NWC wallet connection secrets are stored in plaintext #57

New Issue

2026-05-01T10:43:53Z

userAdityaa commented

2026-05-01 10:43:53 +00:00

NWC secrets are stored in the tenant table as a plain text column and passed through model/query/command layers without encryption.

Billing consumes the same value directly to execute NWC payment operations.

NWC secrets are stored in the tenant table as a plain text column and passed through model/query/command layers without encryption. Billing consumes the same value directly to execute NWC payment operations.

userAdityaa commented

2026-05-01 16:28:49 +00:00

I believe PR #54 and this issue are the final priority items before launch. Once both are resolved, I’ll do a thorough cleanup and final verification pass.

once #54 is merged, I will move on with the fix for this.

I believe PR #54 and this issue are the final priority items before launch. Once both are resolved, I’ll do a thorough cleanup and final verification pass. once #54 is merged, I will move on with the fix for this.

userAdityaa referenced a pull request that will close this issue

2026-05-02 11:21:52 +00:00

chore: encrypt tenant NWC URL at rest and stop secret exposure in tenant APIs #58

userAdityaa commented

2026-05-02 12:45:51 +00:00

@hodlbod, I’ve pushed the changes for this issue. From my side, this looks like the last launch-critical blocker. It would be great if you could also verify it. After that, I’ll shift my focus back to flotilla to work on my assigned issues.

hodlbod commented

2026-05-02 14:23:20 +00:00

Great, just a few comments. I'll try to test caravel with stripe keys and everything this week

❤️ 1

hodlbod closed this issue

2026-05-05 20:42:12 +00:00

Sign in to join this conversation.

2 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: coracle/caravel#57