Zero custody. By design.
Incog Swap is an aggregator, not an exchange. All provider API calls happen inside secure server functions. Your assets route provider → destination wallet.
┌────────────────┐ ┌─────────────────────┐
│ Incog Swap UI │ HTTPS/RPC │ Server Functions │
│ (browser) │ ─────────────▶ │ get-quotes │
│ │ │ create-swap-order │
└─────┬──────────┘ │ check-order-status │
│ │ provider-health │
│ └────────┬────────────┘
│ │ (API keys live here only)
│ ▼
│ ┌─────────────────────────────────┐
│ │ Privacy Provider APIs │
│ │ FixedFloat · LetsExchange · │
│ │ SideShift · StealthEX · ... │
│ └────────────┬────────────────────┘
│ │ deposit address
▼ ▼
┌──────────────┐ ┌──────────────────────┐
│ Your wallet │ ─── send ───▶ │ Provider deposit │
└──────────────┘ │ Provider sends ───▶ │ ─▶ Destination wallet
└──────────────────────┘
▸ No private keys
Incog Swap never sees, stores, or requests a private key or seed phrase.
▸ No custody
Funds move directly from your wallet to the provider's deposit address, then to your destination.
▸ API keys server-side
All provider credentials live in encrypted environment variables. Never sent to the browser.
▸ Rate limited
Quote endpoints are rate-limited per session to prevent abuse and protect provider quotas.
▸ No KYC
Default routing prefers no-KYC providers. KYC-optional providers are clearly labelled in the matrix.
▸ Demo by default
Until provider API keys are configured, the app runs in clearly-labelled demo mode.