$ attesso security --info

Cryptographic Proof of Intent.

Attesso replaces shared secrets with passkey-backed signatures. Every transaction is cryptographically bound to a specific mandate and scope.

security-model
$attesso.security.overview()
Passkey-backed biometric auth (Secure Enclave/TPM)
Zero credit card exposure to AI agents
Enforced spending limits at API level
PCI-DSS Level 1 compliant payments
End-to-end encryption (TLS 1.3 + AES-256)
$ attesso security --features

Security Architecture

Multiple layers of protection ensure your transactions are secure at every step.

01_passkey_auth

passkey_backed_authentication

All spending mandates require passkey authentication (FaceID/TouchID). Private keys are generated and stored in the device's Secure Enclave (iOS) or StrongBox (Android), ensuring they never leave your device.

Algorithm: ECDSA P-256 (secp256r1) • Keys: Non-exportable • Auth: Biometric-gated
02_zero_card_exposure

credential_isolation

Agents interact with mandate IDs, not PANs. Credential isolation is enforced at the protocol level. Time-bounded authorization with deterministic scope constraints.

Bot receives: mandate_abc123 • Bot never sees: 4242-****-****-4242
03_scope_enforcement

enforced_spending_limits

Every mandate includes deterministic scope constraints enforced at the API level:

  • spending_limit
  • allowed_mccs / blocked_mccs
  • ttl_seconds on cards
  • instant_revocation
04_pci_compliance

pci_dss_compliant_payments

All payment processing is handled through Stripe, a PCI-DSS Level 1 certified provider. We never store, process, or transmit card numbers on our servers.

Provider: Stripe • Compliance: PCI-DSS Level 1 • Encryption: TLS 1.3
$ attesso security --attestation

Passkey-Enforced Authorization

Standardizing authorization on passkeys eliminates token leakage risk.

non_exportable_keys

Private keys never leave the Secure Enclave. Biometric assertion required for each signature.

1:1_attribution

Every mandate is cryptographically bound to human intent. Deterministic scope enforcement.

replay_prevention

Counter validation and domain binding prevent credential reuse across contexts.
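
The counter validation and domain binding named above, as an added example (not Attesso's code): it assumes the passkey assertions use the standard WebAuthn authenticatorData layout, and the RP ID `pay.example.test` and all function names are placeholders. Signature and challenge verification are separate steps and are not shown.

```python
import hashlib
import struct

RP_ID = "pay.example.test"  # assumed relying-party ID (placeholder, not Attesso's)

class AssertionRejected(Exception):
    pass

def parse_auth_data(auth_data: bytes):
    """Split WebAuthn authenticatorData: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise AssertionRejected("authenticatorData shorter than 37 bytes")
    rp_id_hash = auth_data[:32]
    flags, sign_count = struct.unpack(">BI", auth_data[32:37])
    return rp_id_hash, flags, sign_count

def check_assertion(auth_data: bytes, stored_count: int, rp_id: str = RP_ID) -> int:
    """Return the new counter to persist, or raise AssertionRejected."""
    rp_id_hash, flags, sign_count = parse_auth_data(auth_data)
    # Domain binding: the authenticator hashes the RP ID it signed for.
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise AssertionRejected("rpIdHash mismatch: assertion made for another domain")
    # UP (0x01) and UV (0x04) flags: user present and biometric/PIN verified.
    if flags & 0x05 != 0x05:
        raise AssertionRejected("user presence/verification flags not set")
    # Counter validation: once either counter is non-zero it must strictly increase.
    # Authenticators that always report 0 (both values 0) skip this check.
    if (sign_count or stored_count) and sign_count <= stored_count:
        raise AssertionRejected("signCount did not increase: replay or cloned key")
    return sign_count

def make_auth_data(rp_id: str, flags: int, count: int) -> bytes:
    """Build constructed sample authenticatorData for the demo."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, count)

if __name__ == "__main__":
    good = make_auth_data(RP_ID, 0x05, 8)  # constructed sample, counter = 8
    print("accepted, new counter:", check_assertion(good, stored_count=7))
    cases = [("replayed", good, 8),
             ("other domain", make_auth_data("other.example.test", 0x05, 9), 8)]
    for label, data, stored in cases:
        try:
            check_assertion(data, stored)
        except AssertionRejected as exc:
            print(label, "->", exc)
```
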

$ attesso infra --security

Infrastructure Security

Our infrastructure is designed with security at every layer. From encrypted data storage to automatic key rotation, we protect your data at rest and in transit.

  • All data encrypted at rest (AES-256)
  • All data encrypted in transit (TLS 1.3)
  • API authentication via API keys
  • Automatic key rotation
  • Rate limiting and DDoS protection
  • Regular security audits
  • SOC 2 Type II compliance (in progress)
infra-status
$attesso.infra.status()
ACTIVE encryption_at_rest: AES-256
ACTIVE encryption_in_transit: TLS 1.3
ACTIVE ddos_protection: enabled
ACTIVE rate_limiting: enabled
ACTIVE api_key_rotation: auto
PENDING soc2_type_ii: in_progress
security-contact

Report a Vulnerability

We take security seriously and appreciate responsible disclosure. If you discover a security vulnerability, please report it to our security team.

info@attesso.com