Security

Role-based access control, wallet authentication, and permission models.

Security is foundational to Wolvo. We use non-custodial wallet authentication, role-based access control, and comprehensive audit logging to keep your data and automations secure.

Zero Trust: Wolvo never stores private keys. All authentication happens through cryptographic signatures.

Access Control

Wolvo uses role-based access control (RBAC) to manage permissions:

Owner

Full access. Can manage team, billing, and all resources.

Admin

Can create/edit workflows, modules, and manage team members.

Developer

Can create/edit workflows and modules. Cannot manage team.

Viewer

Read-only access to dashboards and logs.

Manage Team Roles
// Invite team member
await client.team.invite({
  wallet: 'ABC123...xyz',
  role: 'developer',
  permissions: ['workflows:write', 'modules:write']
})

// Update role
await client.team.updateRole('ABC123...xyz', 'admin')

// Remove member
await client.team.remove('ABC123...xyz')

Granular Permissions

Fine-grained permissions for advanced access control:

| Permission | Description |
| --- | --- |
| workflows:read | View workflows |
| workflows:write | Create/edit workflows |
| workflows:delete | Delete workflows |
| modules:read | View modules |
| modules:write | Install/create modules |
| signals:read | View signals and logs |
| api_keys:manage | Create/revoke API keys |
| team:manage | Invite/remove team members |
| billing:manage | Access billing settings |

Audit Logs

All actions are logged for compliance and debugging:

Query Audit Logs
// Get recent audit logs
const logs = await client.audit.list({
  limit: 100,
  filter: {
    action: 'workflow.created',
    actor: 'ABC123...xyz',
    since: '2024-01-01'
  }
})

// Each log entry contains:
// - timestamp
// - actor (wallet address)
// - action
// - resource
// - details
// - ip_address
// - user_agent

Logged Events

user.login
user.logout
workflow.created
workflow.updated
workflow.deleted
module.installed
api_key.created
api_key.revoked
team.member_added
team.member_removed
settings.updated
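One way to turn these entries into alerts, as an added example that is not Wolvo's own code: two detection rules run over audit entries. It assumes entries are plain objects with the fields listed above and ISO 8601 timestamps; the rule names, thresholds, `findSuspicious` helper and sample data are constructed for illustration.

```javascript
// Constructed sample entries (made-up wallets, documentation-range IPs) with the
// entry fields listed above; ISO 8601 timestamps are an assumption.
const entry = (timestamp, actor, action, ip_address) => ({ timestamp, actor, action, ip_address });
const SAMPLE_LOGS = [
  entry('2024-01-02T09:00:00Z', 'WALLET_A', 'user.login', '198.51.100.7'),
  entry('2024-01-02T09:05:00Z', 'WALLET_A', 'workflow.created', '198.51.100.7'),
  entry('2024-01-02T09:10:00Z', 'WALLET_A', 'api_key.created', '203.0.113.50'),
  entry('2024-01-02T10:00:00Z', 'WALLET_B', 'user.login', '192.0.2.10'),
  entry('2024-01-02T10:01:00Z', 'WALLET_B', 'workflow.deleted', '192.0.2.10'),
  entry('2024-01-02T10:02:00Z', 'WALLET_B', 'workflow.deleted', '192.0.2.10'),
  entry('2024-01-02T10:03:00Z', 'WALLET_B', 'workflow.deleted', '192.0.2.10'),
  entry('2024-01-02T10:05:00Z', 'WALLET_B', 'api_key.created', '192.0.2.10'),
];

// Logged events that change who or what can reach the workspace.
const SENSITIVE = new Set(['api_key.created', 'team.member_added', 'team.member_removed', 'settings.updated']);

// Returns alert objects for two illustrative rules; thresholds are hypothetical defaults.
function findSuspicious(logs, { deleteBurst = 3, windowMs = 10 * 60 * 1000 } = {}) {
  const alerts = [];
  const knownIps = new Map(); // actor -> Set of IPs already seen for that actor
  const deletes = new Map();  // actor -> timestamps (ms) of recent workflow.deleted
  const sorted = [...logs].sort((a, b) => Date.parse(a.timestamp) - Date.parse(b.timestamp));
  for (const e of sorted) {
    const t = Date.parse(e.timestamp);
    const ips = knownIps.get(e.actor) ?? new Set();
    // Rule 1: sensitive action from an IP the actor has not used earlier in the log.
    // An actor with no earlier entries has no baseline, so nothing is flagged for them yet.
    if (SENSITIVE.has(e.action) && ips.size > 0 && !ips.has(e.ip_address)) {
      alerts.push({ rule: 'sensitive_action_new_ip', actor: e.actor, action: e.action, timestamp: e.timestamp });
    }
    knownIps.set(e.actor, ips.add(e.ip_address));
    // Rule 2: deleteBurst workflow deletions by one actor inside a sliding window.
    if (e.action === 'workflow.deleted') {
      const recent = (deletes.get(e.actor) ?? []).filter((ts) => t - ts <= windowMs);
      recent.push(t);
      deletes.set(e.actor, recent);
      // Alert once, when the count first reaches the threshold.
      if (recent.length === deleteBurst) {
        alerts.push({ rule: 'workflow_delete_burst', actor: e.actor, action: e.action, timestamp: e.timestamp });
      }
    }
  }
  return alerts;
}

console.log(findSuspicious(SAMPLE_LOGS));
```

The new-IP rule only knows the IPs present in the entries it is given, so feed it a long enough history to establish a baseline before acting on its alerts.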

Security Best Practices

Rotate API keys regularly

Set expiration dates and rotate keys every 90 days.

Use minimal permissions

Grant only the permissions each team member needs.

Enable webhook signatures

Always verify webhook signatures to prevent spoofing.

Monitor audit logs

Set up alerts for suspicious activity patterns.

Use hardware wallets

For production systems, use hardware wallet authentication.

Review team access

Regularly audit team member access and remove inactive users.