YSeed Security Model
YSeed is designed to be useful without becoming another place where a seed phrase can leak. The product refuses unsafe features on purpose.
Security summary
YSeed is a browser-only BIP39 toolkit. It generates and validates seed phrases locally, avoids phrase persistence, and does not include wallet balance checks, private key extraction, or address derivation features.
Default-deny rules
No seed phrase backend
There is no account system, database, wallet lookup endpoint, phrase API, or server-side phrase processing in the public app.
No phrase persistence
Generated phrases are not written to localStorage, sessionStorage, cookies, analytics payloads, or URLs. Only the visual theme preference may be saved.
No balance checks
YSeed does not derive wallet addresses or check balances. A safe generator should not ask you to paste a real phrase into a live website.
No unsafe expansion
The product does not show private keys, xpubs, derivation paths, or wallet addresses. Those features belong in dedicated offline tools.
Runtime boundaries
| Surface | Allowed | Denied |
|---|---|---|
| Randomness | Browser Web Crypto API | Server-generated phrases |
| Validation | Word count, wordlist, checksum | Wallet balance lookup |
| Storage | Theme preference only | Seed phrase persistence |
| Network | Static same-origin assets | Phrase telemetry or third-party phrase APIs |
Recommended private ceremony
- Prepare the environment. Close screen sharing, cloud notes, browser extensions you do not trust, and camera-visible surfaces.
- Load the app once. Open YSeed, then disconnect if your threat model requires offline generation.
- Generate locally. Choose 12, 15, 18, 21, or 24 words and generate the phrase in the browser.
- Write it down. Prefer paper or metal backup. Treat clipboard and screenshots as unsafe.
- Wipe the screen. Use the wipe control and close the tab after verification.
Balance-check tools are outside the trust boundary
YSeed will not add a seed phrase balance checker. A public page that asks for a recovery phrase to check balances is asking for the secret that controls the wallet.
Security playbooks
Use these pages when the question moves from BIP39 structure to operational safety.
Sources and verification
YSeed content and behavior should be checked against primary technical sources, not marketing claims.
Security FAQ
Does YSeed send seed phrases to a server?
No. YSeed is a static browser application. Seed phrase generation, validation, wordlist checks, and checksum checks run in the browser without a phrase API or account backend.
Does YSeed store generated seed phrases?
No. Generated phrases stay in JavaScript memory until the page is refreshed or wiped. YSeed does not write phrases to localStorage, sessionStorage, cookies, or the URL.
Can YSeed check whether a phrase has funds?
No. YSeed intentionally does not derive addresses, query wallets, or check balances. Balance-check tools create unnecessary privacy and security risk.