Monyr

§ 00 · Trust document

What we promise. And what we don’t.

Privacy products earn trust by being precise about their guarantees. This page is the precise version — what an outside observer can learn from your handle, what they can’t, and where the seams are.

Read this before you put your handle in a bio. If anything below surprises you, that’s on us — tell us so we can fix the framing.

§ 01Hidden vs. Visible

Privacy is a list. Here is ours.

Two columns, no marketing language. The left column is what we hide. The right column is what remains visible — including the unavoidable kind.

Private · only you

What is hidden

Encrypted on-chain, in browser, or never collected

Encrypted
  1. 01

    Recipient wallet history

    Your handle resolves to a fresh keypair (the vault) generated in your browser at signup. It has no DEX trades, no NFT mints, no airdrop history. There is nothing to scan.

  2. 02

    Payment amounts

    Funds land inside Umbra's Encrypted Token Account. Amounts are encrypted on-chain. Only your viewing key decrypts them. Block explorers show ciphertext.

  3. 03

    Sender → recipient link (private rail)

    On the private rail, the destination vault is AES-encrypted in the UTXO commitment, and the recipient’s claim is signed by Umbra’s relayer rather than by anyone tied to their handle. The deposit and the credit are both visible on-chain, but the link between them is hidden behind the mixer’s anonymity set.

  4. 04

    Memo / context

    Memos are encrypted client-side under your viewing key before any server write. The DB stores opaque ciphertext. Even if our database is dumped publicly, memos remain unreadable.

  5. 05

    Total received

    Your dashboard total is decrypted in your browser only. The server never sees the sum. There is no “Monyr balance” API call that returns dollars.

  6. 06

    Sub-handle linkage

    /@alice/acme and /@alice both target the same vault. The sub-path is metadata for your inbox, never for the chain. Acme can’t see your other clients.

Public · by design

What remains visible

Public by design, by physics, or by trade-off

Visible
  1. 01

    Your Monyr profile is public

    Anyone with the URL can see your handle, display name, bio, avatar, and suggested amounts. That’s the point — it’s a pay-me link.

  2. 02

    An Umbra interaction occurred

    Block explorers show a transaction touched the Umbra program at the moment a payment happened. The fact that something private happened is itself public.

  3. 03

    Quick Pay is a public rail

    Profiles offer a Quick Pay option alongside Private Pay — a plain SPL transfer for users who want speed over privacy. When a payer chooses Quick Pay, the sender wallet, the recipient vault pubkey, and the amount are all visible on-chain. Private Pay routes through Umbra’s mixer instead.

  4. 04

    The payer’s wallet (if they choose)

    Payers sign the deposit with their own wallet. If that wallet has its own public history, the “deposit-to-Umbra” tx is visible on it. We can’t hide a payer’s past from a payer’s past.

  5. 05

    Vault pubkey

    The handle’s receiving pubkey is public by design — payers need a destination. It controls only the encrypted vault, not your main wallet.

  6. 06

    First-time setup signatures

    Claiming a handle takes one main-wallet signature — the message that derives your vault encryption key. Activating private receiving (a separate dashboard step) runs the Umbra registration: a vault signature for the Master Viewing Key plus the registration transactions. First-time payers also register their wallet once before their first private payment; subsequent payments do not.

  7. 07

    Approximate timing

    A passive observer watching the chain can correlate when a tx happened, even without knowing the contents. Monyr does not obscure timestamps.

§ 02Threat model

Who sees what.

The matrix below covers every realistic observer of a Monyr payment. A “yes” on interaction exists is unavoidable; the rest is what the design defends.

  • Block-explorer browser

    Anyone with solscan.io and a wallet pubkey

    AmountNo
    Sender ↔ recipientNo
    MemoNo
    Interaction existsYes

  • Monyr server (us)

    Operator with full database access

    AmountNo
    Sender ↔ recipientNo
    MemoNo
    Interaction existsYes

  • Umbra relayer

    Third-party tx submitter, sponsors gas

    AmountNo
    Sender ↔ recipientNo
    MemoNo
    Interaction existsYes

  • Your accountant (with grant) — planned

    Time-scoped viewing key. Grant primitive is not yet in the shipped build.

