NoKYCSwap
Transparency · Updated April 2026

How this actually works

Specifics about the architecture, the data, the flagging policy. If you care whether "no logs" is a slogan or a description, this page is for you.

Architecture

NoKYCSwap is a PHP 8.2 frontend over a third-party liquidity aggregator. There is no database — no users table, no orders table, nothing relational. Ephemeral order state lives as flat JSON files on the filesystem, purged on settlement. The only persistent store beyond that is a filesystem cache for rate quotes (60-second TTL) and currency lists (5-minute TTL).

Every order is a capability: the order ID plus a token returned by the backend. You hold the URL with those embedded; we hold the matching deposit address plus a timestamp. Nothing else.

What we record

  • A random CSRF session cookie (nsw) for the duration of your browser session, used only to gate the API endpoints that create orders. No identifier inside.
  • The order record: pair, amount, deposit address, payout address, type (float/fixed), created-at timestamp. Purged on settlement or after 30 days.
  • Per-IP anti-abuse counters for rate limiting. Reset every minute. Never linked to personal data.
  • Nginx access logs (method, path, status, user-agent). Rotated every 24 hours.

What we never record

  • Name, email, phone, ID, date of birth, nationality — there is no form on this site that asks.
  • Any third-party analytics tag. No Google Analytics, no Hotjar, no Segment, no Facebook Pixel, nothing.
  • Tracking cookies. The only cookie we set is the session cookie described above.
  • Long-term IP logs. Access logs rotate within 24 hours.
  • Device or browser fingerprints.

Flagging policy

The upstream router screens deposit addresses against sanctions lists and known-illicit-flow feeds. When an order is flagged:

  • The order page enters an Emergency state.
  • You are offered two actions: refund to an address you provide, or accept the current market rate and continue.
  • We never ask for identity documents at this stage. Ever.
  • If both actions are rejected, the deposit is returned to the sender address visible on-chain.

Third parties

  • Cloudflare serves static assets (CSS, JS, the favicon). TLS is terminated at Cloudflare; we receive the real client IP via CF-Connecting-IP for rate-limiting only.
  • fonts.bunny.net serves the Inter and JetBrains Mono webfonts. This is a privacy-preserving mirror of Google Fonts that does not log IPs.
  • ff.io is our liquidity router. They receive the swap request metadata necessary to execute the trade — pair, amount, destination, optional refund address.

Security posture

  • HTTPS-only with HSTS preload-eligible configuration.
  • Strict Content-Security-Policy; no inline scripts beyond JSON payloads.
  • X-Frame-Options SAMEORIGIN · X-Content-Type-Options nosniff · strict Referrer-Policy.
  • Permissions-Policy restricts geolocation, microphone, camera, payment to "none" for this origin.
  • CSRF tokens on all state-changing API endpoints.
  • All sensitive configuration (API keys, secrets) lives outside the webroot and is never exposed to HTTP.
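
One way to check the header claims in this list against a response, as an added example rather than the site's own code. The two sample header sets are constructed, the set of Referrer-Policy values counted as strict is an assumption, and the HSTS test uses the hstspreload.org requirements (max-age of at least 31536000, includeSubDomains, preload).

```python
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",  # assumption: the
                   "strict-origin-when-cross-origin"}  # page only says "strict"

def parse(value, item_sep, kv_sep):  # "a=1; b" -> {"a": "1", "b": ""}
    out = {}
    for item in value.split(item_sep):
        name, _, rest = item.strip().partition(kv_sep)
        if name:
            out[name.lower()] = rest.strip()
    return out

def audit(headers):  # returns a list of findings; [] means every claim holds
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    hsts = parse(h.get("strict-transport-security", ""), ";", "=")
    max_age = hsts.get("max-age", "").strip('"')
    if not (max_age.isdigit() and int(max_age) >= 31536000  # hstspreload.org minimum
            and "includesubdomains" in hsts and "preload" in hsts):
        findings.append("HSTS not preload-eligible")
    csp = parse(h.get("content-security-policy", ""), ";", " ")
    script_src = csp.get("script-src", csp.get("default-src"))  # CSP fallback rule
    if script_src is None or "'unsafe-inline'" in script_src.lower().split():
        findings.append("CSP does not block inline scripts")
    if h.get("x-frame-options", "").upper() != "SAMEORIGIN":
        findings.append("X-Frame-Options is not SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("referrer-policy", "").lower() not in STRICT_REFERRER:
        findings.append("Referrer-Policy is not strict")
    pp = parse(h.get("permissions-policy", ""), ",", "=")
    for feature in ("geolocation", "microphone", "camera", "payment"):
        if pp.get(feature, "").replace(" ", "") != "()":  # () is the empty allowlist
            findings.append(f"Permissions-Policy leaves {feature} enabled")
    return findings

GOOD = {  # constructed sample, not captured from the site
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=(), payment=()",
}
WEAK = dict(GOOD, **{  # constructed sample with two weakened headers
    "Strict-Transport-Security": "max-age=86400; includeSubDomains",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=(self)"})

if __name__ == "__main__":
    print(audit(GOOD), audit(WEAK), sep="\n")
```

In the Permissions-Policy header an empty allowlist is written `feature=()`. A feature missing from the header keeps its default allowlist, which is why the audit reports an absent entry as enabled.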

Contact

Security reports: [email protected]. See also security.txt.

No marketing

Just self-custody plumbing, honestly described.