
Security Practices

There are several security best practices that you should review before you launch your NFT project.


Your NFT project's security

Sometimes it can seem easy to connect the pieces required to mint and sell NFTs on Cardano, but you have a responsibility to protect your customers from potential pitfalls.

Reviewing our best practices and staying up to date with the best way to perform secure and scalable NFT drops on Cardano will help ensure your success.

Preventing bots from buying your NFTs

If you have a large enough following or vulnerabilities in your NFT minting system then your NFTs can be purchased by bots.

Typically people will deploy bots in order to obtain as many of the NFTs as they can with hopes that the scarcity that comes from purchasing them all drives up the price on the secondary market.

It's up to you to ensure that your project is using the best method of minting and selling your NFTs based on your tolerance for this potential behavior.

Protecting your NFT reservation implementation

If you're selling your NFTs by using our API to generate unique addresses for each potential customer then there are several ways to prevent malicious behavior.

You can make sure you only reserve an NFT for purchase if the user clicks a certain button on a webpage. If you automatically reserve an NFT for purchase as soon as someone goes to your website then it's easy for people to open up tens or even hundreds of tabs and reserve all of the NFTs available rather quickly.

You can implement a reCAPTCHA (or similar) so that prospective buyers validate they are human before you create their unique address. Remember, only after the person has correctly solved the reCAPTCHA (or another verification method) should you generate the wallet address for them to use.

You could also implement a login system with email validation. This way you know only people who have a valid email address can reserve an NFT which makes it difficult to scale to reserving many.

Even the options we listed aren't foolproof. It's up to you to stay informed of the best practices in the always-changing Cardano NFT space.

Protecting your pay-in address implementation

If you're selling your NFTs by using our pay-in address implementation to have a single wallet address that everyone uses then there are different ways to prevent malicious behavior.

If you want only a certain group of people to use the address then you should try and ensure it stays as hidden as possible. It's easy for a single person to copy and paste the pay-in wallet address and instructions on social media. That's why it's important for you to explicitly tell your customers not to share the details of the sale.

You could also make sure to only post the address and buying instructions in a closed community like an email newsletter list, a private Discord group, DM'ing specific individuals, accounts on your website, etc.

By limiting the overall exposure of the pay-in address you have a better chance of preventing an individual from minting a majority of your NFTs.

Setting up an external hardware wallet

Your Internal Wallet is a wallet assigned to your account but managed by NMKR Studio. You can use it for minting NFTs or receiving ADA from your sales.

At the same time, we advise that you connect your own wallet external to NMKR Studio and never store large sums of ADA in the Internal Wallet.

You can use the Internal Wallet to facilitate your NFT sales but using an external wallet connected to a hardware device is the most secure option available.

Protect your NMKR Studio API usage

Since NMKR Studio is an API-based solution, it can be accessed from your local computer, a website, a server, etc. Although it's possible, it's not intended for you to make API calls directly to NMKR Studio from your website.

We recommend that if you need to interact with our API based on an action that a user does on your website then you call an API that you own and your server then calls our API to complete the action.

Don't expose your NMKR Studio key on your website or your own API.

Don't expose values like NFT project IDs, NFT IDs, etc. anywhere to the public.
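The reservation advice above (reserve only on an explicit click, and only after a solved CAPTCHA) and the API advice in this section (your server holds the key and calls NMKR Studio) can be combined in one server-side handler. This is an added example, not NMKR's own code: `verify_captcha`, `create_address`, the environment variable names, the limits and the response field names are all hypothetical.

```python
import os
import time
from collections import defaultdict, deque

# Secrets and internal IDs stay on the server (env var names are assumptions).
NMKR_API_KEY = os.environ.get("NMKR_API_KEY", "")
PROJECT_UID = os.environ.get("NMKR_PROJECT_UID", "")

MAX_RESERVATIONS = 2   # assumed per-client limit
WINDOW_SECONDS = 600   # assumed sliding window
_recent = defaultdict(deque)  # client id -> timestamps of granted reservations


def within_limit(client_id, now):
    """Sliding-window throttle so one client cannot reserve the whole drop."""
    q = _recent[client_id]
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()
    if len(q) >= MAX_RESERVATIONS:
        return False
    q.append(now)
    return True


def reserve_address(captcha_token, client_id, verify_captcha, create_address, now=None):
    """Handler for the explicit 'Reserve' button POST; returns (status, body).

    verify_captcha(token) -> bool and create_address(api_key, project_uid) -> dict
    are injected, hypothetical wrappers around the CAPTCHA provider's
    server-side check and the NMKR Studio API call.
    """
    now = time.time() if now is None else now
    # 1. Missing or rejected CAPTCHA token: stop before any upstream call.
    if not captcha_token or not verify_captcha(captcha_token):
        return 403, {"error": "captcha_failed"}
    # 2. Throttle per client (account, verified email or IP).
    if not within_limit(client_id, now):
        return 429, {"error": "too_many_reservations"}
    # 3. Only now is an address generated, using the server-held key.
    upstream = create_address(NMKR_API_KEY, PROJECT_UID)
    # 4. Allow-list the reply: forward the address and expiry, nothing else
    #    (field names are assumptions, not the real API schema).
    return 200, {"address": upstream["address"], "expires": upstream["expires"]}
```

The browser only ever sees the address and its expiry; the API key, project ID and NFT IDs never leave the server.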

More important security practices

  • Show your policy ID to your customers so they don't get scammed

  • Don't commit your NMKR Studio API Keys to a repository

  • Don't publish your keys to any of your policies anywhere online

  • Don't get tricked by people asking for an NFT they didn't get

  • Don't let someone get refunded twice by doing it manually

  • Don't collect personal information if you don't have to
