Skip to content
work/p2proof

P2Proof

LIVE

Production fintech SaaS for African P2P crypto merchants.

Turns a merchant's read-only exchange keys into permanent, bank-ready proof of legitimate income.

Visit P2ProofSolo, architecture, backend, frontend, infra, billing, mobile.
2
Exchanges unified
6+1
Countries + USD
AES-256-GCM
Encryption
30 min
Cron cadence
The problem

Why it exists.

African P2P merchants move real volume, but exchanges purge order history after 90–180 days and banks freeze accounts demanding proof of source. When the history is gone, the money is stuck. P2Proof turns a panic, a frozen account and lost records, into an email with a PDF.

P2Proof connects a merchant's read-only Bybit and Bitget API keys, permanently stores their P2P order history (exchanges delete it after 90–180 days), computes true profit after fees per currency or in USD, and generates bank-ready records, yearly PDF, CSV, and per-trade evidence, so traders can prove legitimate income and survive bank freezes.

Architecture

How the pieces fit.

The whole system, one operator. Trace any node to see its role and connections.

architecture --interactive
Client
Edge / API
Data
External
Jobs

Hover or focus any node to trace its role and connections.

What's inside

Every surface, shipped.

01

Read-only, encrypted key vault

Only read-only API keys are ever accepted. Secrets are encrypted at rest with AES-256-GCM and support key rotation via trial-decrypt of old + new keys.

02

Multi-exchange unified ledger

Bybit + Bitget P2P history is synced and unified into one ledger with a per-exchange FIFO cost-basis engine and a pure, idempotent 'Trading Runs' profit model.

03

Self-healing cron orchestrator

GitHub Actions runs every 30 minutes: snapshots, rate alerts, due-based sync, channel posts, opt-in daily Telegram summaries at each user's local 8pm, and housekeeping.

04

Bank-ready PDF generation

Yearly trading report, per-trade evidence pack, and a bank-freeze checklist, the documents a bank actually asks for, generated on demand.

05

Row-level security everywhere

Postgres with RLS on every table; service-role writes are strictly separated from RLS-scoped user reads. Email + Google OAuth via Supabase Auth.

06

Interactive academy + PWA/TWA

A Duolingo-style learning academy (XP, streaks, locked progression) plus an installable PWA packaged for the Google Play Store as a Trusted Web Activity via Bubblewrap.

Hard decisions

The calls that mattered.

01

Read-only-only security model

problem · Handling exchange API keys is the highest-risk surface in the product.

call · Refuse any key with trade or withdraw scope. Read-only means a leak can never move funds, the whole threat model collapses to 'can read history', which is exactly the feature.

02

Composite per-user dedup keys

problem · Re-syncing overlapping windows across two exchanges must never double-count an order.

call · Every record carries a composite (user, exchange, order-id) key so sync is idempotent, you can replay any window safely.

03

GitHub Actions as a self-healing scheduler

problem · A fintech needs reliable periodic work without paying for always-on infra.

call · A single Actions cron every 30 min orchestrates all jobs, is observable in the run log, and self-heals on the next tick if one run fails.

04

Per-exchange FIFO cost basis

problem · True profit-after-fees differs per exchange and per currency; a naive average lies.

call · A per-exchange FIFO engine computes real cost basis, so profit is honest per currency or rolled up to USD.

Stack
Next.js 14 App RouterTypeScript (strict)Supabase / Postgres + RLSAES-256-GCMVercel (fra1)GitHub ActionsPaystackTelegram Bot APIBubblewrap / TWA
Outcome

A single operator shipped a complete, regulated-adjacent fintech: encrypted key vault, multi-exchange sync, a profit engine, billing, a learning academy, and a Play-Store app, end to end. It exists to answer one bank email with one PDF.

Next case study

WhatBiz

open
Available now

Want one of these for your product?