https://bitcointalk.org/index.php?topic=309785.0
BitcoinTalk.org includes Baron in its security bounty program because it intends to use it within its own infrastructure. If you find a way to break it, you can earn some serious money.
As best I can tell, it does not do any key management. No reference to terms like "Key" or "HierarchicalKey" at all. My guess is that you have to give it the addresses you own, and it detects if payment has been made to them. Since it does not use "HierarchicalKey", bitcore's term for BIP32 extended keys, it probably requires that you constantly refill the address pool so it doesn't run out. Or it reuses them.
edit: I also just realized it depends on "bitcoin". It may rely on a running bitcoin core full node to handle the private keys.
That's correct. Currently it requires private keys on the Baron server, which means the wallet must be encrypted and backed up often. Encrypted means the keypool must be refilled periodically.
If there is sufficient demand it would be theoretically possible to include watch-only support so the Baron server need not have private keys online. Ideally this would work with a Hierarchical Deterministic wallet where the server does not need to be periodically refilled with unused addresses.
Hypothetically this could be done today with a JavaScript library that generates the public addresses as needed. I am not sure if such a library exists at the moment?