TxnShield
SecurityNo fabricated certifications

Security and trust

TxnShield is built to help SaaS teams evaluate sensitive transactions after login. This page explains the current posture honestly, including what TxnShield does and does not claim.

What TxnShield Does

TxnShield evaluates sensitive business actions such as exporting records, reading customer PII, changing payment details, changing permissions, and approving financial actions. It records transaction evidence, policy decisions, audit history, alerts, and webhook deliveries.

The product is designed to complement authentication and authorization. Your application still owns identity, permissions, user experience, and final enforcement behavior.

What TxnShield Does Not Do

  • It does not replace your identity provider, session management, RBAC, or application authorization.
  • It does not guarantee fraud prevention, account takeover prevention, or regulatory compliance by itself.
  • It does not make browser-side signals authoritative. Client and device signals are useful context, but they are probabilistic.
  • It does not require customers to send complete records or raw secrets to evaluate a transaction.

Secrets and Keys

Publishable keys may be used in browser-visible contexts. Secret keys are server-side credentials and should never be shipped to client code. TxnShield displays raw secret values only at creation time and stores hashed or encrypted material according to the credential type.

Customers should rotate keys before production launch, after personnel changes, after CI/CD changes, and after suspected exposure.

AI BYOK

AI BYOK is intended for server-side advisory workflows. Customers provide their own provider credentials. AI output should assist review and tuning; policies remain the source of enforcement behavior. At least for now ;)

Production Rollout

Start with a small number of high-value operations, observe event and decision logs, test step-up and deny flows, enable alerts, and configure webhooks only after validating signature handling. Production environments should use separate keys from development and staging.

For implementation guidance, read the production rollout guide and go-live checklist.

Reporting Security Issues

Use the contact page for security reports during early launch. Include a clear description, affected surface, reproduction steps, and whether you believe account data or secret material is involved.