On your device
A visual security guide
See what happens to your information.
Stax Pass is built so your private information is locked on your device before protected records are synced. This page shows the path, the limits, and what you need to keep safe.
No hype. No “trust us” language. Just how the protection is designed to work.
The vault journey
Readable for you. Protected before it travels.
When you save something, the app is designed to protect it locally first. The service can then carry and sync the protected record without needing the readable content inside.
Stax Pass service
It carries a protected record
Your other approved device
You unlock it locally
Two different kinds of security
Your account entrance is not your vault key.
It is important not to mix these up. Email and device checks help stop strangers from entering your account. Your password and recovery phrase are what unlock your vault.
Account entrance
Email verification and device approval
These checks help confirm an email inbox and approve a new device. A six-digit email code is short-lived and should stay private.
It cannot decrypt your vault.Vault unlock
Your password or recovery phrase
These secrets are used locally to unlock protected key material. They are not interchangeable with an email code or a support request.
These are the paths into your vault.How the keys fit together
One unlock opens the next layer—not everything at once.
This is a simplified map of the local key structure. Select a layer to see its job.
Private sign-in proof
How can the service verify you without keeping your password?
Stax Pass uses a password and recovery authentication system called OPAQUE. In plain English: your app and the service perform a protected proof. The service can confirm the proof without receiving the raw password or recovery words as a reusable secret.
stays here
Approved
The service sees the protected authentication exchange—not a customer-support list of raw passwords or recovery phrases.
Recovery, without fine print
Know your path back in before you need it.
Your 12- or 24-word phrase is an alternate way to unlock your User Root Key. It is not a customer-service reset code. Choose a situation below.
You still have your recovery phrase
You have a recovery path.
Use the recovery phrase on a new device to prove access and set a new password. Afterward, store the password and phrase separately and securely.
Support does not need to see the phrase to help the recovery flow work.The non-negotiable part: if both your password and recovery phrase are gone, and you no longer have an unlocked device, the vault cannot be decrypted. Stax Pass cannot rebuild the key, reset the vault open, or use an administrator backdoor—because we do not keep one.
Technical reference
The names behind the protection.
These are public, reviewed cryptographic tools—not secret algorithms. The important part is what each one does for you.
XChaCha20-Poly1305
Vault encryption and tamper detection
Acts as the lock and tamper seal on a protected vault record. It is designed to keep contents unreadable without the right key and reject a record that was modified.
Does not protect an already unlocked device.Argon2id
Password-derived unlock material
Deliberately makes deriving unlock material from a password expensive. That makes large-scale guessing harder and slower for an attacker.
Does not turn a weak or reused password into a safe one.RFC 9807 OPAQUE
Password and recovery authentication
Lets the app prove your password or recovery phrase during sign-in without giving the API the raw words as a reusable secret.
Does not eliminate the need to protect your email and devices.HPKE · X25519 · HKDF-SHA256
Recipient-specific secure sharing
When sharing is used, these tools make a protected copy for the intended recipient instead of exposing a shared vault key as readable data.
Sharing still depends on choosing and trusting the right recipient.The local crypto core is designed to use secure operating-system randomness and fail closed: damaged or unauthenticated protected data should be rejected, not quietly accepted.
Your part matters
Protect your two paths in.
Use a strong, unique password. Keep your recovery phrase private and offline. Never share a verification code, password, or recovery phrase with anyone who contacts you.