> ## Documentation Index
> Fetch the complete documentation index at: https://x402.easy-node.xyz/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

## Local Server - Private Key Storage

When using the `setup` wizard, your private key is saved to `~/.easy-node/.env` with file permissions set to `600` (owner read/write only).

**Recommendations:**

* Never commit `.env` files to version control
* Use a dedicated wallet for MCP purchases — do not use your main wallet
* Fund the wallet with only the USDC you plan to spend

## Remote Server Security

When using the remote server at `https://mcp-x402.easy-node.xyz/mcp`:

* **Header-based auth** — Your private key is sent via the `X-Easynode-Private-Key` HTTPS header, encrypted in transit. It never appears in URLs, query strings, or server logs.
* **Stateless server** — The key is used only for that single request's EIP-3009 signing. It is never stored, cached, or logged on the server.
* **HTTPS only** — All communication is TLS-encrypted end-to-end.
* **Dedicated wallet** — Always use a separate wallet funded with only the USDC you intend to spend.

## Max Payment Protection

The `EASYNODE_MAX_PAYMENT` environment variable (default: 100 USDC) caps the maximum amount per transaction. If a product costs more than this limit, the purchase is rejected before any signature is created.

To increase the limit:

```bash theme={null}
# In ~/.easy-node/.env
EASYNODE_MAX_PAYMENT=500
```

Or via environment variable:

```json theme={null}
{
  "env": {
    "EASYNODE_MAX_PAYMENT": "500"
  }
}
```

## What Gets Signed

Your wallet only signs **EIP-3009 TransferWithAuthorization** messages for USDC transfers. The MCP server never:

* Signs arbitrary transactions
* Approves token spending
* Interacts with smart contracts beyond USDC transfer
* Sends ETH or other tokens

## Instance Secrets Encryption

Connection details (IP, SSH credentials) are encrypted server-side using ECIES (Elliptic Curve Integrated Encryption Scheme) with your wallet's public key. Decryption happens locally — secrets never travel in plaintext.
