How does near protocol handle security with near wallet?

Question

After login with near wallet URL, a user can make any number of transactions to the blockchain without being asked permission every time (it's not like using metamask). What if the app makes unauthorized transactions without the permission of the user like hacking all money of the user? How does near protocol solve this problem?

Answer 1

The way it works is that when an app first request access from the wallet it adds an access key to the user's account that only allows interaction with that app. The app keeps the private key to send transactions on user's behalf. Two things to note here:

1. Access key has an allowance limit for gas and it decreases every time a transaction is sent. Therefore this access key cannot be used indefinitely to drain funds of the user's account.
2. For transactions that involve token transfer, users still have to confirm it through the wallet.

More info on access key https://docs.near.org/docs/roles/integrator/integrating#access-keys