What to protect, what's safe to share, and the mistakes that cost people real money
If a string of text can grant access to your money, your accounts, or your infrastructure — it's a secret and must never be shared, committed to git, or pasted into a public chat.
Everything else is probably fine.
That's the whole mental model. The rest of this guide teaches you to recognize secrets and handle them properly.
These are the things that, if leaked, can cost you real money or compromise your accounts:
sk-abc123def456ghi789jklmnop # OpenAI
sk-ant-api03-abc123... # Anthropic / Claude
AIzaSyD-abc123... # Google
API keys let anyone make requests on your account — and run up your bill. One leaked OpenAI key on GitHub can rack up thousands of dollars in hours.
[43,168,77,234,12,...] # Solana keypair (JSON array)
0xabc123def456... # Ethereum/EVM private key
abandon ability able about above... # 12-24 word seed phrase
This is the big one. Private keys control wallets. If someone gets your private key, they can drain every token instantly and irreversibly. There is no customer support, no chargebacks, no recovery.
postgresql://<username>:<password>@host:5432/dbname
mongodb+srv://<username>:<password>@cluster.mongodb.net
Database connection strings contain usernames and passwords. A leaked connection string means someone can read, modify, or delete all your data.
ghp_abc123... # GitHub personal access token
xoxb-abc123... # Slack bot token
JWT_SECRET=mysupersecretvalue # Session signing key
These grant access to third-party services or let attackers forge user sessions.
These things are fine to share, commit to git, and discuss publicly:
Public RPC endpoints like https://api.mainnet-beta.solana.com (these are public)
.env.example files (templates with placeholder values, not real secrets)
The industry-standard way to handle secrets:
Create a .env file with your real secrets:
# .env (NEVER commit this)
DATABASE_URL=postgresql://admin:s3cret@localhost:5432/mydb
API_KEY=sk-abc123def456
STRIPE_SECRET=sk_live_abc123
Create a .env.example with placeholder values:
# .env.example (DO commit this)
DATABASE_URL=postgresql://user:password@localhost:5432/dbname
API_KEY=your-api-key-here
STRIPE_SECRET=your-stripe-secret-here
Add .env to your .gitignore:
# .gitignore
.env
.env.local
.env.production
When you clone a project that uses .env:
cp .env.example .env # Create your .env from the template
nano .env # Add your real values
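The .env / .env.example split only works if the two files stay in sync and the template never carries a real value. The following is an added example (not code from the original guide) of a small checker that parses both files and reports the four things that go wrong in practice: a documented key that .env never sets, a key in .env still holding the template's placeholder, a key in .env that the template does not mention, and a template value that does not look like a placeholder. The two file contents are constructed samples, and the placeholder-word list is an assumption you should extend for your own conventions.

```python
import re

# Words that mark a template value as fake. This list is an assumption; add
# whatever placeholder conventions your team uses.
PLACEHOLDER_WORDS = {"your", "changeme", "example", "placeholder", "password",
                     "username", "user", "dbname", "xxx", "todo", "replace"}


def parse_dotenv(text):
    """Parse KEY=VALUE lines into a dict. Handles blank lines, # comments,
    an optional `export ` prefix, quoted values and trailing comments on
    unquoted values. Lines that are not KEY=VALUE are skipped."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", key):
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        else:
            value = value.split(" #", 1)[0].rstrip()
        values[key] = value
    return values


def looks_like_placeholder(value):
    """Heuristic: a template value is empty, <angle-bracketed>, or contains an
    obviously fake word. Anything else is treated as possibly real."""
    if value == "" or (value.startswith("<") and value.endswith(">")):
        return True
    tokens = {t.lower() for t in re.split(r"[^A-Za-z0-9]+", value) if t}
    return bool(tokens & PLACEHOLDER_WORDS)


def check_env_files(example_text, env_text):
    """Compare .env.example against .env and return the problems found."""
    example = parse_dotenv(example_text)
    env = parse_dotenv(env_text)
    return {
        # documented in the template but never set locally
        "missing": sorted(k for k in example if k not in env),
        # set locally, but still equal to the placeholder (the cp step was never followed by editing)
        "unfilled": sorted(k for k in example if k in env and env[k] == example[k]),
        # set locally but absent from the template, so the template is stale
        "undocumented": sorted(k for k in env if k not in example),
        # template values that look real and would be committed
        "real_in_template": sorted(k for k, v in example.items() if not looks_like_placeholder(v)),
    }


# Constructed samples: a template with one real-looking value that slipped in,
# and a local .env that was copied from it but only partly filled in.
EXAMPLE_TEXT = """\
# .env.example (constructed sample; DO commit this)
DATABASE_URL=postgresql://user:password@localhost:5432/dbname
API_KEY=your-api-key-here
STRIPE_SECRET=your-stripe-secret-here
JWT_SECRET=mysupersecretvalue   # a real-looking value that slipped into the template
"""

ENV_TEXT = """\
# .env (constructed sample; NEVER commit this)
DATABASE_URL="postgresql://admin:s3cret@localhost:5432/mydb"
API_KEY=your-api-key-here
export HELIUS_RPC=https://mainnet.helius-rpc.com/?api-key=abc123
"""

if __name__ == "__main__":
    for problem, keys in check_env_files(EXAMPLE_TEXT, ENV_TEXT).items():
        print(f"{problem}: {keys}")
```

Run it as a pre-commit or CI step against the real files; a non-empty `real_in_template` should fail the build, and `unfilled` is the usual reason a freshly cloned project fails at startup.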
The most common security mistake in software: accidentally committing a secret to git.
Even if you delete the file in a later commit, the secret is still in the git history. Anyone who clones the repo can see every previous commit. Bots actively scan GitHub for leaked API keys — they'll find yours within minutes.
# Search your git history for common secret patterns
git log -p | grep -i "api_key\|secret\|password\|private"
# Search current files
grep -r "sk-\|sk_live\|ghp_\|xoxb-" . --include="*.ts" --include="*.js" --include="*.env"
# Remove the file from every commit with git-filter-repo (install first: pip install git-filter-repo)
git filter-repo --invert-paths --path path/to/file-with-secret
Rewriting history does not unpublish the secret: anyone, or any bot, that already cloned or scanned the repo has it, and forks keep the old commits. Revoke and rotate the key first, then rewrite history, force-push, and have collaborators re-clone.
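The grep commands above catch a few prefixes but miss the wallet-shaped secrets from the list earlier in this guide (a 64-byte JSON keypair, a 32-byte hex key, a bare seed phrase) and they do not say which kind of secret matched. The following is an added example (not code from the original guide) of a scanner that runs the guide's whole list of secret shapes over text such as `git log -p` output or a staged file. The vendor prefixes (sk-, sk-ant-, AIza, ghp_, xoxb-, sk_live_) are real conventions; the length bounds, the 12/24-word seed-phrase heuristic and the sample input are assumptions and constructed data.

```python
import json
import re

# Regexes for the secret shapes this guide lists, each with a confidence. The
# prefixes are the vendors' real conventions; the length bounds are assumptions.
PATTERNS = [
    ("openai_api_key", re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}"), "high"),
    ("anthropic_api_key", re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}"), "high"),
    ("google_api_key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"), "high"),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), "high"),
    ("slack_bot_token", re.compile(r"\bxoxb-[0-9]+-[0-9A-Za-z-]+"), "high"),
    ("stripe_live_key", re.compile(r"\bsk_live_[A-Za-z0-9]{16,}"), "high"),
    # 32 bytes of hex is an EVM private key, but also a tx hash or keccak
    # digest, so it only warrants a manual review rather than a hard block.
    ("evm_private_key", re.compile(r"\b0x[0-9a-fA-F]{64}\b"), "medium"),
    ("db_connection_string",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^:/\s@]+:[^@\s]+@"), "high"),
]

# A Solana keypair file is a JSON array of 64 bytes (32-byte seed + 32-byte public key).
SOLANA_KEYPAIR = re.compile(r"\[\s*(?:\d{1,3}\s*,\s*){63}\d{1,3}\s*\]")

# A bare line of exactly 12 or 24 lowercase words has the shape of a BIP39 seed
# phrase. Without the wordlist this is only a heuristic, so it is reported as low confidence.
MNEMONIC_LINE = re.compile(r"^(?:(?:[a-z]{3,8} ){11}|(?:[a-z]{3,8} ){23})[a-z]{3,8}$")


def scan_text(text):
    """Return (line_number, label, confidence) for every line that matches."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern, confidence in PATTERNS:
            if pattern.search(line):
                findings.append((lineno, label, confidence))
        m = SOLANA_KEYPAIR.search(line)
        if m and all(0 <= n <= 255 for n in json.loads(m.group(0))):
            findings.append((lineno, "solana_keypair_json", "high"))
        if MNEMONIC_LINE.match(line.strip()):
            findings.append((lineno, "possible_seed_phrase", "low"))
    return findings


# Constructed sample: no real credentials, every value is made up.
SAMPLE_LINES = [
    "# constructed sample of a file that was about to be committed",
    "OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz0123456789",
    "ANTHROPIC_API_KEY=sk-ant-api03-abcdefghijklmnopqrstuvwxyz0123456789",
    "GOOGLE_API_KEY=AIzaSyD-abcdefghijklmnopqrstuvwxyz01234",
    "GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789",
    "SLACK_TOKEN=xoxb-123456789012-abcdefghijklmnop",
    "STRIPE_SECRET=sk_live_abcdefghijklmnop1234",
    "DATABASE_URL=postgresql://admin:s3cret@localhost:5432/mydb",
    "DEPLOYER_KEY=0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "RPC_URL=https://api.mainnet-beta.solana.com",
    "const keypair = " + json.dumps(list(range(64))) + ";",
    "abandon ability able about above absent absorb abstract absurd abuse access accident",
]
SAMPLE = "\n".join(SAMPLE_LINES)

if __name__ == "__main__":
    for lineno, label, confidence in scan_text(SAMPLE):
        print(f"line {lineno}: {label} ({confidence})")
```

Pipe `git log -p` or the staged diff into `scan_text` from a pre-commit hook; block the commit on any high-confidence hit and print the medium and low ones for a human to look at. The public RPC URL in the sample produces no finding, which is the distinction the rest of this guide is about.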
Add these to every .gitignore:
.env
.env.*
!.env.example
*.pem
*.key
*secret*
*keypair*
When you use AI coding tools like Claude Code or Cursor, the AI reads your project files to understand your code. Here's what to know:
Create a .claudeignore file (works like .gitignore) to prevent Claude Code from reading sensitive files:
# .claudeignore
.env
.env.*
*.pem
*.key
secrets/
Claude Code also has a deny list in its settings file (.claude/settings.json in the project, or ~/.claude/settings.json for your user), under the permissions key. You can block the Read tool from specific files:
{
  "permissions": {
    "deny": [
      "Read(~/.ssh/*)",
      "Read(*private*key*)",
      "Read(*secret*)",
      "Read(*mnemonic*)"
    ]
  }
}
This means even if you accidentally ask Claude Code to read a private key file, it will refuse. The deny list only governs what the tool reads on its own: anything you paste into the prompt, or that shows up in the output of a command you let it run, is still sent to the model.
Many AI tools skip .env files by default, but do not rely on that; use the ignore file and deny rules above so the behaviour is explicit.
If you're building in crypto/Web3, the stakes are higher because transactions are irreversible.
Wallet keypair files (like Solana's JSON keypair) contain your private key. These files should:
Live outside the project directory (for example in ~/.config/solana/)
Have owner-only permissions: chmod 600 keypair.json
Public RPC endpoints (like https://api.mainnet-beta.solana.com) are safe to share. But paid RPC endpoints often include an API key in the URL:
# This is a secret (contains API key):
https://mainnet.helius-rpc.com/?api-key=abc123
# This is public:
https://api.mainnet-beta.solana.com
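An RPC URL with a key in it ends up in logs, error messages and bug reports, so the question "is this URL a secret?" needs answering in code, not just by eye. The following is an added example (not from the original guide) of a classifier that decides whether an RPC URL carries a credential and returns a redacted copy safe to log. It goes slightly beyond the page: besides a key in the query string (the helius-style case above) it also treats user:password@ in the authority and a long opaque path segment as credentials, since some providers put the key in the path. The parameter-name list, the 20-character path heuristic and the example.com URLs are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names providers commonly use to carry the API key.
# This list is an assumption and is not exhaustive.
KEY_PARAMS = {"api-key", "api_key", "apikey", "key", "token", "access_token"}

# A path segment this long made only of URL-safe characters is treated as an
# embedded key. The threshold is a heuristic, not a provider specification.
OPAQUE_SEGMENT = re.compile(r"[A-Za-z0-9_-]{20,}")


def classify_rpc_url(url):
    """Return (is_secret, redacted_url).

    A URL is a secret if it carries a key in the query string, credentials in
    the authority (user:pass@host), or an opaque key-like path segment. The
    redacted copy keeps the host and structure so it is still useful in logs."""
    parts = urlsplit(url)
    secret = False

    query = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in KEY_PARAMS:
            secret = True
            value = "REDACTED"
        query.append((name, value))

    netloc = parts.netloc
    if "@" in netloc:
        secret = True
        netloc = "REDACTED@" + netloc.rsplit("@", 1)[1]

    segments = parts.path.split("/")
    for i, seg in enumerate(segments):
        if OPAQUE_SEGMENT.fullmatch(seg):
            secret = True
            segments[i] = "REDACTED"

    redacted = urlunsplit((parts.scheme, netloc, "/".join(segments),
                           urlencode(query), parts.fragment))
    return secret, redacted


if __name__ == "__main__":
    # Constructed inputs: the two URLs from the guide plus two more shapes.
    for url in [
        "https://mainnet.helius-rpc.com/?api-key=abc123",
        "https://api.mainnet-beta.solana.com",
        "https://rpc.example.com/v2/abcdefghijklmnopqrstuvwxyz",
        "wss://user:pw@rpc.example.com/ws",
    ]:
        secret, shown = classify_rpc_url(url)
        print(("SECRET " if secret else "public ") + shown)
```

Call `classify_rpc_url` on any URL before it reaches a logger or an exception message, and treat an `is_secret` result the same way as the keys in the list at the top of this guide: it belongs in .env, not in code.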
If your project handles significant funds, use a hardware wallet (Ledger, Trezor) for signing. Your code should request signatures from the hardware wallet — never store mainnet private keys on a server.
Before you push any code:
.env is in .gitignore
.env.example has placeholder values, not real ones
If in doubt, treat it as secret. The cost of over-protecting something is zero. The cost of under-protecting something can be catastrophic.
Now that you know what's safe, it's time to build something. Check out our First Projects guide for 5 beginner wins.