Web3 FAQ

Wallet & Web3Auth: frequently asked questions

Common questions about the ESPL wallet (Web3Auth), answered. Reading the Web3 page overview first makes this easier to follow.

Web3 and wallet FAQ

  • Can I use ESPL without thinking about the wallet?

    Yes. For day-to-day step tracking and joining challenges, you don't need to think about the wallet.

    It's created automatically at signup and quietly supports the sponsorship and reward flow in the background. The full picture is on the Web3 page.

  • Is personal information stored on the blockchain?

    No. Names, addresses, step counts, email addresses — none of it goes on-chain.

    What's on-chain is limited to the movement of the sponsorship (JPYC) and the factual outcome of each challenge (success or miss).

  • Does the operator hold the private key?

    No. Web3Auth uses MPC (multi-party computation): the wallet's private key is split into three pieces (shares) and stored in separate places.

    Specifically: a share extracted via social login, a share held on your device, and a share held by Web3Auth's distributed node network.

    The ESPL operator cannot reconstruct the private key on its own.

  • If I lose my device, can I recover the wallet?

    Yes. If you've set up MFA (multi-factor authentication) from the account dashboard, you can recover from another device.

    Three recovery methods are available, and registering more than one (up to all three) is recommended:

    Authenticator app (Google Authenticator and similar)
    Recovery phrase (a secret word list)
    Passkey (device biometrics, etc.)

    If you register multiple methods, you can still recover if you lose one of them.

  • Do I stay logged in forever? How long does a session last?

    After a set time, you'll need to log in again.

    The exact duration is configurable on the app side, anywhere from minutes up to 30 days (typical values: 30 minutes, 4 hours, 1 day, 7 days, 14 days, 30 days).

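    Session data is kept in platform-provided storage: localStorage in a browser, Keystore on Android, Keychain on iOS. Keystore and Keychain are protected by the OS; browser localStorage is readable by any script running on the same origin.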

  • If Web3Auth itself goes down, can I still use the wallet?

    Yes.

    Web3Auth splits the private key into three shares, so even without the Web3Auth network, you can reconstruct it from the other two (device + social login).

    You can also export the private key from the settings and move to MetaMask or another wallet (see the Q&A below). Your access to the wallet is preserved even in a worst-case scenario.

  • Can I export the private key from Web3Auth and use it in MetaMask?

    Yes. You can export it from the account settings. Import the exported key into MetaMask or similar and you'll be using the same wallet from outside ESPL.

    ⚠ Important: never show the exported private key to anyone else. Posting a screenshot of it on social media or sending it by email will result in losing the full contents of the wallet.

  • Is the ID token used for login verified securely?

    Yes — strictly.

    The ID token (JWT) is verified every time against issuer (iss), audience (aud), expiry (exp), signature algorithm (ES256), and nonce, and the signature is checked with the signing key matched against the JWKS (public-key set). A token that fails any of these checks is rejected, so a forged or replayed token cannot be used to impersonate a user.

    Full specs are published in the MetaMask Embedded Wallets documentation.

  • Is Web3Auth a trustworthy operator?

    Web3Auth is part of ConsenSys (which provides MetaMask) and now runs as MetaMask Embedded Wallets.

    SOC 2 / GDPR / CCPA / CPRA compliance status is published at the Web3Auth Trust Center. Part of the code is open source on GitHub, and third-party audits have been carried out.

    The primary technical reference is the MetaMask Embedded Wallets documentation.

  • Have there been security incidents in the past?

    In 2023, Dfns reported a vulnerability in an old login method called “magic link”. Web3Auth has since addressed it and now uses stronger methods such as OTP / 2FA / passkeys.

    ESPL uses only the current, safer authentication methods.

For anything not covered here, please reach out via the contact form.