Security

Security at SwapRoute

How SwapRoute keeps routing non-custodial, protects users before signing, and keeps aggregator credentials server-side.

Last updated: July 2026

Non-custodial by design

SwapRoute is a routing interface. It does not custody funds, manage private keys, or create accounts for users. You connect your own wallet and sign transactions directly from that wallet.

Before signing, review the source token, destination token, destination chain, recipient address, estimated output, minimum received, and any approval spender shown by your wallet.

Server-side routing

Aggregator requests run through SwapRoute API routes so provider keys, fee configuration, and upstream routing details are not exposed in browser code.

Quote responses are normalized before they reach the app, and executable calldata is only returned when a connected taker address is supplied.

Token safety checks

The token picker combines a curated registry with live token lookup and on-chain metadata. Long-tail tokens can still be spoofed, so users should verify contract addresses against official project sources before signing.

Cross-chain transfers can be difficult or impossible to reverse. Always double-check recipient addresses, especially when sending to a different wallet.

Reporting issues

If you find a vulnerability or unsafe route behavior, report it privately to the SwapRoute team before public disclosure. Include the chain, token addresses, transaction hash if available, wallet used, and exact reproduction steps.

Ready to compare a route?

Go back to the swap app, enter an amount, and review route details before signing.

Open SwapRoute