SIWS + 2FA

Operator login is a wallet signature (Sign-In With Solana) over a server nonce, plus optional TOTP 2FA.

For public deployments, operator access to the hub and gateway is authenticated by Sign-In With Solana: the operator's wallet signs a server-issued nonce, proving ownership without any password or custodied credential. On top of that, TOTP 2FA and single-use backup codes protect the session — on both hub and gateway.

  • No passwords anywhere — the wallet key is the identity, and the nonce prevents replay; there is nothing server-side to phish or leak.
  • Per-wallet TOTP enrollment is persisted in hub state, so 2FA survives restarts along with slots and bindings.
  • Backup codes are single-use — each one is consumed on login, for recovery when the authenticator device is unavailable.
  • Scope honestly stated — bare hub and RPC ports are designed for trusted host / LAN / VPN; SIWS + 2FA is the layer that makes *public* domains safe to expose.