Security
Basic safety rules for users and operators.
Private key
Export a private key only when you need a backup. Store it safely and never send it in a public chat.
Signing service
The signing service derives wallets, signs transactions, and handles imported keys. In production, keep it private and allow access only from the bot backend.
Environment variables
Manage BOT_TOKEN, WEBHOOK_SECRET, DATABASE_URL, REDIS_URL, MASTER_SEED, and SIGNING_SERVICE_URL as secrets.
Production checklist
- Expose only the webhook server to the internet.
- Do not expose the signing service publicly.
- Use HTTPS for the webhook.
- Back up the database with controlled access.
- Rotate secrets if exposure is suspected.
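
A startup check for the settings above, as an added example (not the project's own code): it confirms that every listed variable is set and that SIGNING_SERVICE_URL resolves only to private addresses. The names `preflight` and `resolve`, and the definition of "private" as loopback, RFC 1918 or IPv6 unique-local space, are assumptions.

```python
import ipaddress
import os
import socket
from urllib.parse import urlsplit

# Variable names are the ones listed on this page.
REQUIRED = ("BOT_TOKEN", "WEBHOOK_SECRET", "DATABASE_URL",
            "REDIS_URL", "MASTER_SEED", "SIGNING_SERVICE_URL")

# Assumption: "private" means loopback, RFC 1918 or IPv6 unique-local space.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7")]


def resolve(host):
    """Return every address the host name currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def preflight(env, resolver=resolve):
    """Return a list of problems; secret values are never echoed, only names."""
    problems = [f"{name} is missing or empty"
                for name in REQUIRED if not env.get(name, "").strip()]
    url = env.get("SIGNING_SERVICE_URL", "").strip()
    if not url:
        return problems
    try:
        host = urlsplit(url).hostname
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        host = None
    if not host:
        return problems + ["SIGNING_SERVICE_URL has no host part"]
    try:
        addresses = resolver(host)
    except OSError:
        return problems + ["SIGNING_SERVICE_URL host does not resolve"]
    for text in sorted(addresses):
        ip = ipaddress.ip_address(text)
        if not any(ip in net for net in PRIVATE_NETS):
            problems.append(f"SIGNING_SERVICE_URL resolves to non-private address {ip}")
    return problems


if __name__ == "__main__":
    found = preflight(os.environ)
    for problem in found:
        print("preflight:", problem)
    raise SystemExit(1 if found else 0)
```

A clean result shows only that the configured address is in private space; restricting access to the bot backend still has to be enforced at the network level.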
