Notifications and user storage privacy approach
Information on the new authentication, notifications, and user configurations storage features available on MetaMask Web.
What are the benefits of logging in on MetaMask Web?
Logging into MetaMask Web improves your experience by enabling you to:
Receive notifications about your wallet activity
Sync your user configurations and settings across the different devices where you have MetaMask installed. Over time we will start to backup and cross-sync your address book, transaction history, imported tokens, and watched addresses
Back up your configurations for when you change or reset your browser
How does this respect my privacy as a MetaMask user?
Your settings are synced without compromising the confidentiality of your MetaMask activity. Instead of web2-like architectures, where service providers host user data, we use a privacy-first approach where your information is encrypted on the client-side (i.e. locally, on your device), and the server acts as storage and relayer of encrypted data. MetaMask, therefore, has zero visibility of which users or addresses are using this service, and how.
How does the login work?
When you attempt to sign into MetaMask Web, your MetaMask wallet will ask you to sign a message with your address to prove that you own that account. After signing, you will be logged into MetaMask Web with that account address.
We use a standard Sign-In with Ethereum flow. Our server receives the signed message and your address, checks the signature, hashes the address together with a salt (a random value) to generate your AccountID, and then forgets the address. The server signs your AccountID and emits a JSON web token (JWT) that the client can use to access MetaMask services, like the user configurations storage or notifications. Since the address is not stored and the AccountID hash is not reversible, MetaMask doesn’t know who and which addresses have logged in.
Where and how do you store user configurations?
User configurations are stored on MetaMask servers, encrypted with a specially generated key only the user owns. Nobody other than the user can read the configurations. When you login, we create a client-side key by getting the hash that results from applying your account's signature to a given message. This means the key is deterministic: that is, the result of this signature will always be the same when the same account signs the same message. We use this key to perform client-side encryption of all your user configurations before sending them to MetaMask servers.
In this context, MetaMask is merely storage, and cannot read who is using the service, nor the content of the configurations, since everything is encrypted client-side. When needed, the encrypted information can be decrypted on another client when the same person logs into their MetaMask from another device. We are also actively working with the ecosystem to explore opportunities to decentralize the user configuration storage in the future.
Which user configurations do you store?
We store preferences and configurations, which can include, for example, your public address, currency, favorite tokens, interface settings, or address book. We don’t store, transfer, or backup your private key or Secret Recovery Phrase, both of which are only accessible to you.
How do wallet activity notifications work?
We monitor blockchains for you and send you push notifications when something relevant happens to your addresses, like receiving tokens, NFTs, or unstaking.
Different from the user configuration service, which only hosts data encrypted client-side, the notifications service needs to save unencrypted versions of the monitored addresses on the server side. To ensure that multiple addresses cannot be attributed to the same person, our servers save the notifications tasks “untied” to the users they belong to. This means that the link between the AccountIDs and the addresses is only stored client-side.