Zero Secret Exposure
y0 never asks for, receives, stores, or has access to any wallet secret — ever. This is not a policy. This is the architecture. It cannot be turned off, bypassed, or misconfigured.
The Core Promise
The #1 barrier to AI-controlled crypto is trust: "What if the AI steals my money?" Most projects solve this by saying "trust us." y0 solves it architecturally — there is nothing to steal.
Non-Custodial by Design
y0 builds unsigned transactions and sends them to the y0 app (app.y0.exchange or mobile) for your review. You approve — and the app calls your wallet (MetaMask, Phantom) to sign. y0 physically cannot move your funds.
AI Agent Never Sees Your Keys
The AI agent (Claude, GPT, Cursor) only has a y0 API key. It doesn't know your wallet address, private key, or seed phrase. The API key resolves to a session on y0's server — not to your wallet.
AI Agent Doesn't Even Know Your Address
The API key maps to a session which contains your wallet address server-side. The AI only knows "swap USDC to ETH" — not where the funds are or who you are.
Open-Source & Auditable
The MCP server and signing UI are MIT-licensed. Every line of code that touches your transaction is publicly auditable. Verify yourself that no secrets flow through it.
You Approve Everything
Every transaction requires your explicit review and approval. No auto-execution, no shortcuts. You see every detail before anything is signed.
Revoke Access Anytime
Disconnect your wallet, revoke API keys — all with one tap. No lock-in, no penalties, no data retention.
What We Know vs What We Never Know
🖥️y0 Servers
- ✓Wallet public address (public on blockchain anyway)
- ✓What you want to do (intent)
- ✓Unsigned transaction data
- ✓Transaction status (pending/done)
- ✓Token balances (public on-chain data)
- ✗y0 API key (resolves to session, not wallet)
- ✓Tool results (balances, prices, quotes)
- ✗Private keys
- ✗Seed phrases / mnemonics
- ✗Wallet passwords
- ✗MPC key shards
- ✗Signing credentials
- ✗Your identity
- ✗Other wallets you own
🤖AI Agent (Claude / GPT)
- ✗Wallet public address (public on blockchain anyway)
- ✓What you want to do (intent)
- ✗Unsigned transaction data
- ✓Transaction status (pending/done)
- ✓Token balances (public on-chain data)
- ✓y0 API key (resolves to session, not wallet)
- ✓Tool results (balances, prices, quotes)
- ✗Private keys
- ✗Seed phrases / mnemonics
- ✗Wallet passwords
- ✗MPC key shards
- ✗Signing credentials
- ✗Your identity
- ✗Other wallets you own
Attack Surface Comparison
What happens when things go wrong? Compare y0's architecture to autonomous AI agents and custodial platforms.
| Attack Scenario | Autonomous Agents | Custodial Platforms | y0 | |
|---|---|---|---|---|
| Server compromised | — | All private keys stolen. All funds lost. | Platform keys stolen. All funds at risk. | Only public addresses leak (already public on blockchain). |
| AI hallucination / bug | — | Agent sends all funds to wrong address autonomously. | Agent acts with full wallet access. | Agent proposes bad tx. User sees it. User rejects. |
| Prompt injection | — | Attacker hijacks agent, drains wallets. | Attacker hijacks agent, uses wallet. | Attacker creates unsigned tx. User sees and rejects. |
| Insider threat | — | Employee has access to private keys. | Employee has access to infrastructure keys. | No keys on server. Nothing to steal. |
| Man-in-the-middle | — | Intercepted signed tx can be replayed. | Intercepted signed tx can be replayed. | Only unsigned data intercepted — useless without private key. |
| Supply chain attack | — | Compromised dependency gets key access. | Compromised dependency gets key access. | MCP server is MIT open-source. No keys flow through it. |
Data Flow
AI Agent y0 MCP Server Signing Service y0 App Your Wallet
(Claude, GPT) (open-source) (approval queue) (app.y0.exchange (MetaMask,
or mobile app) Phantom…)
┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐
│ "Swap │──intent──▶│ Build │──unsigned─▶│ Queue tx │───push───▶│ Review │──approve──▶│ Sign │
│ USDC │ │ unsigned │ │ Wait for │ │ tx │ │ Broadcast│
│ to ETH" │ │ tx │ │ approval │◀─confirm──│ details │ │ to chain │
└──────────┘ └──────────┘ └──────────┘ └──────────┘ └──────────┘
│
Keys: NEVER Keys: NEVER Keys: NEVER Keys: NEVER Keys: HERE
has access has access has access has access (your device)
│
▼
BlockchainSecrets never leave your wallet. y0 only handles unsigned transaction data.
Full Review Approval
Notification
Your AI proposes a transaction. You receive a push notification or see it in the approval queue — instantly.
Review
See every detail: token, amount, recipient, gas estimate, risk level. Take your time. Understand what you are signing.
Approve or Reject
Approve to sign in your wallet, or reject to discard. No transaction is ever executed without your explicit confirmation.
Regulatory Advantage
Non-custodial architecture means lighter regulatory requirements across jurisdictions.
| Requirement | Custodial Services | y0 (Non-Custodial) | |
|---|---|---|---|
| Money transmitter license | — | Required in most jurisdictions | Not required — never controls funds |
| MiCA (EU) custody | — | Full CASP registration + capital requirements | Lighter compliance — no custody |
| BaFin (Germany) | — | Kryptoverwahrgeschäft license required | Not applicable — no Verwahrung |
| Asset insurance | — | Must insure custodied assets | No assets to insure |
| Key security audit | — | Must prove key storage controls | No keys = no key audit needed |
Found a vulnerability?
We take security seriously. Please report vulnerabilities responsibly.