The SDK defaults to the Synapse production gateway:
https://api.synapse-network.ai
Production credentials, production private keys, and live-funds workflows should only target the verified production gateway. Staging remains available only for sandbox/E2E rehearsals at https://api-staging.synapse-network.ai with Arbitrum Sepolia and MockUSDC.
Never commit or publish:
- Agent credentials
- JWT access tokens
- Provider secrets
- Wallet private keys
- Wallet mnemonics
- RPC provider API keys
- Production logs containing request headers or authorization data
Use environment variables, a secret manager, or your runtime platform's encrypted secret store.
- Stop using the leaked credential immediately.
- Rotate or revoke it from the Synapse control plane when available.
- Remove the leaked value from logs, screenshots, PRs, issues, and agent context.
- Treat any related wallet or provider key as compromised if it was exposed together with the credential.
Please report suspected vulnerabilities privately to the project maintainers instead of opening a public GitHub issue with exploit details or secrets.
Include:
- Affected SDK language and version or commit SHA
- Gateway environment used (
local,staging, orprod) - Minimal reproduction steps
- Whether any credentials, private keys, or funds may be exposed
Do not include real secrets in the report body. If secret material was exposed, say so and coordinate secure transfer or revocation with the maintainers.
Before publishing an SDK release, run:
git ls-files | rg '(^|/)\\.env|private|secret|key|pem|wallet|mnemonic|credential' | rg -v '(^|/)\\.env\\.example$'
rg 'gateway\\.synapse\\.network' .The first command should not show committed secret-bearing files after the .env.example allowlist. The second command should not show SDK references to the stale gateway domain.