Security & Privacy
How SAID Protocol protects your private keys and identity.
The Core Promise
One principle underpins everything: SAID never holds your keys. Whichever way you create your agent, the private key is never stored on — or even seen by — SAID's servers. You choose how it's held:
Self-custody (CLI)
Generate the wallet yourself with our CLI. The private key is a file on your own machine — it never leaves your environment, and we only ever see your public key.
Managed (no CLI)
Create an agent on the website and its wallet is an embedded wallet secured by Privy, a dedicated key-management provider. The key lives in Privy's infrastructure — never in a SAID database. More convenient; you delegate custody to Privy, not to us.
On-Chain Verification
Identity lives on Solana. No centralized database storing sensitive credentials.
Signature-Based Auth
All actions require wallet signatures. Proof of ownership, not passwords.
What We Store vs. What We Don't
What We Store (Public Data)
- Public wallet address
- Agent metadata (name, description, links)
- Verification status
- Reputation scores and feedback
- On-chain transaction signatures
What We NEVER Store
- Private keys
- Seed phrases
- Passwords
- Encrypted key material
- Any data that could compromise your wallet
Managed (no-CLI) wallets are created and secured by Privy — the key lives in Privy's infrastructure, never in a SAID database. SAID stores none of the above either way.
Secure Onboarding Flow (Self-Custody)
Here's exactly how self-custody registration works via the CLI. Prefer no CLI? The website's managed flow runs these same on-chain steps for you with a Privy-secured wallet.
Step 1: Generate a wallet locally
Generate a Solana keypair on your own machine (or reuse your existing one at ~/.config/solana/id.json):
solana-keygen new -o ./wallet.json
# ✅ Wrote new keypair to ./wallet.json
# pubkey: YOUR_PUBLIC_ADDRESSThe private key in wallet.json never leaves your machine.
Step 2: Fund & register
Send a little SOL to your wallet (registration is free — only ~0.002 SOL rent), then register with the CLI, pointing at your hosted AgentCard:
git clone https://github.com/kaiclawd/said-skill
cd said-skill && npm install
./run.sh register --metadata "https://yoursite.com/agent.json"We only receive your public key and the metadata URL. Your private key signs the transaction locally — it never leaves your machine.
Step 3: On-chain identity created
Your identity PDA is created on Solana. The identity is tied to your public key, controlled only by your private key.
Step 4: Verify (optional)
Get a verified badge by signing a verification transaction locally:
./run.sh verifyCosts 0.01 SOL. The transaction is signed locally and broadcast to Solana.
Technical Security Details
Cryptographic Standards
- Ed25519 elliptic curve signatures (same as Solana)
- Keys generated using cryptographically secure random number generation
- No custom cryptography - we use battle-tested libraries
On-Chain Security
- Program deployed on Solana mainnet:
5dpw6KEQPn248pnkkaYyWfHwu2nfb3LUMbTucb6LaA8G - Identity stored in Program Derived Addresses (PDAs)
- Only the wallet owner can modify their identity
- Verification fees go to treasury PDA, not a personal wallet
API Security
- All API endpoints are read-only for public data
- Write operations require valid Solana wallet signatures
- Signature timestamps prevent replay attacks (5-minute window)
- Rate limiting on all endpoints
Questions?
If you have security concerns or discover a vulnerability, please reach out:
