman Signed

What Happens When You Connect

1. Payload Created: Our backend requests a SignIn payload from the Xaman API.
2. QR Code Displayed: A QR code appears in-game for you to scan with the Xaman mobile app.
3. You Approve: You review and approve the sign-in request on your phone.
4. Address Returned: Xaman returns your public wallet address only.
5. Session Saved: We store your public address in your browser's localStorage to keep you logged in.

That's it. No transaction is created during sign-in — no funds are moved and no permissions are granted.

Transactions You May Sign

Certain actions in the game require on-chain transactions. Every transaction is presented as a Xaman signing request — you always see the full details and must explicitly approve each one in the Xaman app. We can never sign on your behalf.

Action             | Transaction Type     | What Happens
Buy Booster Pack   | XRP Payment (2 XRP)  | You send 2 XRP to the game issuer to purchase a pack of 3 random cards
Buy Starter Pack   | XRP Payment (1 XRP)  | You send 1 XRP to receive a Commander NFT + faction cards
Claim Card NFTs    | NFTokenAcceptOffer   | You accept sell offers for your minted card NFTs (one per card, no cost)
Burn Card for Dust | NFTokenBurn          | You permanently destroy a card NFT to earn Card Dust

Every transaction shows a QR code or deep link. You review the exact amount, destination, and type in Xaman before approving. Nothing happens without your explicit approval.

What We Store

Data                  | Where                                  | Purpose
Public wallet address | Browser localStorage + Server database | Identify your account, load your decks and profile
NFT cache             | Browser localStorage                   | Avoid re-fetching your NFT collection (5-min expiry)
Game data             | Server database                        | Decks, game history, wins/losses, level, Card Dust balance
NFT mint records      | Server database                        | Track which card NFTs were minted and claimed to your wallet
Profile info          | Server database                        | Display name, bio, avatar selection, banner image (if set)

We do not store your private keys, secret keys, seed phrases, or any signing credentials — anywhere.

What We Can & Cannot Do

What we CAN do

  • Read your public address — to identify you and load your profile
  • Read your NFTs — to display your card collection
  • Request transactions via Xaman — for pack purchases, NFT claims, and card burns. You must approve each one individually in the Xaman app.
  • Mint NFTs to your wallet — we create sell offers for your purchased cards, which you then accept

What we CANNOT do

  • Sign transactions for you — all signing happens in the Xaman app on your device
  • Take funds without approval — every payment requires your explicit sign-off
  • Move your existing NFTs — we cannot transfer or sell NFTs you already own
  • Access private keys — Xaman never exposes them to third parties
  • Act without your consent — every on-chain action requires you to scan a QR code and approve

Authentication Flow

Browser                    Our Backend              Xaman API
   |                           |                       |
   |-- POST /xaman/auth/signin -->                     |
   |                           |-- Create SignIn ------>|
   |                           |<-- QR URL + UUID ------|
   |<-- QR code + deep link ---|                       |
   |                           |                       |
   | (User scans QR in Xaman app and approves)         |
   |                           |                       |
   |-- Poll /xaman/payload/:uuid ->                    |
   |                           |-- Check status ------->|
   |                           |<-- { signed, account } |
   |<-- wallet address --------|                       |
   |                           |                       |
   | localStorage.set('xaman_wallet_address', address) |
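The browser side of the flow above, written here as an added example rather than the project's own src/xaman-auth.ts. It uses the page's endpoint shape and localStorage key; fetchStatus stands in for a fetch of GET /xaman/payload/:uuid, and the address format check and the bounded polling are assumptions about what a careful client should do, not behaviour the page documents.

```typescript
// Added example, not AOX's src/xaman-auth.ts. Two checks gate the saved
// session: the payload must report signed === true, and the returned account
// must be a plausible XRPL classic address before it is written to storage.
// Shape of the page's GET /xaman/payload/:uuid response, as in the diagram.
interface PayloadStatus { signed: boolean; account?: string; }
type PollOutcome =
  | { kind: 'pending' }
  | { kind: 'signed'; address: string }
  | { kind: 'invalid'; reason: string };

// Format check only: prefix 'r', base58 alphabet, 25 to 35 characters.
// It does not verify the checksum, so it rejects garbage, not every typo.
function isClassicXrplAddress(addr: string): boolean {
  return /^r[1-9A-HJ-NP-Za-km-z]{24,34}$/.test(addr);
}

// Interpret one poll response; only signed + well-formed account is accepted.
function evaluatePayload(status: PayloadStatus): PollOutcome {
  if (!status.signed) return { kind: 'pending' };
  const account = status.account ?? '';
  if (!isClassicXrplAddress(account)) {
    return { kind: 'invalid', reason: `malformed account "${account}"` };
  }
  return { kind: 'signed', address: account };
}

// Storage abstraction so this runs outside a browser (assumption: the real
// client would pass window.localStorage here).
interface SessionStore { setItem(key: string, value: string): void; }
const SESSION_KEY = 'xaman_wallet_address'; // key shown in the diagram above

// Poll until the payload is signed, then save the address. A bounded number
// of attempts means an unapproved payload cannot keep the client polling forever.
async function pollForAddress(
  fetchStatus: (uuid: string) => Promise<PayloadStatus>,
  uuid: string,
  store: SessionStore,
  opts = { intervalMs: 2000, maxAttempts: 60 },
): Promise<string> {
  for (let i = 0; i < opts.maxAttempts; i++) {
    const outcome = evaluatePayload(await fetchStatus(uuid));
    if (outcome.kind === 'signed') {
      store.setItem(SESSION_KEY, outcome.address);
      return outcome.address;
    }
    if (outcome.kind === 'invalid') throw new Error(outcome.reason);
    await new Promise<void>((r) => setTimeout(r, opts.intervalMs));
  }
  throw new Error(`payload ${uuid} not approved after ${opts.maxAttempts} polls`);
}
```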

Session Management

  • Login saves your public address to localStorage
  • Logout clears your address, selected NFT, and any cached profile data
  • No cookies, no tokens, no server-side sessions — your browser is the only place your session exists
  • Closing the tab or clearing browser data logs you out completely

Open Source

The entire wallet integration code is in src/xaman-auth.ts. You can read every line of code that interacts with your wallet. There are no hidden API calls, no obfuscated logic, and no background processes.

Quick Summary

Can AOX access my private keys?
  No. Xaman never exposes them.
Can AOX send transactions without my approval?
  No. Every transaction requires your explicit approval in Xaman.
What transactions will I be asked to sign?
  Pack purchases (XRP payments), NFT claims (accept offers), and card burns.
Can AOX move my existing XRP or NFTs?
  No. We can only request transactions that you approve.
What does AOX read?
  Your public address and your NFT collection.
Where is my data stored?
  Browser localStorage + our database (wallet address, decks, game stats).
How do I disconnect?
  Click the disconnect button or clear browser data.

Your keys never leave the Xaman app. Every transaction requires your explicit approval.