Inside Vaultr's Security Architecture: Passkeys, 42 Workflows, and Defense in Depth
Inside Vaultr's defense in depth: WebAuthn passkeys, 16 microservices, a Saga orchestrator running 42 workflows, distributed locks, and an immutable audit trail.
The short version: Vaultr is built as 16 independent microservices, each with its own database and its own authentication, coordinated by a Saga orchestrator that runs 42 multi-step workflows with automatic rollback. On top of that sits real defense in depth: WebAuthn/FIDO2 passkeys, on-device face authentication that only ever stores a SHA-256 hash, distributed locks that prevent duplicate transactions, and an immutable audit trail. And none of it is custodial — the architecture protects your keys, it never holds them.
What does “defense in depth” actually mean at Vaultr?
Defense in depth means there is no single wall to climb. Instead, security is layered so that compromising one control doesn’t compromise the system.
Vaultr applies this at every level: how you authenticate, how services trust each other, how multi-step operations either complete or cleanly undo themselves, and how every action is permanently recorded. The goal is simple — make sure that one mistake, one bug, or one stolen credential is never enough.
How does the microservice architecture improve security?
Vaultr runs as 16 microservices, each with its own database and its own authentication. This isn’t just an engineering preference; it’s a security boundary.
When each service owns its own data store and authenticates independently, a breach is contained. There is no monolithic database holding everything, and no single auth layer whose compromise unlocks the whole platform. The blast radius of any incident shrinks dramatically.
Traffic into this fleet is managed by an API gateway that provides:
- Longest-prefix routing — requests deterministically reach the correct service
- Per-service circuit breakers — a failing service is isolated instead of dragging down the rest
- Request tracing — every request can be followed end-to-end for forensics and debugging
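As an added example (not Vaultr's code), the three gateway behaviours above can be seen together in a small Python front door: a longest-prefix router, one circuit breaker per backend service, and a trace id carried on every response. The service names, route prefixes, failure threshold and cooldown are constructed for illustration.

```python
# Added example, not Vaultr's gateway: longest-prefix routing plus a per-service
# circuit breaker. Route prefixes, service names and thresholds are constructed.
import time


class CircuitBreaker:
    """Opens after `threshold` consecutive failures, stays open for `reset_after`
    seconds, then lets a single probe call through (half-open)."""

    def __init__(self, threshold=3, reset_after=30.0, clock=time.monotonic):
        self.threshold, self.reset_after, self.clock = threshold, reset_after, clock
        self.failures = 0
        self.opened_at = None

    def allow(self):
        if self.opened_at is None:
            return True
        return self.clock() - self.opened_at >= self.reset_after

    def record(self, ok):
        if ok:
            self.failures, self.opened_at = 0, None
            return
        self.failures += 1
        if self.failures >= self.threshold:
            self.opened_at = self.clock()


class Gateway:
    def __init__(self, clock=time.monotonic):
        self.routes = {}      # prefix -> (service name, handler)
        self.breakers = {}    # service name -> CircuitBreaker (one per service)
        self.clock = clock

    def register(self, prefix, service, handler):
        self.routes[prefix] = (service, handler)
        self.breakers.setdefault(service, CircuitBreaker(clock=self.clock))

    def resolve(self, path):
        """Longest-prefix match: '/wallet/transfer' beats '/wallet' beats '/'."""
        best = None
        for prefix in self.routes:
            if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
                if best is None or len(prefix) > len(best):
                    best = prefix
        return best

    def handle(self, path, request_id):
        prefix = self.resolve(path)
        if prefix is None:
            return {"status": 404, "trace": request_id}
        service, handler = self.routes[prefix]
        breaker = self.breakers[service]
        if not breaker.allow():
            # Fail fast: the unhealthy service is isolated, others keep serving.
            return {"status": 503, "service": service, "trace": request_id}
        try:
            body = handler(path)
        except Exception as exc:
            breaker.record(False)
            return {"status": 502, "service": service, "error": str(exc), "trace": request_id}
        breaker.record(True)
        return {"status": 200, "service": service, "body": body, "trace": request_id}


def demo():
    """Constructed scenario: the escrow backend is down, the wallet services are fine."""
    now = [0.0]
    gw = Gateway(clock=lambda: now[0])

    def broken(path):
        raise RuntimeError("escrow service down")

    gw.register("/wallet", "wallet", lambda p: "balance ok")
    gw.register("/wallet/transfer", "transfer", lambda p: "transfer ok")
    gw.register("/escrow", "escrow", broken)
    statuses = [gw.handle("/escrow/settle", f"req-{i}")["status"] for i in range(4)]
    statuses.append(gw.handle("/wallet/transfer/42", "req-4")["status"])
    now[0] += 31.0  # cooldown elapsed: the breaker admits one probe, which fails again
    statuses.append(gw.handle("/escrow/settle", "req-5")["status"])
    return statuses


if __name__ == "__main__":
    print(demo())
```

The breaker is keyed by service, not by route, so every route into the failing service trips together, while the wallet and transfer services keep answering with their own breakers untouched.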
What is the Saga orchestrator, and why does it matter?
Self-custody operations are rarely a single step. Recovering an account, migrating a device, or settling an escrow payment can touch several services in sequence. If one step fails halfway, you do not want a half-completed state with funds or access stuck in limbo.
That’s what the Saga orchestrator prevents. It runs 42 multi-step workflows, and every one of them supports automatic compensating rollback. If step four of a workflow fails, the orchestrator runs the compensating actions to cleanly unwind steps one through three.
The result is consistency under failure: operations are atomic from your perspective, even though they span many independent services behind the scenes.
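The compensating-rollback behaviour described above, as an added example that is not Vaultr's orchestrator: each step pairs an action with an undo, and when a later step throws, the completed steps are unwound in reverse order. The device-migration workflow, its step names and the context fields are constructed for illustration.

```python
# Added example, not Vaultr's code: a minimal Saga with compensating rollback.
# If step N fails, steps 1..N-1 are compensated in reverse order.
from dataclasses import dataclass, field
from typing import Any, Callable, List, Optional


@dataclass
class Step:
    name: str
    action: Callable[[dict], Any]
    compensate: Callable[[dict], Any]


@dataclass
class SagaResult:
    ok: bool
    completed: List[str] = field(default_factory=list)
    compensated: List[str] = field(default_factory=list)
    failed_step: Optional[str] = None
    error: Optional[str] = None


class SagaOrchestrator:
    def run(self, steps, ctx):
        result = SagaResult(ok=True)
        done = []
        for step in steps:
            try:
                step.action(ctx)
            except Exception as exc:
                result.ok, result.failed_step, result.error = False, step.name, str(exc)
                break
            done.append(step)
            result.completed.append(step.name)
        if not result.ok:
            # Unwind in reverse. A compensation that itself fails is recorded,
            # never silently skipped, so the audit trail shows the true end state.
            for step in reversed(done):
                try:
                    step.compensate(ctx)
                    result.compensated.append(step.name)
                except Exception as exc:
                    result.compensated.append(f"{step.name}:FAILED({exc})")
        return result


def migration_workflow():
    """Constructed 'device migration' saga whose fourth step fails."""
    def reserve(ctx):
        ctx["reserved"].add(ctx["new_device"])

    def unreserve(ctx):
        ctx["reserved"].discard(ctx["new_device"])

    def rebind(ctx):
        ctx["bindings"]["wallet-1"] = ctx["new_device"]

    def unbind(ctx):
        ctx["bindings"]["wallet-1"] = ctx["old_device"]

    def revoke(ctx):
        ctx["sessions"][ctx["old_device"]] = False

    def restore(ctx):
        ctx["sessions"][ctx["old_device"]] = True

    def confirm(ctx):
        raise RuntimeError("notification service timed out")

    return [
        Step("reserve_new_device", reserve, unreserve),
        Step("rebind_wallet", rebind, unbind),
        Step("revoke_old_sessions", revoke, restore),
        Step("confirm_migration", confirm, lambda ctx: None),
    ]


def demo():
    ctx = {"old_device": "dev-A", "new_device": "dev-B", "reserved": set(),
           "bindings": {"wallet-1": "dev-A"}, "sessions": {"dev-A": True}}
    result = SagaOrchestrator().run(migration_workflow(), ctx)
    return result, ctx


if __name__ == "__main__":
    res, ctx = demo()
    print(res)
    print(ctx)
```

After the run the wallet is still bound to the old device, the old session is still valid and nothing is reserved: from the user's perspective the migration simply did not happen, which is the atomic outcome the text promises.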
How does Vaultr stop duplicate or replayed transactions?
Two mechanisms work together here:
- Redis distributed locks ensure that a given operation can’t be executed twice concurrently — no duplicate transactions slipping through a race condition
- Idempotency keys mean that retrying a request (because a network blipped, say) produces the same single result instead of a second charge or a second transfer
In a system that moves money, exactly-once is the only acceptable guarantee, and these two controls deliver it together: the lock rules out concurrent duplicates, the idempotency key rules out sequential ones.
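The two controls side by side, as an added example that is not Vaultr's code. Redis itself is replaced by an in-memory stand-in that mimics the relevant commands (SET NX PX for lock acquisition, and a compare-and-delete release so only the lock holder can release it); the key names, TTLs and the transfer routine are constructed.

```python
# Added example, not Vaultr's code: a token-holding distributed lock plus an
# idempotency cache, on an in-memory stand-in for Redis so it runs offline.
import secrets
import time


class FakeKV:
    """Stand-in for Redis: values with optional expiry, SET NX PX, compare-and-delete."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.data = {}  # key -> (value, expires_at or None)

    def _live(self, key):
        item = self.data.get(key)
        if item is None:
            return None
        value, expires_at = item
        if expires_at is not None and self.clock() >= expires_at:
            del self.data[key]
            return None
        return value

    def set_nx_px(self, key, value, ttl_ms):
        if self._live(key) is not None:
            return False
        self.data[key] = (value, self.clock() + ttl_ms / 1000.0)
        return True

    def get(self, key):
        return self._live(key)

    def set(self, key, value):
        self.data[key] = (value, None)

    def delete_if_equal(self, key, value):
        # Mirrors the Lua compare-and-delete used to release Redis locks safely:
        # a worker whose lock expired must not delete a newer holder's lock.
        if self._live(key) == value:
            del self.data[key]
            return True
        return False


class DistributedLock:
    def __init__(self, kv, name, ttl_ms=5000):
        self.kv, self.key, self.ttl_ms = kv, f"lock:{name}", ttl_ms
        self.token = secrets.token_hex(16)  # proves ownership at release time

    def acquire(self):
        return self.kv.set_nx_px(self.key, self.token, self.ttl_ms)

    def release(self):
        return self.kv.delete_if_equal(self.key, self.token)


def transfer(kv, idem_key, op_id, amount, ledger):
    """Runs a transfer at most once per idempotency key, never concurrently per op_id."""
    cached = kv.get(f"idem:{idem_key}")
    if cached is not None:
        return cached  # a retried request gets the original outcome, not a second transfer
    lock = DistributedLock(kv, op_id)
    if not lock.acquire():
        return {"status": "in_progress"}  # another worker owns this operation right now
    try:
        ledger.append(amount)
        result = {"status": "done", "tx": len(ledger)}
        kv.set(f"idem:{idem_key}", result)  # record the outcome before releasing the lock
        return result
    finally:
        lock.release()


def demo():
    kv = FakeKV(clock=lambda: 0.0)
    ledger = []
    first = transfer(kv, "idem-123", "op-1", 50, ledger)
    retry = transfer(kv, "idem-123", "op-1", 50, ledger)  # network blip, client retries
    competitor = DistributedLock(kv, "op-2")
    competitor.acquire()  # simulate a second worker already processing op-2
    blocked = transfer(kv, "idem-999", "op-2", 10, ledger)
    competitor.release()
    return first, retry, blocked, len(ledger)


if __name__ == "__main__":
    print(demo())
```

The ordering inside transfer matters: the idempotency result is written while the lock is still held, so a retry arriving after the lock is released finds the cached outcome rather than racing a fresh execution.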
How do passkeys and face authentication protect my account?
Vaultr’s front line is passwordless and phishing-resistant. It supports WebAuthn/FIDO2 passkeys, the modern standard that replaces passwords with cryptographic keys bound to your device — there’s no shared secret for an attacker to phish or a database breach to leak.
Face authentication is built to be private by design. Vaultr computes a 128-dimension face descriptor on your device, paired with a liveness check to defeat photos and replays. What gets stored is only a SHA-256 hash — never your raw biometric data. Your face never leaves your device in a form anyone could reconstruct.
For flows that still use one-time codes, OTP is delivered via SendGrid email and Twilio SMS with progressive cooldowns that throttle brute-force attempts.
How is the wallet itself locked down with 2FA?
Sensitive wallet actions are gated by a purpose-built two-factor challenge flow:
- A 64-byte one-time challenge with a 30-second TTL in Redis — narrow window, single use
- Verification by OTP (a 6-digit code compared in constant time, limited to 5 attempts before a 30-minute lockout) or a biometric HMAC
- A one-time JWT that is consumed atomically, so it can never be replayed
Every piece of this — short TTLs, attempt limits, timing-safe comparison, atomic consumption — exists to make the credential useless the instant after it’s legitimately used.
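The challenge, verification and token-consumption sequence above, as an added example that is not Vaultr's code. It uses an in-memory store with an injectable clock instead of Redis, hand-rolls a minimal HS256 JWT so no third-party library is needed, and returns the OTP from issue() purely so the example runs offline (in a real flow the code is sent out-of-band). The signing key, store layout and token lifetime are constructed; the 64-byte challenge, 30-second TTL, 6-digit code, 5-attempt limit and 30-minute lockout follow the text.

```python
# Added example, not Vaultr's code: challenge -> OTP verify -> one-time JWT consume.
# In-memory store with injectable clock stands in for Redis; signing key is constructed.
import base64, hashlib, hmac, json, secrets, time

CHALLENGE_TTL = 30        # seconds the challenge stays valid
MAX_ATTEMPTS = 5          # wrong codes before lockout
LOCKOUT = 30 * 60         # lockout duration in seconds
SECRET = b"constructed-example-key-do-not-reuse"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64json(obj) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


class ChallengeStore:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.challenges = {}    # challenge id -> {user, expires, otp, attempts}
        self.lockouts = {}      # user -> unlock time
        self.live_jtis = set()  # tokens issued but not yet consumed

    def issue(self, user):
        if self.clock() < self.lockouts.get(user, 0):
            raise PermissionError("locked out")
        challenge = secrets.token_bytes(64)            # 64-byte, single-use
        otp = f"{secrets.randbelow(10 ** 6):06d}"      # 6-digit code, sent out-of-band
        cid = hashlib.sha256(challenge).hexdigest()    # store a handle, not the raw bytes
        self.challenges[cid] = {"user": user, "expires": self.clock() + CHALLENGE_TTL,
                                "otp": otp, "attempts": 0}
        return cid, otp  # otp returned here only so the example can run offline

    def verify(self, cid, submitted):
        ch = self.challenges.get(cid)
        if ch is None or self.clock() >= ch["expires"]:
            self.challenges.pop(cid, None)
            return None
        ch["attempts"] += 1
        # Constant-time comparison: response time must not leak matching digits.
        if not hmac.compare_digest(ch["otp"].encode(), submitted.encode()):
            if ch["attempts"] >= MAX_ATTEMPTS:
                self.lockouts[ch["user"]] = self.clock() + LOCKOUT
                del self.challenges[cid]
            return None
        del self.challenges[cid]  # success also burns the challenge
        return self._issue_jwt(ch["user"])

    def _issue_jwt(self, user):
        jti = secrets.token_hex(16)
        self.live_jtis.add(jti)
        header = b64json({"alg": "HS256", "typ": "JWT"})
        payload = b64json({"sub": user, "jti": jti, "exp": int(self.clock()) + 60})
        sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{b64url(sig)}"

    def consume(self, token):
        """Check signature and expiry, then remove the jti; a second consume fails."""
        try:
            header, payload, sig = token.split(".")
        except ValueError:
            return False
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(sig)):
            return False
        claims = json.loads(unb64url(payload))
        if claims["exp"] < self.clock():
            return False
        try:
            self.live_jtis.remove(claims["jti"])  # single atomic step; Redis would use GETDEL
        except KeyError:
            return False
        return True


if __name__ == "__main__":
    store = ChallengeStore()
    cid, otp = store.issue("alice")
    token = store.verify(cid, otp)
    print(store.consume(token), store.consume(token))  # first True, replay False
```

Note what each control buys: the TTL bounds how long a stolen challenge is worth anything, the attempt counter and lockout bound brute force on a 6-digit space, constant-time comparison removes the timing side channel, and removing the jti in a single step means the JWT cannot be presented twice even if two requests race.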
What about an audit trail?
Every meaningful action writes to an immutable audit trail. Recovery requests, device migrations, and security-sensitive operations are all permanently recorded. Immutability matters: a tamper-proof log means you (and Vaultr) can always reconstruct exactly what happened and when, which is the bedrock of trust in a self-custody system.
Does any of this make Vaultr custodial?
No. This is the critical point. All of this architecture exists to protect your keys and your access — it never holds them. Vaultr is non-custodial by design. The 16 services, the 42 workflows, the passkeys, the locks, and the audit trail are there so that you keep control safely, not so that someone else can take it.
FAQ
Does Vaultr store my biometric data?
No. Face authentication runs on your device, computing a 128-dimension descriptor with a liveness check. Only a SHA-256 hash is ever stored — never your raw face data.
What happens if a multi-step operation fails partway through?
The Saga orchestrator runs compensating rollback. Any completed steps are cleanly undone, so you’re never left in a half-finished state. This covers all 42 of Vaultr’s multi-step workflows.
How does Vaultr prevent duplicate transactions?
Redis distributed locks prevent concurrent execution of the same operation, and idempotency keys ensure that retried requests resolve to a single result.
Are passkeys safer than passwords?
Yes. WebAuthn/FIDO2 passkeys use device-bound cryptographic keys with no shared secret, making them resistant to phishing and immune to password-database breaches.
Want to go deeper on how your keys stay yours? Explore Vaultr security.