Security
Latrine Bot must sign transactions as your Pump.fun creator wallet. This page explains what is stored, what is exposed, and how to reduce risk.
What you entrust to the service
- Dev wallet private key - used to claim creator fees, buy back your token, and send airdrops.
- RPC URL with API key - used for all Solana JSON-RPC and DAS holder snapshots.
- Project settings - mint (CA), auto-derived token symbol, tiers, thresholds, mode. The ticker is not a separate secret; it is looked up from DexScreener when the mint is saved.
How secrets are stored (cloud)
- Credentials are encrypted at rest with AES-GCM using a server master key (
SECRETS_MASTER_KEY). - Decrypted only inside the worker during an active mainnet cycle.
- After save, the dashboard shows only a masked RPC hint - not the full URL or key.
- Public Metrics API and event feeds never return private keys or full RPC URLs.
Session access
Dashboard login supports Sign-In With Solana (Phantom), Google OAuth, and X OAuth. Each method is a separate account - not linked. OAuth logins do not require owning a Solana wallet for sign-in, but running the bot still requires saving a dev wallet secret under Credentials.
Sessions use a JWT (about 7 days) in an HTTP-only cookie and, in the dashboard, localStorage.
Anyone with access to your browser while logged in can change settings or start the bot if they also know or paste the dev secret.
Sign out with the dashboard logout control (POST /api/auth/logout). See Authentication.
Public distribution transparency
Fee split, default payout currency, public perk toggles, and hold fund transparency are shown on the token page (hold fund card in goal mode or Dex Vault mode).
When a project owner saves a change to any of those fields, the API appends POLICY events that appear in the public activity log and dashboard Output.
This is mandatory and server-enforced - there is no project setting to disable logging or to customize what counts as a major distribution cut.
Only the platform operator can moderate unrelated social-boost claims; policy audit lines are not editable by devs through the dashboard.
Holder perk signatures (public token page)
Saving a holder reward preference uses the same SIWS challenge flow as dashboard login
(GET /api/auth/challenge?wallet=), but the signed message is sent to
POST /api/public/realm/:id/reward-preference (or the showcase mirror under
/api/public/latrine/reward-preference). Nonces are single-use and bound to the wallet.
This proves ownership without storing private keys on the server.
X post boost claims do not require SIWS. The server fetches the tweet server-side and enforces: one X post URL per token forever (first claim wins globally), and one active claim per wallet per token while the boost window runs. Different wallets can claim different posts on the same token; the same wallet can boost other tokens in parallel.
Metrics API keys
- Format:
lb_live_followed by random hex. - Read-only access to metrics and events for one project.
- Shown once when generated - copy immediately.
- If a key leaks (for example embedded in a public OBS browser source), revoke and generate a new key in the dashboard.
Dex Vault
When you activate Dex Vault, the Service generates a dedicated locked vault wallet per project and stores its private key encrypted (same AES-GCM family as dev wallet secrets). Hold fees from your hold % slice route to this vault each cycle - segregated from the dev wallet. Only the worker signs vault transfers during LIVE cycles and Dex payment. The vault public key and balance are public on the token page and APIs. You cannot withdraw vault funds through the dashboard; they are reserved for automated DexScreener payment.
Dex Prefill images (icon, header) are stored in object storage and served at public URLs so DexScreener can fetch them during order creation.
Recommendations
- Use a dedicated dev wallet that launched the token - not your main holdings wallet.
- Keep only enough SOL on the dev wallet for fees and reserves.
- Never paste your dev secret into chat, streams, or public repos.
- Use a Helius key with usage limits and rotate it if exposed.
- Run Launch readiness after any credential or settings change before Start.
- Review eligibility tiers so you do not airdrop to unintended large wallets (anti-whale cap).
What the bot cannot do
- Move tokens you did not buy in the current buyback step (it only distributes bought tokens to eligible holders).
- Claim fees without the dev wallet being the on-chain creator for that mint.
- Run cycles without valid credentials, mint, or a passing creator-wallet check.