> For the complete documentation index, see [llms.txt](https://docs.antivamp.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.antivamp.io/partners/03_security_model.md).

# Security Model

## Trust boundaries

* **On-chain registries** (HyperEVM, Solana) are the source of truth for reservations and locks. Program upgrade authority + admin + guardian are held by a Squads multisig (Solana) / Safe (HyperEVM).
* **The API** is a convenience + enforcement layer. Decisions are signed so you don't have to trust the transport.
* **Your API key** authenticates you to us. **Our signing key** authenticates decisions to you. They are different keys with different owners.

## Signed decisions (asymmetric)

Every `validateLaunch` decision is **Ed25519-signed** over a canonical payload and expires in 5 minutes. You verify with a **public key** (`GET /v1/keys`) — we never share the private key, and you never hold a shared secret for decisions. Rotation: multiple public keys may be listed during overlap; pin the active one and accept any listed key. See [signed decisions](/partners/05_signed_decisions.md).

## Webhooks (symmetric)

Webhook payloads are HMAC-signed with a per-endpoint secret you receive once. Verify `X-AntiVamp-Signature` and reject events older than your tolerance.

## Keys & secrets

* API keys stored hashed (SHA-256); shown once; rotate/revoke anytime.
* Signing private key lives in server-side secret management only.
* No private keys, seed phrases, or raw secrets are ever requested or logged.

## Fail closed

Stale oracle → reservations revert on-chain. Unavailable data → API returns `recheck_required` / errors; the SDK throws `AntiVampFailClosedError`. Your integration must treat all of these as "do not launch." See [failure modes](/partners/04_failure_modes.md).

## Metering & privacy

We record request metadata (endpoint, chain, status, decision, latency, billable unit, request id) for billing and abuse prevention — never keys, raw secrets, or unnecessary payloads.

## Disputes & guardian corrections

Mistaken blocks or identity conflicts go through `https://antivamp.io/disputes` (EVM claimants sign a wallet proof). Every guardian/operator action writes an **immutable audit event** (actor, action, reason, previous → new state, timestamp, evidence ref).

## What AntiVamp does NOT claim

Identity protection is not investment safety, endorsement, or a guarantee of token quality. Badges and API responses attest identity status only. We do not claim to be unhackable; a third-party contract audit is recommended before large volume.

## Responsible disclosure

`security@antivamp.io`.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.antivamp.io/partners/03_security_model.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
