HlOne
HLOne/ Security
← Back to terminal

Keys & Encryption

HLOne may store two types of keys in your browser:

  • HL agent wallets — generated locally on first trade. Stored in plaintext the same way HyperLiquid's official frontend stores them. HL agents cannot withdraw — that permission is locked to your main wallet by the HL protocol.
  • Derive session keysonly stored if you explicitly import one via the Derive options UI. Generated by you on derive.xyz, copy/pasted in. If you don't use Derive options, no Derive key is ever stored.

Plaintext browser storage is industry standard for trading frontends (fast UX, limited blast radius for HL agents). Password protection below wraps them in AES-GCM encryption for extra defense against XSS and malicious browser extensions.

Password protection
Disabled
Derive session keys
0
HL agent wallets
0

Clear all stored keys

Removes ALL stored Derive session keys and HL agent wallets from this browser. Use this if your device is compromised, you're switching computers, or you want to start fresh.

This does NOT revoke the keys on-chain. Do that separately on derive.xyz / HL. After clearing, you'll need to re-import your Derive session key from derive.xyz and re-approve your HL agent.

Security model

  • HLOne never has custody of your funds. You sign every trade with your own wallet or locally-stored session keys.
  • Keys are stored only in your browser — never sent to our servers.
  • With password protection enabled, stored keys are AES-GCM encrypted with PBKDF2 (100k iterations).
  • Open source — inspect the code on GitHub.
  • !Vibe coded, unaudited. .