At InstantPay, we operate on a strict "Trust, but Verify" philosophy. This document provides a transparent technical deep-dive into our infrastructure, proving our non-custodial nature and security standards without compromising operational security.
Code Transparency: While our full repository remains private to protect commercial IP, we document our critical security paths and transaction logic below.
The most critical aspect of InstantPay is that we never touch your funds. Transactions occur directly between the sender's wallet and the receiver's wallet on the Solana blockchain. Our platform acts purely as an interface and verification layer.
Here is the exact logic executed when a user clicks "Pay" on an InstantPay page. Note that the `SystemProgram.transfer` instruction points directly to the destination wallet, not an intermediary contract.
// Core Transaction Logic (Simplified)
import { SystemProgram, Transaction, PublicKey } from '@solana/web3.js';
export async function createTransferTransaction(
sender: PublicKey,
recipient: PublicKey, // This is the CREATOR'S wallet, not InstantPay's
amountSol: number
) {
// 1. Create a direct transfer instruction
const transferIx = SystemProgram.transfer({
fromPubkey: sender,
toPubkey: recipient, // Direct P2P transfer
lamports: amountSol * 1_000_000_000 // Convert to lamports
});
// 2. Construct transaction
const transaction = new Transaction().add(transferIx);
// 3. Get latest blockhash for validity
const { blockhash } = await connection.getLatestBlockhash();
transaction.recentBlockhash = blockhash;
transaction.feePayer = sender;
return transaction;
}Verification: You can verify this behavior by inspecting any transaction generated by InstantPay on a Solana Explorer (like Solscan). Look for the "Instruction" section; you will see a direct `System Program: Transfer` from your wallet to the creator's wallet.
We utilize the Sign In With Solana (SIWS) standard (CAIP-122) for authentication. This ensures we never store passwords and cannot access your private keys.
// Message Signing Structure
const message = new SiwsMessage({
domain: window.location.host,
address: publicKey.toBase58(),
statement: "Sign in to InstantPay to manage your profile.",
uri: window.location.origin,
version: "1",
chainId: "solana:mainnet",
nonce: randomNonce,
issuedAt: new Date().toISOString(),
});Our infrastructure is built on a serverless architecture designed for security and scalability.
We use Supabase (PostgreSQL) with strict Row Level Security (RLS) policies enabled on all tables. This means database access rules are enforced at the database engine level, not just the application level.
Profiles, products, and public links are readable by everyone but writable ONLY by the owner.
Settings, emails, and analytics are strictly isolated. Users can only query their own rows.
Digital products are stored in private buckets. Direct access is blocked. Download links are generated using Signed URLs that:
To bridge the gap between the blockchain and our database (for analytics and digital delivery), we use a robust verification system powered by Helius RPC nodes.
We do not trust client-side signals alone. When a payment is reported:
InstantPay does NOT use a custom smart contract for payments.
We utilize the native Solana System Program for SOL transfers. This eliminates "smart contract risk" (bugs in custom contract code) entirely for the payment flow. You are relying on the security of the Solana blockchain itself, which audits verify regularly.
Our Token Contract (for INSTANT token) is publicly verified.
5kdZWuGjUW6SWLdKkZHNqt7ioUMfr16JFKjFK86rpump