P2Proof
LIVEProduction fintech SaaS for African P2P crypto merchants.
Turns a merchant's read-only exchange keys into permanent, bank-ready proof of legitimate income.
Why it exists.
African P2P merchants move real volume, but exchanges purge order history after 90–180 days and banks freeze accounts demanding proof of source. When the history is gone, the money is stuck. P2Proof turns a panic, a frozen account and lost records, into an email with a PDF.
P2Proof connects a merchant's read-only Bybit and Bitget API keys, permanently stores their P2P order history (exchanges delete it after 90–180 days), computes true profit after fees per currency or in USD, and generates bank-ready records, yearly PDF, CSV, and per-trade evidence, so traders can prove legitimate income and survive bank freezes.
How the pieces fit.
The whole system, one operator. Trace any node to see its role and connections.
Hover or focus any node to trace its role and connections.
Every surface, shipped.
Read-only, encrypted key vault
Only read-only API keys are ever accepted. Secrets are encrypted at rest with AES-256-GCM and support key rotation via trial-decrypt of old + new keys.
Multi-exchange unified ledger
Bybit + Bitget P2P history is synced and unified into one ledger with a per-exchange FIFO cost-basis engine and a pure, idempotent 'Trading Runs' profit model.
Self-healing cron orchestrator
GitHub Actions runs every 30 minutes: snapshots, rate alerts, due-based sync, channel posts, opt-in daily Telegram summaries at each user's local 8pm, and housekeeping.
Bank-ready PDF generation
Yearly trading report, per-trade evidence pack, and a bank-freeze checklist, the documents a bank actually asks for, generated on demand.
Row-level security everywhere
Postgres with RLS on every table; service-role writes are strictly separated from RLS-scoped user reads. Email + Google OAuth via Supabase Auth.
Interactive academy + PWA/TWA
A Duolingo-style learning academy (XP, streaks, locked progression) plus an installable PWA packaged for the Google Play Store as a Trusted Web Activity via Bubblewrap.
The calls that mattered.
Read-only-only security model
problem · Handling exchange API keys is the highest-risk surface in the product.
call · Refuse any key with trade or withdraw scope. Read-only means a leak can never move funds, the whole threat model collapses to 'can read history', which is exactly the feature.
Composite per-user dedup keys
problem · Re-syncing overlapping windows across two exchanges must never double-count an order.
call · Every record carries a composite (user, exchange, order-id) key so sync is idempotent, you can replay any window safely.
GitHub Actions as a self-healing scheduler
problem · A fintech needs reliable periodic work without paying for always-on infra.
call · A single Actions cron every 30 min orchestrates all jobs, is observable in the run log, and self-heals on the next tick if one run fails.
Per-exchange FIFO cost basis
problem · True profit-after-fees differs per exchange and per currency; a naive average lies.
call · A per-exchange FIFO engine computes real cost basis, so profit is honest per currency or rolled up to USD.
A single operator shipped a complete, regulated-adjacent fintech: encrypted key vault, multi-exchange sync, a profit engine, billing, a learning academy, and a Play-Store app, end to end. It exists to answer one bank email with one PDF.