Trezor Bridge — Secure Key Gateway

Bridge hardware keys to applications — elegant UX, secure-by-design

A modern gateway for hardware-backed keys

Trezor Bridge helps you integrate Trezor hardware keys into web and native applications while preserving end-user security. Harbor focuses on transport security, human verification, and clear UX patterns that prevent common mistakes.

Human verification
Show clear, minimal details to users on-device before signing.
Transport safety
Use challenge-response and nonce binding to prevent replay.
Developer SDKs
Lightweight SDKs for browsers and servers.

Onboarding guide

This quick guide helps users unbox, initialize, and connect their Trezor device to Harbor. It covers common pitfalls and recovery advice.

Unbox & inspect

Check for tamper-evident seals. If packaging is opened, contact the vendor. Do not initialize a device that looks tampered.

Create a seed

Generate the mnemonic on-device. Record it on paper or metal. Do not photograph or store the seed digitally. Consider Shamir backups for distributed recovery.

Connect to Bridge

Visit the application’s onboarding page, choose "Connect device," and follow the prompts. Bridge will verify the device attestation and firmware signature before allowing account enumeration.

Signing best practices

Always verify the amount and recipient on the device screen. Harbor displays a condensed summary; the device shows the full details. If any detail differs, reject the signature request.

Developer notes

Harbor exposes a small, secure API for applications. The core ideas: keep the host untrusted, require human confirmation, and bind rich context into signatures.

Example flow (conceptual)

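// Host constructs payload; the nonce must come from a CSPRNG, since Math.random() output is predictable
const nonceBytes = crypto.getRandomValues(new Uint8Array(16)); // Web Crypto: 128 random bits
const nonce = Array.from(nonceBytes, b => b.toString(16).padStart(2, '0')).join('');
const payload = { network: 'bitcoin', amount: 100000, recipient: '1A2b...Z9', nonce };
// Host -> device: SIGN_REQUEST(payload)
// Device displays payload summary; user approves
// Device -> host: SIGN_RESPONSE(signature)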

Security checklist for developers

  • Validate device attestation before exposing advanced features.
  • Bind network and nonce into signatures to prevent cross-chain replay.
  • Rate-limit signing requests and require re-authentication for bulk operations.
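
The nonce and network binding from the checklist, as an added Node.js example (not code from this page or from the project it describes): the verifier issues a single-use nonce, and the signature covers network, amount, recipient and nonce together. The in-process Ed25519 key pair stands in for the device, and the names Verifier, encode, deviceSign and the recipient placeholder are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');
// Assumption: this key pair stands in for the device; a real device never exports its private key.
const device = crypto.generateKeyPairSync('ed25519');

// Canonical encoding: fixed field order so host and signer process identical bytes.
function encode(p) {
  return Buffer.from(JSON.stringify([p.network, p.amount, p.recipient, p.nonce]));
}

// Simulated device: signs the full payload, including network and nonce.
function deviceSign(payload) {
  return crypto.sign(null, encode(payload), device.privateKey);
}

class Verifier {
  constructor(network, publicKey) {
    this.network = network;
    this.publicKey = publicKey;
    this.pending = new Set(); // nonces issued but not yet redeemed
  }
  // Challenge: 128-bit nonce from the CSPRNG, remembered until it is used once.
  issueNonce() {
    const nonce = crypto.randomBytes(16).toString('hex');
    this.pending.add(nonce);
    return nonce;
  }
  // Response: accept only a valid signature for this network over a fresh nonce.
  check(payload, signature) {
    if (payload.network !== this.network) return 'wrong-network';
    if (!this.pending.has(payload.nonce)) return 'unknown-or-replayed-nonce';
    if (!crypto.verify(null, encode(payload), this.publicKey, signature)) return 'bad-signature';
    this.pending.delete(payload.nonce); // single use: presenting it again fails
    return 'ok';
  }
}

// Constructed sample run: first use, a replay, and the same signature relabelled for another network.
function demo() {
  const btc = new Verifier('bitcoin', device.publicKey);
  const other = new Verifier('testnet', device.publicKey);
  const payload = { network: 'bitcoin', amount: 100000, recipient: 'EXAMPLE-RECIPIENT', nonce: btc.issueNonce() };
  const sig = deviceSign(payload);
  const first = btc.check(payload, sig);
  const replay = btc.check(payload, sig);
  other.pending.add(payload.nonce); // even if the nonce were valid there, the signed network differs
  const cross = other.check({ ...payload, network: 'testnet' }, sig);
  return { first, replay, cross };
}
console.log(demo());
```
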

FAQ

Can Bridge read my seed?
No. Harbor never has access to private keys. All signing operations happen on the device.
What transports are supported?
USB/HID, WebUSB, and QR/SD for air-gapped workflows are supported depending on device capabilities.
How do I verify firmware?
Devices provide a signed manifest and attestation. Harbor verifies signatures against pinned public keys before enabling features.