Overview

Security is critical when dealing with cryptocurrency and autonomous trading agents. This guide covers best practices to keep your assets safe while using ForgeAI.
Never share your private keys, seed phrases, or passwords with anyone—including ForgeAI support. We will never ask for these.

Wallet Security

Choosing the Right Wallet

Hardware Wallets

Most Secure — Ledger, Trezor
Best for holding significant assets. Keys never leave the device.

Browser Wallets

Convenient — Phantom, Solflare
Good for active trading. Enable all security features.

Wallet Best Practices

Don’t use your main holdings wallet for trading.
Create a separate wallet specifically for ForgeAI:
  • Transfer only what you need for trading and tournament entries
  • Keep the majority of your assets in cold storage
  • If compromised, your main holdings remain safe
Think of it like a checking account vs. savings account.
For browser wallets like Phantom:
  • Auto-lock timer — Set to 5-15 minutes
  • Password protection — Use a strong, unique password
  • Transaction confirmations — Review every transaction before signing
  • Trusted apps only — Only connect to verified dApps
Your seed phrase (recovery phrase) is the master key to your wallet:
Do:
  • Write it on paper and store in a secure location (fireproof safe)
  • Consider metal backup plates for durability
  • Split across multiple secure locations for large holdings
Never:
  • Store it digitally (photos, cloud storage, notes apps)
  • Enter it on any website
  • Share it with anyone, ever
Before signing any transaction:
  1. Check the destination address matches what you expect
  2. Verify the amount is correct
  3. Review token type — watch for fake tokens
  4. Check gas fees are reasonable
Malicious sites can disguise transactions. Always verify in your wallet, not on the website.

Account Security

Protecting Your ForgeAI Account

ForgeAI uses Privy for authentication with multiple options:
Recommended: Social login (Google, Twitter) with 2FA enabled on those accounts
For email login:
  • Use a dedicated email address
  • Enable 2FA on your email provider
  • Use a strong, unique password
Periodically review active sessions:
  • Log out of devices you don’t recognize
  • Disconnect unused wallet connections
  • Review authorized applications
If using the ForgeAI API:
  • Never share your Privy JWT tokens
  • Don’t commit tokens to version control
  • Rotate tokens if you suspect compromise
  • Use environment variables, not hardcoded values

API Key Security

If you’re building integrations with the ForgeAI Public API, follow these best practices for API key management:
Don’t reuse keys across applications.
Create separate API keys for each integration:
  • One for your Discord bot
  • One for your monitoring dashboard
  • One for your trading automation script
If a key is compromised, you only need to revoke and replace that specific key.
Never hardcode API keys in your code.
Do:
  • Use environment variables
  • Use a secrets manager (AWS Secrets Manager, HashiCorp Vault, 1Password)
  • Store in .env files that are .gitignored
Never:
  • Commit keys to version control
  • Share keys in chat messages or emails
  • Include keys in client-side JavaScript
  • Log keys in application output
# Good: keep the key in a .env file that is .gitignored
FORGEAI_API_KEY=your-key-here

// Access in code (Node.js)
const apiKey = process.env.FORGEAI_API_KEY;
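The guidance above on one key per integration, environment variables, and keeping keys out of logs can be enforced at start-up. This is an added example, not ForgeAI code; the environment variable names and the placeholder list are assumptions.

```javascript
// Added example (not ForgeAI code). Variable names are assumed, not official.
const KEY_VARS = new Map([
  ["discordBot", "FORGEAI_API_KEY_DISCORD_BOT"],
  ["dashboard", "FORGEAI_API_KEY_DASHBOARD"],
  ["trading", "FORGEAI_API_KEY_TRADING"],
]);
// Values that mean "nobody configured this yet" (assumed list).
const PLACEHOLDERS = new Set(["", "your-key-here", "changeme"]);

// Load one integration's key from the environment; fail closed if unusable.
// Error messages name the variable, never its value.
function loadKey(integration, env = process.env) {
  const name = KEY_VARS.get(integration);
  if (!name) throw new Error(`unknown integration: ${integration}`);
  const value = (env[name] || "").trim();
  if (PLACEHOLDERS.has(value)) throw new Error(`${name} is not set`);
  return value;
}

// Load every key and reject reuse, so revoking one key affects one integration.
function loadAllKeys(env = process.env) {
  const keys = {};
  const owner = new Map();
  for (const integration of KEY_VARS.keys()) {
    const value = loadKey(integration, env);
    if (owner.has(value)) {
      throw new Error(`${integration} reuses the key of ${owner.get(value)}`);
    }
    owner.set(value, integration);
    keys[integration] = value;
  }
  return keys;
}

// Scrub any loaded key value from a message before it reaches a logger.
function redact(message, keys) {
  let out = String(message);
  for (const value of Object.values(keys)) {
    out = out.split(value).join("[REDACTED]");
  }
  return out;
}
```

Pass every log line through `redact` at the logger boundary rather than at each call site, so a key echoed back in an error response is also scrubbed.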
Periodically rotate your API keys, especially if:
  • A team member with access leaves
  • You suspect a key may have been exposed
  • Keys have been in use for extended periods (rotate quarterly at minimum)
To rotate:
  1. Create a new key in Settings → API Keys
  2. Update your integrations to use the new key
  3. Verify the integrations work
  4. Delete the old key
Keep an eye on your API usage:
  • Unexpected spikes may indicate compromise
  • Track which integrations are active
  • Delete keys for decommissioned projects
Review your active keys periodically and remove any you no longer use.

Agent Security

Managing Agent Wallets

Your agents trade with dedicated wallets secured in Trusted Execution Environments (TEEs):
Your agents’ private keys are:
  • Generated and stored within secure TEE enclaves
  • Never exposed to ForgeAI servers or developers
  • Encrypted at rest and in transit
  • Only accessible by the TEE for signing transactions
You maintain control through:
  • Starting/stopping agent trading
  • Configuring strategy parameters
  • Withdrawing funds at any time

Tournament Safety

In tournaments:
  • Entry fees are your maximum risk
  • Agents trade with allocated tournament capital
  • Your personal wallet isn’t at risk beyond the entry fee
  • Prizes are distributed automatically via smart contracts
When learning the platform:
  1. Begin with lower-stakes tournaments
  2. Understand how your agents perform
  3. Learn from losses without significant impact
  4. Scale up as you gain experience

Recognizing Threats

Common Scams to Avoid

Red flags:
  • URLs that look similar but aren’t exact (forge-ai.gg, forgeaii.gg)
  • Unsolicited DMs with “special offers”
  • Requests to “verify” or “sync” your wallet
Always:
  • Type app.forgeai.gg directly or use bookmarks
  • Verify the URL before connecting your wallet
  • Check for the lock icon (HTTPS)
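The URL check described above can be automated in a bot or browser helper. This is an added example, not ForgeAI code: it accepts only an exact HTTPS match on the host named in this guide and flags near-spellings of the brand. The allowlist contents, the edit-distance threshold and the non-guide test hostnames are assumptions.

```javascript
// Added example (not ForgeAI code): exact-match allowlist plus lookalike check.
const OFFICIAL_HOSTS = new Set(["app.forgeai.gg"]); // only the host this guide names
const BRAND = "forgeai";
const MAX_DISTANCE = 2; // assumed heuristic threshold

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + cost);
      diag = up;
    }
  }
  return row[b.length];
}

// Returns "official", "suspicious", "other" or "invalid" for a URL string.
function classifyUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return "invalid";
  }
  const host = url.hostname.toLowerCase();
  if (url.protocol === "https:" && OFFICIAL_HOSTS.has(host)) return "official";
  // Not an exact HTTPS match: any label that contains or nearly spells the
  // brand (hyphens ignored) is treated as a lookalike.
  for (const label of host.split(".")) {
    const squashed = label.replace(/-/g, "");
    if (squashed.includes(BRAND) || editDistance(squashed, BRAND) <= MAX_DISTANCE) {
      return "suspicious";
    }
  }
  return "other";
}
```

The official host over plain HTTP is also reported as "suspicious", matching the HTTPS check in the list above.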
ForgeAI team will NEVER:
  • DM you first on Discord or Twitter
  • Ask for your private keys or seed phrase
  • Request remote access to your computer
  • Send you links to “verify” your wallet
Official support channels:
Be wary of:
  • Random tokens appearing in your wallet
  • “Free” airdrops that require you to connect your wallet
  • Tokens that require approval to “sell” or “claim”
Interacting with malicious tokens can drain your wallet. When in doubt, ignore unknown tokens.
Attackers may:
  • Create urgency (“Act now or lose your funds!”)
  • Impersonate team members or moderators
  • Offer “help” with suspiciously good deals
Take your time. Verify through official channels. Real opportunities don’t disappear in minutes.

Incident Response

What To Do If Compromised

1. Don't panic, act quickly

If you suspect your wallet or account is compromised:
  • Stop and think before clicking anything
  • Don’t interact with suspicious transactions

2. Secure your assets

  • Transfer remaining funds to a NEW wallet (not created on potentially compromised devices)
  • Use a different device if possible
  • Disconnect the compromised wallet from ForgeAI

3. Secure your accounts

  • Change passwords on associated accounts (email, social)
  • Enable/reset 2FA
  • Check for unauthorized account access

4. Report the incident

  • Contact ForgeAI support: support@forgeai.gg
  • Report phishing sites to your browser and wallet provider
  • Warn the community in Discord (without sharing personal details)

Security Checklist

Quick reference for staying safe:

Getting Help

Security is an ongoing practice, not a one-time setup. Review this checklist periodically and stay informed about new threats in the crypto space.