
Architecture Overview

A high-level look at how Xiru works under the hood.

```
┌──────────────────────────────────────┐
│            Xiru Frontend             │
│              (shiru.io)              │
│       Next.js 16 (App Router)        │
│                                      │
│   ┌──────────┐      ┌──────────┐     │
│   │  Public  │      │  Admin   │     │
│   │  Routes  │      │  Routes  │     │
│   └──────────┘      └──────────┘     │
└──────────────┬───────────────────────┘
               │
       ┌───────▼──────────┐     ┌─────────────────┐
       │     Xiru API     │────▶│    Database     │
       │      (REST)      │     │   PostgreSQL    │
       └───────┬──────────┘     └─────────────────┘
               │
       ┌───────▼──────────┐     ┌─────────────────┐
       │ Blockchain RPCs  │     │  Sumsub (KYC)   │
       │  (6 EVM chains)  │     │  Verification   │
       └──────────────────┘     └─────────────────┘
```

The admin panel is part of the same Next.js application — it uses a separate route group (/admin) protected by role-based access control.

Email + Password → API verifies → 6-digit PIN sent → User enters PIN (30-min expiry) → JWT issued
Connect Wallet → Request nonce → Sign message (free) → API verifies signature → JWT issued

Both methods produce a JWT stored in localStorage that authenticates all subsequent requests. Tokens refresh automatically in the background.
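The token lifecycle described above (proactive refresh 30 s before expiry, plus a refresh-and-retry on 401, as listed in the security table below) as an added example; this is not Xiru's own code, and the `refreshFn`, `storage` and `timers` interfaces are assumptions made for illustration.

```javascript
// Added example, not Xiru's own code: a client-side token manager for the refresh
// policy this page describes (proactive refresh 30 s before the JWT exp claim, reactive
// refresh on 401, clear on failed refresh). refreshFn/storage/timers shapes are assumed.
const REFRESH_LEAD_MS = 30_000;
// Read exp (seconds since epoch) from the JWT payload. No signature check here:
// the client only uses exp for scheduling; the API still verifies every token.
function jwtExpiryMs(token) {
  const b64 = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4))).exp * 1000;
}
function createTokenManager({ storage, refreshFn, now = Date.now,
                              timers = { set: setTimeout, clear: clearTimeout } }) {
  let timer = null;
  function clear() {                    // logout, or a 401 that refresh could not fix
    storage.removeItem('jwt');
    if (timer !== null) { timers.clear(timer); timer = null; }
  }
  function refreshDelayMs(token) {      // proactive: fire 30 s before expiry
    return Math.max(0, jwtExpiryMs(token) - now() - REFRESH_LEAD_MS);
  }
  function setToken(token) {
    storage.setItem('jwt', token);
    if (timer !== null) timers.clear(timer);
    timer = timers.set(refresh, refreshDelayMs(token));
  }
  async function refresh() {
    try {
      const fresh = await refreshFn(storage.getItem('jwt'));
      setToken(fresh);
      return fresh;
    } catch (err) {
      clear();                          // refresh failed: force a fresh login
      return null;
    }
  }
  // Reactive path: on a 401, refresh once and retry; a second 401 clears the token.
  async function authFetch(fetchFn, url, init = {}) {
    const send = (tok) => fetchFn(url, { ...init,
      headers: { ...(init.headers || {}), Authorization: `Bearer ${tok}` } });
    let res = await send(storage.getItem('jwt'));
    if (res.status !== 401) return res;
    const fresh = await refresh();
    if (fresh === null) return res;
    res = await send(fresh);
    if (res.status === 401) clear();
    return res;
  }
  return { setToken, refresh, authFetch, clear, refreshDelayMs };
}
```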

| Measure | Detail |
|---|---|
| HTTPS | All communication encrypted in transit |
| JWT tokens | Auto-expire, cleared on logout or 401 |
| SIWE | Industry-standard wallet auth (EIP-4361) |
| Input validation | Frontend and backend validation on all inputs |
| No key access | Xiru never has access to your wallet's private keys |
| Role-based access | Admin features restricted to authorized users |
| Token refresh | Proactive (30s before expiry) + reactive (on 401) |

| Chain | Chain ID | Type |
|---|---|---|
| Ethereum | 1 | L1 Mainnet |
| Arbitrum | 42161 | L2 Optimistic Rollup |
| Polygon | 137 | Sidechain |
| Optimism | 10 | L2 Optimistic Rollup |
| Base | 8453 | L2 Optimistic Rollup |
| BNB Chain | 56 | L1 |

  • User data encrypted at rest in PostgreSQL
  • KYC documents handled per regulatory requirements
  • Wallet addresses are public blockchain data — not private
  • Account deletion removes all stored personal data
  • No tracking cookies beyond essential session management