Security & Authentication

Security is foundational to Mintos.Pro. We implement multiple layers of protection including JWT tokens, AES-256-GCM encryption, Cloudflare bot protection, and blockchain verification. User data is protected according to GDPR requirements.

Two-Tier Profile System

Tier 1 (Web2) requires a username, name, and password, and unlocks playlists, comments, subscriptions, and ARThash. Tier 2 (Web3) adds wallet, phone, address, ID, and banking information, and unlocks NFT creation and marketplace features. This progressive approach reduces onboarding friction.

Dual-Auth Contract Signing

Legal contracts can be signed in two ways: Wallet Signature uses Ed25519 cryptographic signing from Solana wallets; Password Verification uses bcrypt-hashed credential checking. Both methods are legally valid and create immutable records.

JWT Token Management

Access tokens expire after 15 minutes and refresh tokens after 7 days. Both are stored in HttpOnly, Secure, SameSite cookies. Tokens contain userId, pubkey, username, role, and profileCompleted status. Expired access tokens are refreshed automatically.

Data Encryption

Sensitive data is encrypted with AES-256-GCM using a unique IV for every encryption. Encrypted fields include IBAN numbers, delegate wallet private keys, and API secrets. Master encryption keys are stored in Kubernetes Secrets, never in code.

Bot Protection

Cloudflare Turnstile provides invisible bot protection on every request. Verification runs automatically in the background with 24-hour cookie validity. Legitimate users see no interruption; bots are blocked.

GDPR Compliance

User data is handled in accordance with the EU GDPR: soft deletion preserves audit trails, data export is available on request, and a right-to-be-forgotten process is implemented. All data transfers use TLS 1.2 or higher.

Password Recovery

Password reset is performed via email using SHA-256 hashed tokens with a 1-hour expiry. Rate limiting (a 5-minute cooldown) prevents abuse. Password strength requirements: minimum 8 characters including both letters and numbers.

Blockchain Security

The UpdateDelegate plugin allows platform-paid minting without compromising user ownership. TransferDelegate enables marketplace operations while users retain full control. Private keys never leave user wallets.
