Common questions.

Not by an independent third party yet. We're pre-1.0 — the codebase is open source and auditable by anyone, with ~99% backend test coverage on security-sensitive paths. The watch-only guarantee is verifiable directly: a grep across the server for privateKey, seed, or mnemonic returns zero matches. See the security page for the architectural details, and start small while you get comfortable.

Treat it as experimental. Useful on testnet/signet and for getting comfortable with the workflow; acceptable on mainnet for small amounts where you're comfortable with the risks. Not appropriate as the sole interface to your main stack. The watch-only architecture limits blast radius — the worst a bug can do is present a bad transaction for your device to sign — but "limited" isn't "zero". Verify on the device.

Ledger (Nano S / S+ / X / Stax / Flex), Trezor (Model One / T / Safe 3 / 5 / 7), BitBox02, Blockstream Jade, ColdCard, ColdCard Q, Keystone, and Passport. USB-connected devices (Ledger, Trezor, BitBox02, Jade) require HTTPS and a browser that implements WebUSB / WebHID / WebSerial (Chrome, Edge, or Brave). Air-gapped devices work over QR code or MicroSD file. See the compatibility table.

BitBox02 and Blockstream Jade are implemented but not yet verified on hardware — please report results on Codeberg if you try one.

No. Sanctuary defaults to public Electrum servers. For privacy though, running your own Electrum-compatible server is a big upgrade — it means no one else sees which addresses belong to your wallet. Supported servers include Fulcrum, electrs, and ElectrumX. Point Sanctuary at them via ELECTRUM_HOST in .env.

Yes. Sanctuary supports role-based access with three levels: Owner (full control), Signer (view + build transactions + edit labels), and Viewer (read-only). Groups let you apply the same permissions to several users at once. An Owner can disable public registration so only invited users get accounts. See role-based access.

Yes, via a community app — but with limits. Umbrel serves apps over HTTP, and browsers only grant WebUSB / WebHID / WebSerial and camera access over HTTPS. So on Umbrel you can import descriptors, view balances, and create PSBTs for air-gapped signing (via MicroSD upload) — but you can't use WebUSB hardware wallets or QR camera scanning. Full functionality lives on the standard install. See Umbrel install.

Sensitive secrets are: Electrum server passwords and 2FA shared secrets are encrypted at rest using the ENCRYPTION_KEY and ENCRYPTION_SALT generated at install time. User passwords are bcrypt-hashed. Wallet xpubs and transaction history are stored in plaintext (they are public data by design — xpubs only reveal your addresses, not your keys). See Security.

Yes. Start Sanctuary with ./start.sh --with-tor to route traffic through Tor. Combine with your own Electrum server for a setup where no third party can correlate your queries with your IP address.

Yes. Use Administration → Backup & Restore to export a JSON snapshot containing wallets, users, 2FA settings, labels, groups, sharing permissions, and audit logs. To migrate onto a different server, also copy ENCRYPTION_KEY and ENCRYPTION_SALT from .env — that preserves the encrypted fields. Without them, node passwords and 2FA secrets are cleared (with a clear warning) and users re-enroll. See backup & restore.

Re-run the installer: cd ~/sanctuary && ./install.sh. It fetches the latest release tag, rebuilds, and restarts. Do not use git pull — installs check out a release tag, which puts Git in detached-HEAD state; ./install.sh handles this correctly.

Regular bugs: open a Codeberg issue. Include OS, browser, Sanctuary version (git describe --tags --always in the install dir), and what you expected vs. what happened.

Diagnostic bundles: for harder-to-reproduce issues, Administration → System Settings → Support Package generates a diagnostic archive that downloads directly to your machine. Nothing is ever transmitted automatically or to Sanctuary — the bundle only leaves your computer if you attach it to an issue yourself. It contains service health, sync status, queue/cache metrics, error logs, server version, and your config with secrets redacted (database / Redis URLs, encryption keys, passwords). Wallet entries are anonymised — no xpubs, no addresses, no labels, just type / network / counts / last-sync status. User IDs and wallet IDs are replaced with deterministic aliases (e.g. wallet-a3f2c1d8). Inspect the JSON before sharing; treat it like any other log export.

Security vulnerabilities: please don't post exploit details publicly. Open a brief Codeberg issue asking for a private disclosure channel.

The web UI is responsive and works in mobile browsers. Separately, Sanctuary includes an optional mobile API gateway (port 4000) that exposes a whitelisted set of endpoints to future iOS / Android companion apps with push notifications (FCM / APNs), JWT auth, and rate limiting. The gateway runs automatically with ./start.sh.