Secure card tokenization SDK for Stellar with an example rewards dApp
Tychee is a comprehensive card tokenization SDK and rewards platform built on Stellar's Soroban smart contracts. It enables regulations-compliant tokenization of debit/credit cards while providing a gamified rewards experience for users and merchants.
- Regulations-Compliant Card Tokenization - AES-256-GCM encryption stored on-chain
- Stellar Blockchain - Secure, fast, and low-cost transactions
- Gamified Rewards - Premium points system with tier progression
- Merchant Discovery - Hyperlocal deals and merchant discovery
- Blockchain Vouchers - NFT-like vouchers that can be traded
- AI-Powered Insights - Spending analytics and recommendations
- Account Abstraction - Optional gasless transactions and meta-tx support
```
tychee/
├── soroban/                      # Rust smart contracts
│   └── contracts/
│       ├── token_vault/          # Card tokenization contract
│       └── account_abstraction/  # AA contract
├── sdk/                          # TypeScript SDK
│   └── src/
│       ├── core/                 # SDK engine
│       ├── crypto.ts             # Encryption utilities
│       └── types.ts              # TypeScript definitions
├── src/                          # Next.js frontend
│   ├── app/                      # App router pages
│   │   ├── cards/                # Cards Hub
│   │   ├── spends/               # Spends Hub
│   │   ├── rewards/              # Rewards
│   │   ├── store/                # Products/Services Store
│   │   ├── vouchers/             # Vouchers
│   │   ├── partners/             # Partners Dashboard
│   │   └── api/                  # Serverless API routes
│   ├── components/               # React components
│   └── lib/                      # Utilities
└── prisma/                       # Database schema
```
- Node.js 18+
- Rust 1.71+ (for Soroban contracts)
- Stellar CLI (Installation)
- Vercel account (for deployment)
- Clone and install dependencies:

```bash
git clone <repository-url>
cd tychee
npm install
```

- Set up environment variables:

```bash
cp .env.local.example .env.local
```

Edit .env.local with your configuration:
- Stellar network URLs (testnet)
- Soroban contract addresses
- Vercel Postgres credentials
- Build Soroban contracts:

```bash
cd soroban
cargo build --target wasm32-unknown-unknown --release
```

- Deploy contracts to Stellar testnet:

```bash
stellar contract deploy \
  --wasm target/wasm32-unknown-unknown/release/token_vault.wasm \
  --source <YOUR_SECRET_KEY> \
  --network testnet
```

- Initialize database:
Run the SQL schema in prisma/schema.sql on your Vercel Postgres instance.
- Run development server:
```bash
npm run dev
```

```bash
npm install @tychee/sdk
```

```typescript
import { TycheeSDK, CardData } from '@tychee/sdk';

// Initialize SDK
const sdk = new TycheeSDK({
  stellarNetwork: 'testnet',
  horizonUrl: 'https://horizon-testnet.stellar.org',
  sorobanRpcUrl: 'https://soroban-testnet.stellar.org',
  tokenVaultAddress: 'YOUR_CONTRACT_ADDRESS',
  useAccountAbstraction: false,
});

// Initialize with user's secret key
await sdk.initialize('SXXX...');

// Tokenize a card
const cardData: CardData = {
  pan: '4242424242424242',
  cvv: '123',
  expiryMonth: '12',
  expiryYear: '26',
  cardholderName: 'John Doe',
  network: 'visa',
};
const tokenMetadata = await sdk.storeCard(cardData);
console.log('Card tokenized:', tokenMetadata);

// Retrieve token
const token = await sdk.retrieveCard();

// Revoke token
await sdk.revokeCard();
```

- Secure card tokenization flow
- Card management interface
- Visual card display with glassmorphism
- Real-time status updates
- Transaction history
- Category-based spending analytics
- AI-powered insights
- Export functionality
- Points balance with tier system (Bronze → Platinum)
- Rewards catalog
- Redemption interface
- 2x points promotions
- Local merchant discovery
- Product catalog with search/filters
- Distance-based sorting
- Discount badges
- Blockchain-verified vouchers
- Copy-to-claim functionality
- Expiry warnings
- Ticket-style UI
- Revenue analytics
- API key management
- Webhook configuration
- Integration guide
- Card-on-File Tokenisation (CoFT) guidelines followed
- No raw card data stored
- Only tokenized references with encrypted payloads
- Complete audit trail via blockchain events
- No Master Keys: Zero server-side master keys - users own their encryption
- Key Derivation: Keys derived from user's Stellar secret key (SHA-256)
- Client-side: libsodium.js for browser key stretching (Argon2)
- Encryption: AES-256-GCM (ring-compatible)
- On-chain: Encrypted payloads stored on Soroban
- Self-Custody: Only user can decrypt their data (true web3)
- User authentication required for all operations
- Permission-based token access
- Revocation support
- Emergency pause functionality
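
The key derivation and encryption bullets above (SHA-256 over the user's Stellar secret key, AES-256-GCM payload), worked through as an added example that is not Tychee's SDK code. The function names, the context label, the owner address as associated data, and the nonce/tag/ciphertext layout are assumptions of this example, and the Argon2 stretching step is omitted.

```typescript
import { createCipheriv, createDecipheriv, createHash, randomBytes } from "node:crypto";

// Constructed sample values: placeholders, not a real key, address, or card.
const SAMPLE_SECRET = "S-EXAMPLE-SECRET-PLACEHOLDER";
const SAMPLE_OWNER = "G-EXAMPLE-ADDRESS-PLACEHOLDER";
const SAMPLE_CARD = { pan: "4242424242424242", expiryMonth: "12", expiryYear: "26", network: "visa" };

// SHA-256 yields the 32 bytes AES-256 needs. The context label (an assumption of
// this example) keeps this key separate from any other hash of the same secret.
function deriveKey(secret: string): Buffer {
  return createHash("sha256").update("example-card-vault-v1\0" + secret, "utf8").digest();
}

// Returns base64(nonce || tag || ciphertext), the only form that leaves the client.
function sealCard(key: Buffer, owner: string, card: object): string {
  const nonce = randomBytes(12); // fresh per call: a repeated nonce under one key breaks GCM
  const cipher = createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(Buffer.from(owner, "utf8")); // ties the payload to its owner address
  const body = Buffer.concat([cipher.update(JSON.stringify(card), "utf8"), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]).toString("base64");
}

// Returns the card, or null when the key, owner, or payload does not authenticate.
function openCard(key: Buffer, owner: string, payload: string): object | null {
  const raw = Buffer.from(payload, "base64");
  if (raw.length < 28) return null; // shorter than nonce (12) + tag (16)
  const decipher = createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(owner, "utf8"));
  decipher.setAuthTag(raw.subarray(12, 28));
  try {
    const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return JSON.parse(plain.toString("utf8"));
  } catch {
    return null; // authentication failed: nothing is released to the caller
  }
}

// Flips one bit of a stored payload, as an altered or corrupted record would look.
function flipLastBit(payload: string): string {
  const raw = Buffer.from(payload, "base64");
  raw.writeUInt8(raw.readUInt8(raw.length - 1) ^ 1, raw.length - 1);
  return raw.toString("base64");
}

const key = deriveKey(SAMPLE_SECRET);
const sealed = sealCard(key, SAMPLE_OWNER, SAMPLE_CARD);
console.log("round trip :", openCard(key, SAMPLE_OWNER, sealed));
console.log("wrong owner:", openCard(key, "G-OTHER-ADDRESS-PLACEHOLDER", sealed));
console.log("tampered   :", openCard(key, SAMPLE_OWNER, flipLastBit(sealed)));
```

Ciphertext written to a public ledger stays readable by anyone, so confidentiality rests entirely on the secret key staying private.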
All API routes are serverless functions deployed on Vercel:
- POST /api/points - Add/track rewards points
- GET /api/points?userId= - Get user points balance
- GET /api/products?category= - List products/services
- GET /api/vouchers?userId= - List available vouchers
- PUT /api/vouchers - Redeem voucher
- GET /api/spends?userId= - Get spending analytics
- POST /api/spends - Record transaction
- GET /api/partners?partnerId= - Partner analytics
- POST /api/research - Generate AI insights
See docs/API.md for full API documentation.
The frontend implements Jakob Nielsen's usability principles:
- Visibility of system status - Real-time feedback, loading states, progress indicators
- Match system/real world - Familiar card UI, intuitive navigation
- User control - Cancel operations, filter options, undo support
- Consistency - Unified design system, predictable interactions
- Error prevention - Form validation, confirmation dialogs
- Recognition vs recall - Clear labels, persistent navigation
- Flexibility - Keyboard shortcuts, quick actions
- Aesthetic design - Premium glassmorphism with vibrant gradients
- Error recovery - Helpful error messages, retry options
- Help & documentation - Contextual tooltips, security banners
- Connect to Vercel:

```bash
npm install -g vercel
vercel login
vercel link
```

- Set environment variables in Vercel dashboard
- Deploy:

```bash
vercel --prod
```

- Switch network to mainnet in contracts
- Fund your account with XLM
- Deploy contracts to mainnet
- Update frontend environment variables
```bash
# Run each command from the repository root

# SDK tests
(cd sdk && npm test)

# Soroban contract tests
(cd soroban/contracts/token_vault && cargo test)

# Frontend E2E tests
npm run test:e2e

# API route tests
npm run test:api
```

Contributions welcome! Please read our contributing guidelines. All contributors must sign our Contributor License Agreement (CLA).
Business Source License 1.1
Project Tychee is licensed under the Business Source License 1.1 (BSL 1.1).
BSL with public code visibility provides transparency without surrendering the SaaS moat. This approach offers several key benefits:
- Transparency for Regulators: Regulated financial infrastructure (card tokenization) benefits from auditable code. BSL lets regulators see the Soroban contracts + encryption logic while keeping the business logic proprietary.
- Competitive Protection: Blocks competitors from copying your SaaS service for ~3 years, protecting the core business model while allowing legitimate use cases.
- Automatic Transition: Unlike pure proprietary licensing, BSL automatically converts to Apache 2.0 post-Series A (or on a fixed date: January 27, 2029). This appeases open-source advocates and fuels community contributions later without re-licensing friction.
- Public Code Visibility: BSL with public code visibility shows transparency and builds trust, while maintaining business protections.
Licensor: Tychee Labs
License Change Date: January 27, 2029 (3 years)
Change License: Apache License 2.0
You may use the Licensed Work for:
- Internal evaluation and testing
- Non-production development
- Educational and research purposes
- Building on Soroban contracts via Stellar's X-Ray primitives
- Integrating your own SaaS on top (e.g., embedding Tychee's SDK in your fintech)
- Contributing patches (CLA required)
Prohibited without commercial license:
- Offering card tokenization/SaaS competing with Tychee
- Wrapping Tychee as a managed service for end-users
- Modifying and reselling the Soroban contracts
For traditional banks, fintech companies, and enterprises that wish to deploy Tychee in-house (not as SaaS), we offer Commercial Licenses. See LICENSE-COMMERCIAL for details.
Contact: [email protected]
For the full license text, see LICENSE.
Built with ❤️ using Stellar, Next.js, and Rust