Your MetaMask Account

What are the benefits of logging in to MetaMask Portfolio?

To improve your experience:

How does this respect my privacy as a MetaMask user?

Your settings are synced without compromising the confidentiality of your MetaMask activity. Instead of a Web2-style architecture, where the service provider hosts user data in the clear, we take a privacy-first approach: your information is encrypted on the client, and the server acts only as storage and relayer of encrypted data. MetaMask therefore does not learn which users or addresses are using this service, or how.

How does the login work?

MetaMask will ask you to sign a message with your address to prove that you own it, and then you are logged in with that address.

We use the standard Sign-In with Ethereum (EIP-4361) flow. Our server receives the signed message and your address, checks the signature, hashes the address together with a salt to produce your AccountID, and then discards the address. The salt is kept secret on the server: addresses are public, so with a known salt anyone could hash a candidate address and test whether it matches an AccountID. The server signs your AccountID and issues a JWT that the client uses to access MetaMask services such as the user configuration storage or Notifications.
Because the address is not stored and the AccountID is a keyed hash that cannot be reversed or recomputed without the salt, MetaMask does not know who, or which addresses, have logged in.

Where and how do you store user configurations?

We store them on MetaMask servers, encrypted with a key only the user owns. Nobody other than the user can read the configurations.

When you log in, we create a client-side key deterministically derived from your wallet (in the current version it is the signature of a fixed message, which only works because the wallet produces deterministic signatures, so signing the same message always yields the same key), and we use this key to encrypt all your user configurations on the client before sending them to MetaMask servers.
MetaMask acts as mere storage and can read neither who is using the service nor the content of the configurations, since everything is encrypted client-side. When the same person logs in to MetaMask from another device, that device re-derives the same key and can decrypt the stored information.

We are also actively working with the ecosystem to explore opportunities to decentralize the user configuration storage in the future.

Which user configurations do you store?

We store settings and configurations, which can include your public addresses. We do not store, transfer or back up your private key or seed phrase.

How do wallet activity notifications work?

We watch blockchains for you and send you push notifications when something relevant happens to your addresses, like receiving tokens, NFTs or finalizing unstaking.

Unlike the user configuration service, which hosts only data encrypted client-side, the notifications service needs to keep an unencrypted copy of the addresses to be monitored on the server.
To protect the fact that several addresses belong to the same person, our servers store the notification tasks unlinked from the users they belong to: the relation between the AccountID and the addresses is kept only client-side.