Security

Private Key Storage (Local Server)

When using the setup wizard, your private key is saved to ~/.easy-node/.env with file permissions set to 600 (owner read/write only). Recommendations:
  • Never commit .env files to version control
  • Use a dedicated wallet for MCP purchases — do not use your main wallet
  • Fund the wallet with only the USDC you plan to spend
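A quick pre-flight check for the points above, written as an added example (it is not part of easy-node): it confirms the key file has the 0600 mode the wizard sets, that the file and its directory are not readable or writable by other users, and that a project's .gitignore actually excludes .env files before anything is committed. The `~/.easy-node/.env` path is the one named on this page; the variable name in the constructed sample files is a placeholder, not easy-node's real setting.

```python
"""Pre-flight checks for a locally stored key file (added example, not easy-node code)."""
import os
import stat
import tempfile
from pathlib import Path

KEY_FILE = Path("~/.easy-node/.env").expanduser()  # path named on the page


def check_key_file(path: Path) -> list[str]:
    """Return the list of problems found; an empty list means the file is acceptable."""
    problems = []
    if not path.exists():
        return [f"{path} does not exist"]
    if path.is_symlink():
        problems.append("key file is a symlink; it should be a regular file")
    st = path.stat()
    mode = stat.S_IMODE(st.st_mode)
    # 0600 means no group/other bits at all; any of them is a leak to other local users.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode is {oct(mode)}; expected 0o600 (no group/other access)")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        problems.append("key file is not owned by the current user")
    # A directory writable by others lets them replace the file or swap in a symlink.
    parent_mode = stat.S_IMODE(path.parent.stat().st_mode)
    if parent_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path.parent} is writable by other users")
    return problems


def gitignore_covers_env(gitignore_text: str) -> bool:
    """True if the .gitignore text contains a pattern that excludes .env files.

    Only the common exact patterns are recognised (.env, *.env, .env*, optionally
    prefixed with '/' or '**/'); for anything cleverer, ask `git check-ignore`.
    """
    wanted = {".env", "*.env", ".env*"}
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue  # comments and negations never exclude anything
        for prefix in ("**/", "/"):
            if line.startswith(prefix):
                line = line[len(prefix):]
        if line in wanted:
            return True
    return False


def self_check() -> dict:
    """Exercise the checks on constructed files in a temp directory (never the real key)."""
    with tempfile.TemporaryDirectory() as tmp:  # created with mode 0700
        loose = Path(tmp) / "loose.env"
        loose.write_text("EXAMPLE_KEY=placeholder\n")  # constructed content, not a real key
        os.chmod(loose, 0o644)
        tight = Path(tmp) / ".env"
        tight.write_text("EXAMPLE_KEY=placeholder\n")
        os.chmod(tight, 0o600)
        return {
            "loose_has_mode_problem": any("mode" in p for p in check_key_file(loose)),
            "tight_is_clean": check_key_file(tight) == [],
            "gitignore_dot_env": gitignore_covers_env("# secrets\n/.env\nnode_modules/\n"),
            "gitignore_missing": gitignore_covers_env("node_modules/\ndist/\n"),
        }


if __name__ == "__main__":
    print(check_key_file(KEY_FILE) or ["OK: key file permissions look right"])
```

Run it after the setup wizard finishes, and again in a pre-commit hook or CI step if the directory that holds the .env file is ever inside a repository.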

Remote Server Security

When using the remote server at https://mcp-x402.easy-node.xyz/mcp:
  • Header-based auth — Your private key is sent in the X-Easynode-Private-Key HTTP request header over HTTPS, so it is encrypted in transit. It never appears in URLs or query strings, and the server does not write it to logs.
  • Stateless server — The key is used only to produce that single request's EIP-3009 signature. It is never stored, cached, or logged on the server. Note that the server does receive the raw key and could sign on the wallet's behalf for as long as it holds it; this is a trust relationship with the service operator, which is why the dedicated-wallet rule below bounds what is at stake.
  • HTTPS only — All communication between your client and the server is TLS-encrypted.
  • Dedicated wallet — Always use a separate wallet funded with only the USDC you intend to spend.

Max Payment Protection

The EASYNODE_MAX_PAYMENT environment variable (default: 100 USDC) caps the amount of any single transaction. If a product costs more than this limit, the purchase is rejected before any signature is created. To raise the limit, set it in the .env file:
# In ~/.easy-node/.env
EASYNODE_MAX_PAYMENT=500
Or in the env block of your MCP client's server configuration:
{
  "env": {
    "EASYNODE_MAX_PAYMENT": "500"
  }
}

What Gets Signed

Your wallet only signs EIP-3009 TransferWithAuthorization messages (EIP-712 typed data) for USDC transfers. The MCP server never:
  • Signs arbitrary transactions
  • Approves token spending
  • Interacts with smart contracts beyond USDC transfer
  • Sends ETH or other tokens
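The two guarantees above, the EASYNODE_MAX_PAYMENT cap and the rule that only a USDC TransferWithAuthorization is ever signed, are easiest to see as a single client-side policy check that runs before any signature is produced. The following is an added example, not easy-node's implementation: it parses the cap into integer atomic units (USDC has 6 decimals, so the comparison is exact rather than floating point) and rejects any typed-data request that is not a bounded, in-window TransferWithAuthorization on the expected USDC contract to the expected payee. The struct fields are those defined by EIP-3009; the domain values, payee and nonce in the constructed sample are placeholders that a real deployment would configure for its chain.

```python
"""Pre-sign policy check for x402-style USDC payments (added example, not easy-node code)."""
from decimal import Decimal, InvalidOperation

USDC_DECIMALS = 6
DEFAULT_MAX_PAYMENT = "100"  # the page's default cap, in USDC

# Field list of the EIP-3009 TransferWithAuthorization struct, in order.
EIP3009_FIELDS = [
    ("from", "address"), ("to", "address"), ("value", "uint256"),
    ("validAfter", "uint256"), ("validBefore", "uint256"), ("nonce", "bytes32"),
]


def usdc_to_atomic(amount: str) -> int:
    """Convert a human USDC amount ("12.5") to integer atomic units (12500000).

    Rejects negatives, non-numeric input and more than 6 decimal places instead
    of silently rounding, so a malformed cap can never widen the limit.
    """
    try:
        value = Decimal(amount.strip())
    except (InvalidOperation, AttributeError):
        raise ValueError(f"not a decimal amount: {amount!r}")
    if not value.is_finite() or value < 0:
        raise ValueError(f"amount must be a finite, non-negative number: {amount!r}")
    scaled = value.scaleb(USDC_DECIMALS)
    if scaled != scaled.to_integral_value():
        raise ValueError(f"more than {USDC_DECIMALS} decimal places: {amount!r}")
    return int(scaled)


def load_max_payment(env: dict) -> int:
    """Read EASYNODE_MAX_PAYMENT (default 100 USDC) from an environment mapping."""
    return usdc_to_atomic(env.get("EASYNODE_MAX_PAYMENT", DEFAULT_MAX_PAYMENT))


def check_authorization(typed_data: dict, expected_domain: dict, payee: str,
                        max_atomic: int, now: int) -> list[str]:
    """Return policy violations; an empty list means the request may be signed.

    Anything that is not a USDC TransferWithAuthorization to the expected payee,
    within the cap and the validity window, is refused here, before signing.
    That covers Permit/approval requests and arbitrary transactions alike.
    """
    problems = []
    if typed_data.get("primaryType") != "TransferWithAuthorization":
        problems.append(f"primaryType {typed_data.get('primaryType')!r} is not TransferWithAuthorization")
    struct = typed_data.get("types", {}).get("TransferWithAuthorization", [])
    if [(f.get("name"), f.get("type")) for f in struct] != EIP3009_FIELDS:
        problems.append("struct definition does not match EIP-3009 TransferWithAuthorization")
    domain = typed_data.get("domain", {})
    for key, want in expected_domain.items():  # pin name, version, chainId and USDC contract
        got = domain.get(key)
        if isinstance(want, str):
            got, want = str(got).lower(), want.lower()
        if got != want:
            problems.append(f"domain.{key} is {domain.get(key)!r}, expected {expected_domain[key]!r}")
    msg = typed_data.get("message", {})
    if str(msg.get("to", "")).lower() != payee.lower():
        problems.append(f"recipient {msg.get('to')!r} is not the expected payee")
    try:
        value = int(msg.get("value"))
    except (TypeError, ValueError):
        value = -1
    if value <= 0:
        problems.append("value must be a positive integer amount")
    elif value > max_atomic:
        problems.append(f"value {value} exceeds EASYNODE_MAX_PAYMENT ({max_atomic} atomic units)")
    try:
        valid_after, valid_before = int(msg.get("validAfter")), int(msg.get("validBefore"))
    except (TypeError, ValueError):
        problems.append("validAfter/validBefore must be integers")
    else:
        if not (valid_after <= now < valid_before):
            problems.append("authorization window does not cover the current time")
    nonce = str(msg.get("nonce", ""))
    if not (nonce.startswith("0x") and len(nonce) == 66):
        problems.append("nonce must be a 32-byte hex string")
    return problems


# Constructed sample. Addresses, domain values and the clock are placeholders, not
# real contracts, wallets or values taken from the page.
PAYEE = "0x" + "11" * 20
EXPECTED_DOMAIN = {"name": "USD Coin", "version": "2", "chainId": 8453,
                   "verifyingContract": "0x" + "22" * 20}
SAMPLE_NOW = 1_700_000_000  # fixed clock so the sample is deterministic


def sample_typed_data(value_atomic: int, now: int,
                      primary_type: str = "TransferWithAuthorization") -> dict:
    """Build a typed-data request shaped like an x402 payment (constructed sample)."""
    return {
        "types": {"TransferWithAuthorization": [{"name": n, "type": t} for n, t in EIP3009_FIELDS]},
        "primaryType": primary_type,
        "domain": dict(EXPECTED_DOMAIN),
        "message": {"from": "0x" + "33" * 20, "to": PAYEE, "value": str(value_atomic),
                    "validAfter": str(now - 60), "validBefore": str(now + 600),
                    "nonce": "0x" + "44" * 32},
    }


if __name__ == "__main__":
    cap = load_max_payment({"EASYNODE_MAX_PAYMENT": "500"})
    print(check_authorization(sample_typed_data(250_000_000, SAMPLE_NOW), EXPECTED_DOMAIN, PAYEE, cap, SAMPLE_NOW))
```

The ordering matters: the cap and the struct/primaryType checks run on the unsigned request, so a product priced above EASYNODE_MAX_PAYMENT, or a request dressed up as a Permit or some other struct, is refused without the wallet ever producing a signature.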

Instance Secrets Encryption

Connection details (IP, SSH credentials) are encrypted server-side using ECIES (Elliptic Curve Integrated Encryption Scheme) to your wallet's public key. Decryption happens locally with the matching wallet private key, so the secrets never travel in plaintext. The same property means those connection details are only recoverable by whoever holds that wallet key, so treat its backup as part of the instance's availability.