Security

Quote before payment. Sign outside Wisely. Fulfill only after proof checks out.

Wisely is designed around wallet handoff, bounded approvals, payment binding, idempotency, receipts, reconciliation, route limits, and untrusted-output handling.

No seed phrases

The caller signs with their own wallet/runtime. Wisely never needs seed phrases, raw private keys, raw cards, CVVs, or bank logins.

Payment binding

Where the rail supports it, Wisely binds resource, method, payload hash, amount, asset, payTo, nonce, and expiry.

Retry safety

Paid retries use idempotency so side-effect handlers do not execute twice.

Hosted content safety

Builder publishes and creator imports require attestation and are scanned for illegal material, secrets, private data, raw payment data, tokens, and unauthorized content before going live.

Threat model

  • External seller responses are untrusted.
  • Provider output cannot override wallet policy.
  • Public discovery paths should not require secrets.
  • Refund/credit review catches paid failures after settlement.
  • Self-serve hosted endpoints are blocked or sent to review when content-safety checks trip.