Safety: Wallet Connection Guide
Two options. Both secure. Different trade-offs.
Xaman (Mobile app)
How it works
When an order completes, YesAllofUs sends a push notification to your phone. You open Xaman, review the payment details, and approve or reject.
Nothing happens without your explicit approval. Every. Single. Time.
Pros
- ✓ Maximum control
- ✓ Review every payment before it sends
- ✓ No auto-signing = no risk of unauthorized payments
- ✓ Works on mobile
Cons
- ○ Manual approval needed for each payout
- ○ Affiliates wait until you approve
- ○ Not ideal if you have high volume
Best for
Low volume stores. People who want maximum control. Anyone uncomfortable with auto-signing.
Crossmark (Browser extension)
How it works
You add YesAllofUs as a "signer" on your wallet with specific limits. When an order completes, YesAllofUs automatically triggers the payment — no manual approval needed.
Payments are instant. Affiliates get paid in ~4 seconds.
Pros
- ✓ Fully automatic payouts
- ✓ Affiliates paid instantly
- ✓ Set your own daily limits
- ✓ Revoke access anytime
Cons
- ○ Requires trusting YesAllofUs as a signer
- ○ Desktop only (browser extension)
Best for
Higher volume stores. Anyone who wants true instant payouts. People comfortable with XRPL SignerLists.
Wallet security
YesAllofUs never holds your private keys
Your keys stay in your wallet (Xaman or Crossmark). YesAllofUs only has permission to request transactions — never to access your keys directly.
Daily limits protect you (Crossmark)
You set the maximum single payout and daily total. Even if something went wrong, payouts are capped at your limits.
Revoke anytime
With Crossmark, you can remove YesAllofUs as a signer at any time from your wallet settings. Instant. No questions asked.
100% transparent
Every payment is recorded on the XRP Ledger. You, your affiliates, and anyone else can verify every transaction publicly.
⚠️ Honest risks
With Crossmark auto-signing
- If YesAllofUs were compromised: An attacker could trigger payments up to your daily limit. Mitigation: set conservative limits, monitor your wallet, revoke immediately if suspicious.
- If you set limits too high: A bug or attack could drain more than intended. Mitigation: start with low limits, increase as you build trust.
What an attacker would need to breach:
1. Bypass Cloudflare DDoS protection
2. Penetrate UFW firewall (only SSH/HTTP/HTTPS open)
3. Crack SSH with 2FA + key-only auth on non-standard port
4. Evade Fail2Ban auto-banning
5. Bypass API rate limiting (60 req/min per IP)
6. Forge valid API authentication
7. Pass input validation and sanitization
8. Then they'd still be limited by your daily cap
Each layer must be breached in sequence. Your daily limit is the final failsafe.
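An added example (not YesAllofUs code) of the "monitor your wallet" mitigation: it re-checks a wallet's outgoing XRP payments against the single-payout and daily limits you chose, independently of the service. The entry shape is modelled on the `tx`/`meta` pairs of an XRPL `account_tx` response; the sample history, the placeholder addresses, grouping by UTC day and XRP-only amounts are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

RIPPLE_EPOCH = 946684800   # XRPL "date" counts seconds since 2000-01-01T00:00:00Z
DROPS_PER_XRP = 1_000_000  # XRP amounts on the ledger are strings of drops

def audit_payouts(account, entries, max_single_xrp, max_daily_xrp):
    """Return (alert, tx_hash) pairs for validated outgoing XRP payments over the limits."""
    alerts, daily = [], defaultdict(int)
    for entry in sorted(entries, key=lambda e: e["tx"]["date"]):
        tx, meta = entry["tx"], entry["meta"]
        if tx.get("TransactionType") != "Payment" or tx.get("Account") != account:
            continue  # not a payment sent from the monitored wallet
        if meta.get("TransactionResult") != "tesSUCCESS":
            continue  # failed transactions deliver nothing to the destination
        delivered = meta.get("delivered_amount")
        if not isinstance(delivered, str):
            alerts.append(("non_xrp_payment_review", tx["hash"]))  # token amount: out of scope
            continue
        drops = int(delivered)
        day = datetime.fromtimestamp(tx["date"] + RIPPLE_EPOCH, tz=timezone.utc).date()
        if drops > max_single_xrp * DROPS_PER_XRP:
            alerts.append(("single_limit_exceeded", tx["hash"]))
        daily[day] += drops
        if daily[day] > max_daily_xrp * DROPS_PER_XRP:
            alerts.append(("daily_limit_exceeded", tx["hash"]))
    return alerts

MERCHANT = "rMERCHANT_PLACEHOLDER"  # constructed placeholder, not a real address

def _entry(tx_hash, date, drops, result="tesSUCCESS", sender=MERCHANT):
    meta = {"TransactionResult": result}
    if result == "tesSUCCESS":
        meta["delivered_amount"] = str(drops)
    tx = {"TransactionType": "Payment", "Account": sender, "hash": tx_hash, "date": date}
    return {"tx": tx, "meta": meta}

# Constructed sample history; 800064000 is the first second of the second UTC day.
SAMPLE = [
    _entry("A", 800000000, 20_000_000),
    _entry("B", 800000100, 20_000_000),
    _entry("C", 800063999, 15_000_000),   # pushes day one to 55 XRP
    _entry("D", 800064010, 30_000_000),   # new UTC day, but above the single cap
    _entry("E", 800064020, 100_000_000, result="tecUNFUNDED_PAYMENT"),
    _entry("F", 800064030, 90_000_000, sender="rOTHER_PLACEHOLDER"),
]

if __name__ == "__main__":
    for alert in audit_payouts(MERCHANT, SAMPLE, max_single_xrp=25, max_daily_xrp=50):
        print(alert)
```

Any alert here means a payment left the wallet outside the limits you configured, which is the point at which the page's advice to revoke the signer applies.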
With Xaman manual approval
Minimal risk. Nothing happens without your explicit approval. The only downside is speed — affiliates wait for you to approve.
🛡️ Server security
What we do
- ✓ API hosted on DigitalOcean (NYC) with firewall
- ✓ HTTPS everywhere — all traffic encrypted
- ✓ Rate limiting — 60 requests/min per IP, 10 payouts/min per store
- ✓ Input validation on all endpoints
- ✓ Redis locks prevent duplicate payments
- ✓ No passwords stored — wallet-based auth only
- ✓ API secrets hashed, never logged
- ✓ Balance checks before every payout
- ✓ Daily limits enforced server-side
What we don't do (yet)
- ○ SOC2 certification — we're a solo operation
- ○ Penetration testing by third party
- ○ Multi-region failover
- ○ 24/7 monitoring team
Honest assessment
This is indie software built by one developer. It's not bank-grade. I've built in sensible protections, but I'm not pretending to be enterprise security.
If you're doing $10k+/month in payouts, you should:
- Set conservative daily limits
- Monitor your wallet regularly
- Keep only working capital in your connected wallet
- Understand you're trusting me and my code
I'm building in public. The code works. But "trust" takes time to earn.
My recommendation
Start with Xaman if you're new to this. Get comfortable with how payouts work. See the transactions on the ledger.
Switch to Crossmark when you want instant payouts and you trust the system. Set conservative limits at first.