SECURITY

Trust comes from removing the things you have to trust.

Tab is non-custodial by construction. We never see your private key, we don't hold your float, and the on-chain contracts are minimal enough to read in an afternoon. This page is the short version; the technical docs go deeper.

Keys never leave your device

Tab wallets are generated in your browser. The private key is sealed with AES-256-GCM under a PIN-derived key (PBKDF2, 600k iterations) and only the encrypted blob is ever sent over the wire. With a passkey-backed wallet, the WebAuthn PRF extension does the sealing — your hardware authenticator is the only thing that can unlock it.

We can't reset your password because we don't have one. If you lose your PIN and your backup, Tab can't recover your wallet. That's the trade-off for the custody story.

Deep dive: key encryption.

Funds live in audited contracts, not in Tab

Every Tab on-chain action goes through one of four contracts: TabRouter (single payments), TabBotRouter (bot-driven flows + campaign grants), TabEscrowRouter (OpenTab escrow), TabSubscriptionRouter (recurring billing). All four are minimal — under 250 lines of Solidity each, no upgrade proxies, no admin override on user funds, hard caps on the protocol fee (5% max).

The contracts ship with 77 Foundry test cases, 100% line coverage on the router math, and fuzz tests on the fee and nonce paths. A third-party audit is underway and precedes any mainnet deploy.

Contract docs: overview, TabRouter, TabEscrowRouter, TabSubscriptionRouter.

The Gatekeeper pattern

Every privileged API path runs through a single guard: API key auth, scope check, rate-limit consumption, body-size cap, and idempotency replay handling — all before any handler code touches the request. One place to audit, one place to harden.

Deep dive: gatekeeper pattern.

Webhooks are HMAC-signed and SSRF-safe

Every event is signed with HMAC-SHA256 against your subscription secret, with a Stripe-style timestamp to prevent replay. The server resolves every outbound URL through a DNS guard that rejects localhost, RFC 1918 ranges, link-local, cloud-metadata IPs, and anything pointing at a private IP via hostname — before the first byte goes out.

Webhook reference: /docs/api/webhooks.
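How a receiver should check a signed event under the scheme described above: verify the HMAC-SHA256 in constant time and reject deliveries whose timestamp falls outside a replay window. This is an added illustration, not Tab's code; the header layout ("t=<unix seconds>,v1=<hex hmac>", signed over "<t>.<raw body>") and the 300-second window are assumptions, so check the webhook reference for the real format.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumed header layout for illustration: "t=<unix seconds>,v1=<hex hmac>",
# with the HMAC computed over "<t>.<raw body>" using the subscription secret.
TOLERANCE_SECONDS = 300  # reject events more than 5 minutes old or in the future

def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Build the signature header a sender would attach to a delivery."""
    digest = hmac.new(secret, b"%d." % timestamp + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"

def verify(secret: bytes, header: str, body: bytes, now: Optional[int] = None,
           tolerance: int = TOLERANCE_SECONDS) -> bool:
    """Return True only if the signature matches AND the timestamp is fresh."""
    parts = dict(p.split("=", 1) for p in header.split(",") if "=" in p)
    try:
        ts = int(parts["t"])
        provided = parts["v1"]
    except (KeyError, ValueError):
        return False  # missing or malformed header fields
    now = int(time.time()) if now is None else now
    # Replay window: a correctly signed but stale event is still rejected.
    if abs(now - ts) > tolerance:
        return False
    expected = hmac.new(secret, b"%d." % ts + body, hashlib.sha256).hexdigest()
    # Constant-time comparison so the digest cannot be guessed byte by byte via timing.
    return hmac.compare_digest(expected, provided)

# Constructed sample delivery (secret and body are placeholders, not real values).
SECRET = b"whsec_example_not_real"
BODY = b'{"event":"payment.completed","order_id":"ord_123"}'

def demo() -> dict:
    t = 1_700_000_000
    header = sign(SECRET, t, BODY)
    return {
        "valid": verify(SECRET, header, BODY, now=t + 10),
        "tampered": verify(SECRET, header, BODY + b" ", now=t + 10),
        "stale": verify(SECRET, header, BODY, now=t + 3600),
        "malformed": verify(SECRET, "garbage", BODY, now=t),
    }

if __name__ == "__main__":
    print(demo())
```

Always compute the HMAC over the raw request bytes, not over a re-serialized JSON object, since any whitespace or key-order change breaks the digest.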

Rate-limiting + cost protection

Every request hits a token-bucket limiter scoped per API key (or per IP for unauthenticated paths). Three tiers — read, payment, registration — with different budgets so a busy webhook replayer can't starve a checkout flow. Bodies over 32 KB (configurable per route) are rejected before JSON parsing starts.

Limits and tiers: /docs/security/rate-limiting.

What we collect

Off-chain we store: your handle, your wallet address (public), orders + escrows + subscriptions you own, webhook deliveries, and (if you opt in) your email for receipts. We don't collect KYC, browsing telemetry, or device fingerprints. The full data model lives in our privacy notice.

Disclosure

Found a vulnerability? Email security@thetab.bar with reproduction steps — we triage security reports ahead of everything else. The Immunefi bug bounty pays up to $250,000 for critical findings.