This article provides insights into our partnership with Strike and how we implemented secure authentication in the Cypher Box app.

Cypher Box is an open-source Bitcoin wallet available on iOS and Android. Developed by Cypher Box LLC, a software company, the project focuses on helping new users transition from third-party service providers such as Strike.me to self-custody through an intuitive gamified interface and advanced coin management tools.
You can verify our codebase here: https://github.com/CypherBoxLLC/Cypher-Box
Strike API: https://docs.strike.me/api
Strike OAuth2.0 framework and Backend Architecture

The frontend app talks only to CypherBox’s backend, never directly to Strike.
PKCE protects login on mobile
The app creates a “one-time secret code”. Even if someone intercepts your login request, they cannot use it without the secret code.
The backend sends the code and secret keys to Strike, receives a temporary access token, and returns a short-lived JWT to the app.
JWT lets the app make authenticated requests without exposing secrets.
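The PKCE step described above, as an added example that is not taken from the Cypher Box codebase or from Strike's API. The "one-time secret code" is the PKCE code verifier (RFC 7636); ToyAuthServer, the function names and the 300-second lifetime are assumptions made for illustration, with a toy in-memory server standing in for the OAuth provider.

```javascript
const crypto = require('crypto');

// base64url without padding, as RFC 7636 requires
const b64url = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// S256 transform: challenge = BASE64URL(SHA256(verifier))
const s256 = (verifier) => b64url(crypto.createHash('sha256').update(verifier).digest());

// App side: a fresh random verifier per login; only the challenge leaves the device
function createPkcePair() {
  const verifier = b64url(crypto.randomBytes(32)); // 43 characters
  return { verifier, challenge: s256(verifier) };
}

// Hypothetical stand-in for the authorization server: binds each code to a challenge
class ToyAuthServer {
  constructor() { this.codes = new Map(); }
  authorize(challenge) {
    const code = b64url(crypto.randomBytes(16));
    this.codes.set(code, challenge);
    return code;
  }
  redeem(code, verifier) {
    const expected = this.codes.get(code);
    this.codes.delete(code); // authorization codes are single use
    if (!expected || typeof verifier !== 'string') return null;
    const a = Buffer.from(s256(verifier));
    const e = Buffer.from(expected);
    if (a.length !== e.length || !crypto.timingSafeEqual(a, e)) return null;
    return { access_token: b64url(crypto.randomBytes(24)), expires_in: 300 }; // constructed values
  }
}

// Three outcomes: an intercepted code without the verifier, the real app, and a replay
function demo() {
  const server = new ToyAuthServer();
  const app = createPkcePair();
  const intercepted = server.authorize(app.challenge);
  const attacker = server.redeem(intercepted, createPkcePair().verifier); // wrong verifier
  const code = server.authorize(app.challenge); // separate login for the real app
  const legit = server.redeem(code, app.verifier);
  const replay = server.redeem(code, app.verifier); // code already consumed
  return { attacker, legit, replay };
}
```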
All communication is encrypted, and no user data is stored.
HTTPS protects data between app ↔ backend ↔ Strike.
Cypher Box backend cannot move or hold your funds — only Strike does.
If someone compromises the Cypher Box backend and steals data, the only things they could get are:
– Temporary access tokens from Strike (short-lived)
– Short-lived JWTs issued to apps
The backend never holds Bitcoin and cannot sign transactions.
The only thing an attacker could do is impersonate a logged-in session for a short time while the token is valid. They might be able to view balances and transaction history of the victim’s Strike wallet, but they cannot drain funds directly, because transactions still need Strike signatures. Once the token expires (short-lived JWT or custodian token), the attacker loses access.