Are you an LLM? Read llms.txt for a summary of the docs, or llms-full.txt for the full context.
Skip to content

Account

A Pampalo account is one recovery phrase that derives three on-chain identities — with the phrase itself encrypted on your device by a passkey. Pampalo's servers never hold anything they could use to spend, link, or impersonate you.

One recovery phrase → three identitiesrecoveryphrasePoseidon identifierOwns your private notesProven in zero-knowledgeUnlinkable to your EVM addressEVM addressPays gas, holds public balancesYour cleartext on-chain handleThe only identity seen in the openEnvelope keyReceives notes others encrypt to youA secp256k1 public keyOnly you hold the key to decrypt

One phrase, three identities

When you create an account, your device generates a 12-word recovery phrase (a BIP-39 mnemonic). From it, Pampalo deterministically derives three identities, each with a distinct job:

  • EVM address — your public Ethereum address: the cleartext, on-chain handle that pays gas and holds public balances. The only identity anyone sees in the clear.
  • Poseidon identifier — the unlinkable owner of your private notes. It proves ownership inside a zero-knowledge proof without revealing your EVM address, so private activity can't be traced back to you.
  • Envelope key — a secp256k1 key others encrypt to when they send you a private note, so only you can read the note's secret off-chain.

Your passkey holds the keys

Your recovery phrase never leaves your device in the clear. It's encrypted once under a random data key (AES-256-GCM). Each passkey you register — stored on your device or in your password manager — produces a stable secret via the WebAuthn PRF extension; that secret derives a wrapping key that seals the data key. A passkey without PRF can't create or unlock a Pampalo account.

To sign in or authorise a transaction, your passkey re-derives the wrapping key, unwraps the data key, and decrypts the recovery phrase — all on your device. The server is only ever handed:

  • your encrypted recovery phrase (ciphertext), and
  • the public WebAuthn material needed to verify a passkey ceremony,

stored against an opaque credential id that isn't traceable to you or your device. Only your passkey can decrypt the stored secret (at time of writing, pre-quantum).

Why this matters

If Pampalo's database leaks or a server is compromised, all an attacker gets is ciphertext encrypted under keys you control — no recovery phrases, no spendable secrets, and no link between an account and an EVM address.

This doesn't remove every attack vector, but Pampalo is client-side first by design: it pushes power back to its users and removes the "honey pots" of plaintext user data that traditional web apps accumulate.