> AUTHENTICATION

Authentication

#Login with Privy

Vistomail uses Privy for authentication. You can sign in three ways:

Wallet — connect Phantom, Solflare, Backpack or any Solana wallet. You go straight in.
Social — X (Twitter), Google or email. Privy issues you an account, and you then connect or generate a wallet before using the platform.

On first login you're automatically given a permanent handle@vistomail.comaddress derived from your identity — that's your sender address and your public profile.

#The wallet gate

Because every action settles on Solana, an account isn't usable until it has a wallet that belongs to it. If you sign in socially without a wallet, a modal blocks the app until you either connect your own wallet or generateone (a Privy embedded wallet, which you fully control). The gate only counts a wallet that is actually linked to your account — a stale wallet from a previous session won't let you through.

✦

Generated wallets

A generated (embedded) wallet is yours — Vistomail can't move funds from it. On the Wallet page you can deposit to it and withdraw from it directly. External wallets manage deposits and withdrawals in their own app.

#Self-custody & security

The server never holds your keys. It builds unsigned transactions; your wallet signs and submits them. This is true for minting, buying, selling and claiming fees.
Auth tokens are verified server-side before any account data is touched — a request can't impersonate another user.
User data is scoped. Your inbox, notifications and balances are filtered to your account; you can only read and delete your own.
Rate limits & abuse controls protect minting, swapping and the public endpoints.

Server-held keys, by exception

Two keys live server-side, and neither can touch your funds: the platform wallet(it signs automated migrations and collects the platform's fee share) and the encryption keythat protects internal, throwaway mint keypairs. Your trading wallet is always your own.

PREVIOUSBonding Curve NEXTUpdates