Security & the Non-Custodial Model

Tessen can never touch your funds. Here is exactly why.

Non-custodial, enforced in code

Your money never moves to Tessen. Agents trade on your own exchange accountthrough an API key you create — and Tessen refuses, at connect time, any key that has withdrawal permission. This isn't a policy promise; the check runs against the exchange's own permission API before a key can be saved, and withdrawal-enabled keys are rejected with an error. The worst case of a total platform compromise is unwanted trades — never funds leaving your account.

How keys are stored

  • Validated live against the exchange first: the permission map is read and a signed read call must succeed.
  • Encrypted at the application layer with AES-256-GCM before touching the database — never stored in plaintext, even transiently.
  • The encryption master key lives outside the database and outside the code repository.
  • Your key is never sent to your browser and never displayed again — the UI shows a masked preview only.
  • Decryption happens only at order-execution time, inside the execution engine.
  • Disconnect deletes the encrypted record. We recommend also revoking the key on the exchange side.

What we ask you to do

  • Create a dedicated API key for Tessen — never reuse a key from another service.
  • Leave withdrawals disabled (Tessen rejects the key otherwise).
  • Enable IP restriction on the key if your exchange supports it.
  • Fund the account only with what the agent should trade. Account-level isolation is the strongest guardrail that exists.

Sign-in

Studio accounts use Clerk for authentication. Tessen never sees or stores your password, and all Studio API routes require a live session — there are no shared credentials anywhere in the product.