Security

Key facts

  • Non-custodial — we never hold your private keys
  • Wallet-signed transactions only
  • Vanity generator runs client-side in your browser
  • Atomic platform fees — pay only on successful on-chain actions
  • Known limitations documented below

Vanity Tool

  • **Browser-side by default.** Vanity address generation runs in Web Workers on your device.
  • **Private keys are never sent to the backend.** MakeMeACoin does not receive, log, or store generated keypairs.
  • **Download and store safely.** Export the Solana keypair JSON and keep it in a secure location.
  • **Do not share keypair JSON files.** Anyone with the file can control the associated accounts.

Launch Tool

  • Token creation uses wallet-signed transactions (e.g. Phantom). Your wallet approves each step.
  • **Minting is free** ($0 MMAC platform fee). You only pay Solana network gas.
  • **Paid trust actions** (revoke mint/freeze, burn) happen **after mint** from Token Control. Fee and on-chain action are bundled in **one atomic transaction** — you do not pay before the action runs.

Environment variables (required in production)

| Variable | App | Purpose |
|----------|-----|---------|
| `NEXT_PUBLIC_SOLANA_RPC_URL` | web | Solana RPC (Helius or other). No hardcoded API keys in client bundle. |
| `NEXT_PUBLIC_PLATFORM_WALLET` | web | Treasury for atomic paid trust actions |
| `DATABASE_URL` | web, api | PostgreSQL: score snapshots, mint history, users |
| `JWT_SECRET` | api, web | Auth tokens + founder owner API; must be strong |
| `CRON_SECRET` / `SCORE_CRON_SECRET` | web | Score refresh cron auth |
| `WEB_URL` | worker | Base URL for worker → cron ping |
| `ENABLE_ADMIN_ROUTES=true` | web | Gate `/admin-secret` (default: blocked in production) |
| `ENABLE_INTERNAL_ROUTES=true` | web | Gate `/benchmark`, `/market-lab` (default: blocked in production) |


**Rotate immediately** if any private key or API secret was ever committed to the repo or shared.


Analytics


  • Client events go through `sanitizeAnalyticsPayload()` before they are sent; it drops `privateKey`, `secret`, `seed`, `mnemonic`, `jwt`, `email`, `telegram`, intake data, and signed transactions.
  • Server route validates event names against `ALLOWED_ANALYTICS_EVENTS` and re-sanitizes.
  • `data/analytics-events.jsonl` is **not durable** on Vercel/serverless — do not rely on it for compliance or billing.
  • Recommended production backends: PostHog, Plausible, or a dedicated DB events table.
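The two-layer sanitization described above, as an added example that is not MakeMeACoin's own code: a recursive client-side payload sanitizer that drops sensitive keys at any depth, and a server-side check that validates the event name against an allowlist and re-sanitizes because the client is untrusted. The key-name tokens and the allowlist contents are assumptions standing in for the project's real `ALLOWED_ANALYTICS_EVENTS`.

```javascript
// Added example (not the project's code). Key tokens are assumptions modelled
// on the field names the page lists; matching is done on a normalized key
// (lowercased, separators stripped) so `private_key`, `privateKeyHex` and
// `seedPhrase` are all dropped, not only the exact spelling `privateKey`.
const SENSITIVE_TOKENS = [
  "privatekey", "secret", "seed", "mnemonic", "jwt", "email", "telegram",
  "signedtx", "signedtransaction", "intake",
];

function isSensitiveKey(key) {
  const norm = key.toLowerCase().replace(/[^a-z0-9]/g, "");
  return SENSITIVE_TOKENS.some((t) => norm.includes(t));
}

// Walks objects and arrays recursively; primitives pass through unchanged.
function sanitizeAnalyticsPayload(value) {
  if (Array.isArray(value)) return value.map(sanitizeAnalyticsPayload);
  if (value === null || typeof value !== "object") return value;
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    if (isSensitiveKey(k)) continue; // drop the key and its whole subtree
    out[k] = sanitizeAnalyticsPayload(v);
  }
  return out;
}

// Constructed allowlist standing in for ALLOWED_ANALYTICS_EVENTS.
const ALLOWED_ANALYTICS_EVENTS = new Set([
  "vanity_generated", "token_minted", "authority_revoked", "tokens_burned",
]);

// Server route logic: unknown event names are rejected outright, and the
// props are re-sanitized even though the client already ran the sanitizer.
function acceptAnalyticsEvent(event) {
  const name = event && typeof event.name === "string" ? event.name : null;
  if (name === null || !ALLOWED_ANALYTICS_EVENTS.has(name)) {
    return { ok: false, reason: "event name not allowed" };
  }
  const props = sanitizeAnalyticsPayload(event.props === undefined ? {} : event.props);
  return { ok: true, event: { name, props } };
}
```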

Market Lab


  • Research preview only — **not financial advice**.
  • No profit guarantees. Past benchmark or paper results do not predict future outcomes.
  • Market Lab does not execute live trades on your behalf.
  • Route is **gated in production** unless `ENABLE_INTERNAL_ROUTES=true`.

General


  • Never paste private keys or seed phrases into any website form.
  • Review authority settings (mint, freeze) before and after launch.
  • Launch Score reflects on-chain readiness signals — not a safety or investment guarantee.
  • Use official explorer links to verify on-chain state.

Transaction transparency

Before signing, review what each flow displays: on-chain action, MMAC fee, network fee, destination wallet, and irreversible warnings for revoke and burn.