Security & custody

Your keys, your funds.
Non-custodial by design.

Zap.Tips is a bring-your-own-key wallet. We cannot see your funds and we cannot move them, because your key never reaches us. Here is exactly how that works.

BYOK | PBKDF2 210k | AES-GCM | Key stays on device

How BYOK works

Four steps, one guarantee.

1. You bring your own key

Zap.Tips does not issue keys or hold accounts. You paste your own BitcoinVN API key into the app once.

2. Encrypted on your device

A passphrase only you know is run through PBKDF2 with 210,000 iterations to derive an encryption key, and your API key is then sealed with AES-GCM under that derived key. This happens in your browser.

3. Only ciphertext is stored

The encrypted blob lives in your browser localStorage. The plaintext key is held in memory for the session only and is gone when you close the tab.

4. Money moves browser-direct

Every exchange call goes straight from your browser to BitcoinVN. Lightning runs client-side over NWC (Nostr Wallet Connect). Your key never touches a Zap.Tips server.
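
Steps 2 and 3 as an added example using the Web Crypto API; this is not Zap.Tips' own code. The page states only the iteration count and the cipher, so the PBKDF2 hash (SHA-512), the salt and IV sizes, the 256-bit key length, the JSON blob layout and the function names are assumptions.

```javascript
// Added example, not Zap.Tips code. Assumed: SHA-512, 16-byte salt, 12-byte IV, JSON blob.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // browser or Node
const ITERATIONS = 210000; // iteration count stated on the page
const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Passphrase -> non-extractable AES-GCM key via PBKDF2.
async function deriveKey(passphrase, salt) {
  const material = await wc.subtle.importKey(
    "raw", new TextEncoder().encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-512", salt, iterations: ITERATIONS },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Returns the string that would be written to localStorage (ciphertext only).
async function sealApiKey(apiKey, passphrase) {
  const salt = wc.getRandomValues(new Uint8Array(16)); // fresh per seal
  const iv = wc.getRandomValues(new Uint8Array(12));   // never reused with the same key
  const key = await deriveKey(passphrase, salt);
  const ct = await wc.subtle.encrypt(
    { name: "AES-GCM", iv }, key, new TextEncoder().encode(apiKey));
  return JSON.stringify({ v: 1, salt: b64(salt), iv: b64(iv), ct: b64(ct) });
}

// Returns the plaintext key, or null on a wrong passphrase or a modified blob.
async function openApiKey(blob, passphrase) {
  const { v, salt, iv, ct } = JSON.parse(blob);
  if (v !== 1) return null; // unknown blob version
  const key = await deriveKey(passphrase, unb64(salt));
  try {
    const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv: unb64(iv) }, key, unb64(ct));
    return new TextDecoder().decode(pt); // keep in memory only, never persist
  } catch {
    return null; // GCM tag check failed
  }
}
```

AES-GCM is authenticated, so a wrong passphrase or an altered blob makes decryption fail instead of returning garbage, which is why `openApiKey` returns `null` in both cases.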

What to keep safe

Two things, and only you hold them: your BitcoinVN API key, and the passphrase that encrypts it. If you lose the passphrase, the stored ciphertext cannot be opened and you will need to re-enter your key. Keep both somewhere private.

What we can and cannot do

We cannot see your key, read your balance, or move your money. We serve the app and proxy public exchange data. Everything that touches funds runs in your browser, direct to BitcoinVN over your own credentials.


Non-custodial, plainly.

A custodial option may come later for people who want it. For now, you are the only one who can spend your balance. That is the point.
