Sigil
Sigil is the identity layer for our consumer apps. The design goal is a simple one: we should be able to verify that you have paid for a tier without learning anything else about you. No email address is required. No username. No password. The thing that authenticates you is a subscription token, and the app is the only party that holds it.
How it works
When you subscribe through the App Store or the Play Store, the store sends a receipt to our control plane. The control plane verifies the receipt against the store's servers, records the entitlement (which tier, which expiry), and issues a subscription token — an opaque secret string bound to that entitlement. The token is delivered back to the app over a TLS connection and stored in the device keychain.
From then on, whenever an app makes a privileged API call — provisioning a WireGuard peer, pulling an encrypted manifest, fetching a presigned storage URL — it sends the token as a bearer credential. Our server hashes the token and looks up the entitlement row. If the row exists and has not expired, the call is authorized.
We do not store the token itself on our side. We store a hash of the token, the tier, the expiry, and a usage counter for quota enforcement. If the token is ever compromised, rotating it is local to the device.
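To make the server-side half of this concrete, here is an added example (not Katafract's code) of an entitlement store that behaves as described above: tokens are issued as opaque random strings, only a SHA-256 hash of each token is kept alongside its tier, expiry and usage counter, authorization is a hash lookup plus an expiry and quota check, and rotation swaps the hash under the same entitlement row. The tier names, quota limits and the hypothetical `EntitlementStore` class are assumptions for illustration, as is the choice of SHA-256 and `secrets.token_urlsafe` for token generation.

```python
# Added example, not Katafract's code: a minimal model of the Sigil
# server-side entitlement store. Assumptions (constructed for this
# example): tokens are 32 random bytes, the server keeps only
# SHA-256(token), and quota is a flat per-tier API-call limit.
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Constructed per-tier API-call quotas; not real product limits.
TIER_LIMITS = {"enclave": 1000, "trial": 2}


@dataclass
class Entitlement:
    tier: str
    expires_at: datetime
    usage: int = 0


class EntitlementStore:
    """Holds entitlement rows keyed by token hash. The raw token is never stored."""

    def __init__(self) -> None:
        self._rows: Dict[str, Entitlement] = {}

    @staticmethod
    def _hash(token: str) -> str:
        # The hash is the lookup key, so a leaked database reveals no usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, tier: str, expires_at: datetime) -> str:
        """Issue a fresh opaque token bound to (tier, expiry); returned once to the app."""
        token = secrets.token_urlsafe(32)
        self._rows[self._hash(token)] = Entitlement(tier, expires_at)
        return token

    def authorize(self, token: str, now: Optional[datetime] = None) -> bool:
        """Bearer check for a privileged API call: row must exist, be unexpired, and have quota."""
        now = now or datetime.now(timezone.utc)
        row = self._rows.get(self._hash(token))
        if row is None or row.expires_at <= now:
            return False
        if row.usage >= TIER_LIMITS.get(row.tier, 0):
            return False
        row.usage += 1  # usage counter feeds per-tier limits
        return True

    def rotate(self, old_token: str) -> Optional[str]:
        """Replace a compromised token: same entitlement row, new hash; old token stops working."""
        row = self._rows.pop(self._hash(old_token), None)
        if row is None:
            return None
        new_token = secrets.token_urlsafe(32)
        self._rows[self._hash(new_token)] = row
        return new_token


def demo() -> Dict[str, bool]:
    """Walk through issue, authorize, expiry, rotation and quota with a fixed clock."""
    store = EntitlementStore()
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    tok = store.issue("trial", now + timedelta(days=30))
    results = {
        "valid": store.authorize(tok, now=now),                         # usage -> 1
        "unknown": store.authorize("not-a-real-token", now=now),        # no row
        "expired": store.authorize(tok, now=now + timedelta(days=31)),  # past expiry
    }
    new = store.rotate(tok)
    results["old_after_rotate"] = store.authorize(tok, now=now)   # old hash gone
    results["new_after_rotate"] = store.authorize(new, now=now)   # usage -> 2
    results["quota_exhausted"] = store.authorize(new, now=now)    # trial limit is 2
    results["token_not_stored"] = tok not in store._rows and new not in store._rows
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two design points worth noticing: because the hash is the lookup key, the server never needs a constant-time comparison against a stored secret, and the quota check happens only after expiry so an expired subscription cannot burn quota on a renewed one.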
What the store knows
The App Store or Play Store knows that your Apple ID or Google account purchased a Katafract product. That is unavoidable for a paid app on either platform. We receive a store-issued transaction identifier that lets us verify the receipt — we do not receive your Apple ID or Google account identity.
We can map a store-issued transaction ID back to "some paying customer of this tier." We cannot map it to a name, an email, or any other identifier that the platform did not give us — because it did not give us those.
The admin side
Katafract's internal admin dashboard and operator tooling do use a conventional, self-hosted OIDC identity provider, because our staff needs real accounts with roles and audit trails. Consumer-facing apps never touch it. It is the control plane's own internal identity system, and the only people with accounts on it are Katafract employees and authorized operators.
A small number of apps that need cross-device login (for example, a web portal that reads your subscription status from a browser) use that OIDC provider with a federated sign-in. This is called out explicitly in each app's privacy policy. The consumer apps on iOS and Android do not require it.
What Katafract can see
- The token hash and its entitlement — "this hash belongs to an Enclave subscriber whose subscription runs until December."
- The store transaction identifier — used once at purchase time to verify the receipt with Apple or Google. Retained so we can respond to refund events.
- Aggregate usage counters tied to the token hash — storage bytes used, peers provisioned, API call volume. These are used to enforce per-tier limits.
What Katafract cannot see
- Your email address or real name — never collected by the consumer apps. If you email us for support, we see your email because email requires it — not because the product does.
- A link between your token and another customer's token — tokens are independent per subscription. We have no mechanism to join them.
- Device identifiers — we do not collect advertising IDs, IDFVs, Firebase install IDs, or similar. The token identifies a subscription, not a device.
What this means for you
If you pay through the App Store for Enclave, the App Store knows you bought it and we know someone did. We do not learn which human is which. That is not a side effect of our privacy preferences — it is the result of designing the identity layer to collect only what is needed to verify a subscription is paid and active.