Xyra Developer Docs
Integrate via standard browser APIs — no SDK required
Stable URL
/developers
Security model
Xyra uses an open-origin model. Any website can open the wallet popup. Trust is established by clear, user-visible domain verification inside the wallet UI. Xyra separates signing from broadcasting—transactions are never submitted unless both the application and the user explicitly approve submission.
How origins are derived
The wallet displays the requesting site based on document.referrer and validates incoming messages using postMessage event.origin. Query parameters are ignored for origin verification.
What users should verify
Users should verify the domain shown in the wallet before approving any request. This is the primary trust signal in the open-origin model.
Guidance
If you do not recognise the requesting domain, reject the request.
Sign vs Submit
Xyra defaults to sign-only behavior. Transactions are never submitted unless both the developer explicitly sets submit: true in the request AND the user approves the submission in the approval UI. Xyra clearly displays whether a transaction will be submitted, with prominent warnings for sign+submit requests. This separation ensures users have full control over when transactions are broadcast.
Why Xyra can’t silently sign
Signing happens in the approval UI and always requires explicit user approval. Apps receive only the signed output, never the seed. Xyra will not accept messages from unexpected origins.
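The origin check from "How origins are derived" and the sign-only default from "Sign vs Submit", sketched as an added example (not Xyra's own code). The message shape, the sign-request type, the userDecision object and all function names are assumptions made for illustration.

```javascript
// Added example: message shape and function names are hypothetical, not Xyra's API.

// Origin shown to the user, derived from document.referrer. Only scheme, host
// and port survive, so path and query parameters cannot influence it.
function originFromReferrer(referrer) {
  try {
    const u = new URL(referrer);
    return u.protocol === "https:" || u.protocol === "http:" ? u.origin : null;
  } catch {
    return null; // empty (referrer suppressed) or malformed: nothing to trust
  }
}

// Decide how to handle one postMessage event. `userDecision` stands in for the
// choices made in the approval UI: { approveSign, approveSubmit }.
function evaluateRequest(event, referrer, userDecision) {
  const expected = originFromReferrer(referrer);
  if (!expected) return { action: "reject", reason: "no-referrer-origin" };

  // event.origin is set by the browser, not by the sender. Compare with strict
  // equality; prefix or substring matching would accept look-alike hosts.
  if (event.origin !== expected) return { action: "reject", reason: "unexpected-origin" };

  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "sign-request") {
    return { action: "reject", reason: "malformed-request" };
  }
  if (userDecision.approveSign !== true) return { action: "reject", reason: "user-rejected" };

  // Sign-only default: only the literal boolean true requests submission, and
  // the user must separately approve it.
  const submit = data.submit === true && userDecision.approveSubmit === true;
  return { action: submit ? "sign-and-submit" : "sign-only", displayedOrigin: expected };
}

// Constructed sample input.
const referrer = "https://app.example/swap?origin=https://wallet.example";
const ok = { approveSign: true, approveSubmit: true };
console.log(evaluateRequest({ origin: "https://app.example", data: { type: "sign-request" } }, referrer, ok));
console.log(evaluateRequest({ origin: "https://app.example.evil.test", data: { type: "sign-request", submit: true } }, referrer, ok));
```

An empty document.referrer (for example when the opener suppresses it) yields a rejection here, since the wallet would have no domain to display.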