Security and Privacy
Forge was built with the principle that powerful analytics shouldn’t compromise safety. Whether you’re using the hosted version or running a self-hosted deployment, Forge is designed to respect user privacy, protect data, and avoid exploitative behavior.
This page explains how Forge handles on-chain data, user interactions, and external integrations while maintaining a secure and transparent environment.
🔐 What Forge Does Not Do
- Forge does not front-run trades 
- Forge does not auto-execute transactions 
- Forge does not store private keys or wallet seed phrases 
- Forge does not monitor or retain personal DMs or Telegram content 
- Forge does not use AI to generate fake token activity or bots 
Everything Forge analyzes is based on publicly available, on-chain activity and open-access social metadata (when provided by token deployers or visible in groups).
📡 On-Chain Data Access
Forge only listens to:
- Token launches 
- Wallet transfers 
- Liquidity pool actions 
- Contract metadata 
- Public Telegram wallet joins (where possible) 
All data is processed in-memory or cached securely. No sensitive information is harvested, injected, or stored outside what’s already public on Solana.
🧠 Language Model Handling
If you're using the hosted version:
- Prompts are processed through OpenAI (GPT) or Anthropic (Claude) via encrypted API 
- No wallet data or secrets are sent 
- Context is sanitized before model input 
- Forge does not allow external models to store chat history or track identities 
In self-hosted setups:
- You choose your own model endpoint 
- You retain full control of prompt formatting, token usage, and inference logs 
🗂 User Session Data
In the hosted UI, Forge temporarily stores:
- Session chat history 
- Agent response logs 
- Follow-up action context 
This is session-scoped and can be cleared or disabled entirely.
For teams or DAOs, shared instances can be configured with role-based access and separate workspaces.
🔄 API Security
When using external APIs (Telegram, Twitter, etc.):
- All keys are stored in environment variables (.env)
- No keys are injected into AI prompts 
- API usage is rate-limited and scoped to read-only endpoints 
- If keys are compromised, Forge fails safe and disables related modules 
You should never expose Telegram bot tokens or trading keys directly in any agent logic.
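One way to enforce "context is sanitized before model input" and "no keys are injected into AI prompts" in a self-hosted setup is a redaction pass over the text before it is sent to the model endpoint. This is an added example, not Forge's own code: `sanitize_context`, the regular expressions, and the rule for which environment variable names count as secrets are assumptions, and all sample values are constructed.

```python
import os
import re

# Heuristic patterns (assumptions for this example, not Forge's own rules).
PATTERNS = {
    # Telegram bot token: numeric bot id, colon, 35-character secret part.
    "telegram_bot_token": re.compile(
        r"(?<![A-Za-z0-9_-])\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])"),
    # Base58 string long enough to encode a 64-byte Solana secret key.
    # Public addresses (32-44 characters) are shorter and are left untouched.
    "solana_secret_base58": re.compile(r"\b[1-9A-HJ-NP-Za-km-z]{86,88}\b"),
    # Keypair file contents: a JSON array of 64 byte values.
    "solana_secret_json": re.compile(r"\[\s*(?:\d{1,3}\s*,\s*){63}\d{1,3}\s*\]"),
}
# Environment variable names treated as secret-bearing (assumed convention).
SECRET_NAME = re.compile(r"TOKEN|KEY|SECRET|PASSWORD", re.IGNORECASE)


def sanitize_context(text, env=None):
    """Return (redacted_text, sorted labels of everything that was redacted)."""
    env = os.environ if env is None else env
    found = set()
    # 1. Exact-match redaction of our own configured secrets (.env values).
    for name, value in env.items():
        if SECRET_NAME.search(name) and len(value) >= 8 and value in text:
            text = text.replace(value, f"[REDACTED:{name}]")
            found.add(name)
    # 2. Pattern-based redaction for secrets that are not in our own config,
    #    for example a key a user pasted into the chat.
    for label, pattern in PATTERNS.items():
        text, count = pattern.subn(f"[REDACTED:{label}]", text)
        if count:
            found.add(label)
    return text, sorted(found)


if __name__ == "__main__":
    # Constructed sample values; none of these are real credentials.
    env = {"TWITTER_API_KEY": "tw-constructed-example-0001", "LOG_LEVEL": "debug"}
    prompt = (
        "Summarise wallet " + "B" * 44 + " activity. "
        "Bot token is 123456789:" + "A" * 35 + " and API key is "
        "tw-constructed-example-0001. Keypair: " + "5" * 88
    )
    redacted, labels = sanitize_context(prompt, env)
    print(redacted)
    print("redacted:", labels)
```

Logging the returned labels (never the matched values) gives you a signal for the "unexpected prompts" monitoring described under Safe Usage Guidelines.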
🛡 Safe Usage Guidelines
To keep your Forge instance secure:
- Never use or connect private keys to Forge 
- If the instance is public, host it behind HTTPS with rate limiting
- Use .env secrets and never hardcode sensitive data 
- Regularly update from upstream if you forked 
- Monitor logs for excessive API hits or unexpected prompts 
If you're building your own commercial version, consider adding login, wallet auth, or workspace isolation layers.