    AmountYes
    Sender ↔ recipient½Scoped
    MemoYes
    Interaction existsYes

  • Attacker with leaked DB

    Worst case: full Postgres dump in the wild

    AmountNo
    Sender ↔ recipientNo
    MemoNo
    Interaction existsYes

  • You, the recipient

    Decrypted client-side with your viewing key

    AmountYes
    Sender ↔ recipientYes
    MemoYes
    Interaction existsYes

“Interaction exists” means an observer can tell somethinghappened on Umbra at a given moment — which is the floor of any privacy system that touches a public chain.

§ 03The hard rules

Six invariants we will not break.

If any of these stop being true in a future version, we owe you a changelog entry. They are load-bearing, not aesthetic.

  1. 01Invariant

    Your main wallet pubkey is never persisted.

    Authentication uses a short-lived session token signed by your main wallet. The server inserts your handle, vault pubkey, and an opaque ciphertext blob — nothing else.

  2. 02Invariant

    The vault private key is encrypted in the browser.

    AES-256-GCM with a key derived from your wallet’s signature on a fixed unlock message. The plaintext key never leaves your tab.

  3. 03Invariant

    Your main wallet never funds the vault directly.

    Doing so would link them on-chain. Registration gas is sponsored. The two identities share no transaction.

  4. 04Invariant

    Memos are encrypted before any network call.

    Encrypted under your viewing key, derived from the vault’s signature. The server stores ciphertext; we couldn’t decrypt them if we tried.

  5. 05Invariant

    Viewing rights are separable from spend rights.

    An accountant grant decrypts amounts in a window. It cannot move funds. A compromised viewing key cannot drain the vault.

  6. 06Invariant

    No analytics, no third-party scripts, no session replay.

    CSP locks outbound connections to Umbra endpoints, Solana RPC, and our own origin. There is no Segment, no Mixpanel, no Sentry without scrubbing.

§ 04The honest caveats

Exits are mixer-routed. Their privacy isn’t infinite.

Withdrawing funds doesn’t draw a line from your handle to your destination wallet — the chain never sees that transfer. But three things still constrain how private an exit really is.

Caution · withdrawal

How withdrawal works — and where its privacy ends.

A withdrawal is two transactions, neither of which is a direct vault-to-wallet transfer. The vault signs a step that creates a UTXO whose destination is AES-encrypted on-chain. The Umbra relayer then signs a separate transaction that credits the destination wallet’s public balance. An on-chain observer can’t draw a line between the two without solving for the mixer’s anonymity set.

  • Anonymity set. The mixer only mixes you with other Umbra users withdrawing in the same window. The create leg is timing-only — the amount stays inside the encrypted balance — but the claim leg has both timing and a public amount. On devnet today and on low-volume mainnet, that anonymity set is small, so an observer can still pair a recent vault-side create event with a public claim by timing alone, plus the claim’s amount as a tiebreaker. Privacy here grows with the network, not with any single transaction.
  • The destination is public. Once funds land in a public wallet, the credit transaction — amount and timing — is visible on that wallet’s history. Withdraw to an address already known to be yours, or move unique amounts on a predictable schedule, and observers can guess which mixer exit was yours.
  • Server-side trust. The handle-to-vault mapping lives in the Monyr database, and encrypted receipt metadata is stored server-side. The mixer doesn’t protect against a Monyr-server adversary or a subpoena — for that, the defenses are the encrypted-vault model and the absence of unencrypted memos.

Practical pattern: keep funds inside the vault and spend through Umbra-aware flows where possible. Withdraw only when you must move to fiat or to a wallet outside Monyr — and prefer a destination that doesn’t already have a public history tied to you.

§ 05  ·  Coda

Privacy is a list, not a slogan.

We’d rather lose an early signup to honest framing than win one on a promise we can’t keep. If something on this page reads softer than the code behind it, that is a bug. Tell us.

See the Umbra integrationClaim your handle

“On-chain, your handle should be your identity; your ledger should be your business.”