Security Best Practices
Bankr has two layers of safety controls: wallet-level (configured at bankr.bot → Security; applies to every surface) and per-API-key (configured at bankr.bot/api-keys; applies to one key). Both run independently — a transaction must satisfy both to broadcast.
Pick a layer
| You are… | Read |
|---|---|
| Using Bankr through chat at bankr.bot | Bankr Terminal |
| Building an agent or integration with the API | Developer API |
| Doing both | Both — controls compose |
For the full reference of API-key flags and error responses, see Agent API → Access Control.
Where each control lives
| Control | Configured at | Layer |
|---|---|---|
| Pause all transactions | bankr.bot → Security | Wallet |
| Daily USD limit | bankr.bot → Security | Wallet |
| Per-transaction USD limit | bankr.bot → Security | Wallet |
| Permitted recipients (with cooldown) | bankr.bot → Security | Wallet |
| Disable arbitrary contract calls | bankr.bot → Security | Wallet |
| Read-only mode | bankr.bot/api-keys | API key |
| IP allowlist | bankr.bot/api-keys | API key |
| Recipient allowlist | bankr.bot/api-keys | API key |
Stay Safe: How Bankr Will (and Won't) Contact You
Most account losses come from social engineering, not protocol bugs. Hold these rules:
- Bankr will never DM you first. Unsolicited DMs on X, Telegram, Discord, or Farcaster claiming to be "Bankr Support" are scams — even if the handle looks right. Real support flows through email (support@bankr.bot), the Discord support channel where you open the ticket, or in-app.
- Bankr will never ask for your seed phrase, private key, or password. Privy embedded wallets are non-exportable by design — there is no seed phrase to share. Anyone asking is an attacker.
- Bankr will never ask you to "verify" by signing a transaction or visiting a link. Verification happens server-side; you don't need to sign anything to prove ownership of your account.
- Bankr will never use a different domain. The terminal is bankr.bot, API is api.bankr.bot, docs are docs.bankr.bot. Anything else (bankrbot.io, bankr-claim.xyz, bankr.bot.fun, etc.) is fake.
- A token appearing in the launch feed is not an endorsement. Failed launches are routinely spoofed by scammers who deploy fake tokens with the same name. Verify the contract address from the creator's official channels before buying. See Token Launching FAQ for more.
If someone reaches out claiming to be Bankr, close the conversation and open your own ticket through the channels above.
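The domain rule above can be enforced in a bot or integration that handles links. The sketch below is an added example, not Bankr's code: it compares the parsed hostname exactly against the three official hosts, which is what rejects lookalikes such as bankr.bot.fun. The function names, the https-only requirement, and the sample URLs (paths included) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Hostnames this page lists as official (terminal, API, docs).
OFFICIAL_HOSTS = frozenset({"bankr.bot", "api.bankr.bot", "docs.bankr.bot"})


def official_host(url):
    """Return the official hostname a URL points at, or None if it is not one."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lowercased; userinfo and port are dropped
    except ValueError:
        return None  # malformed authority, e.g. unbalanced IPv6 brackets
    # Assumption: only https links are accepted; a bare "bankr.bot/x" has no scheme.
    if parts.scheme != "https" or not host:
        return None
    host = host.rstrip(".")  # "bankr.bot." is the same name, fully qualified
    # Exact match only: substring, prefix or suffix tests would accept
    # bankr.bot.fun or bankr-claim.xyz.
    return host if host in OFFICIAL_HOSTS else None


def triage(urls):
    """Split links into (official, rejected) lists, preserving input order."""
    official, rejected = [], []
    for url in urls:
        (official if official_host(url) else rejected).append(url)
    return official, rejected


# Constructed sample links; the lookalike domains are the ones named on this page.
SAMPLE_LINKS = [
    "https://bankr.bot/terminal",
    "https://API.bankr.bot./v1",
    "https://docs.bankr.bot:443/security",
    "https://bankrbot.io/login",
    "https://bankr-claim.xyz/",
    "https://bankr.bot.fun/airdrop",
    "https://bankr.bot@bankr-claim.xyz/",  # real host is what follows the "@"
    "http://bankr.bot/",
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_LINKS)
    print("official:", ok)
    print("rejected:", bad)
```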