Production Checklist

Before deploying Engine to production, ensure you have completed the following steps.

  • Ensure access tokens are not accessible from your frontend. The Engine API is intended to be called from your backend only.

    Exception: Relayer endpoints do not require access tokens.

  • Securely store access tokens, vault admin keys, and your project's secret key. You may use a secrets manager such as AWS Secrets Manager or Google Secret Manager.

  • Use labels to keep track of your wallets, admins, and access tokens.

  • Use access tokens with expirations to grant time-bound access.

After deploying Engine to production, regularly check the following to keep your setup secure.

  • Regularly review the admins list to remove inactive and former team members.
  • Rotate credentials such as access tokens, admin keys, and your project's secret key if they have been compromised.
  • Ensure your server wallets have sufficient funds. Use wallet webhooks to alert when your gas balance is low.
  • Use a wallet backed by AWS KMS or Google KMS. Wallet access is always recoverable and your wallet's private keys are never exposed.
  • If using a local wallet: back up the private key. Engine cannot recover private keys if the encrypted stored data is lost or corrupted.