
Commit 523e037

Merge 70b914b into 09c26fa
2 parents 09c26fa + 70b914b commit 523e037


2 files changed (+19 / -0 lines)


README.md

Lines changed: 17 additions & 0 deletions
@@ -29,6 +29,23 @@ Happy seafaring! ⛵️
2929
- [Frequently Asked Questions](developerDocs/faq.md)
3030
- [Contributing](developerDocs/contributing.md)
3131

32+
### Security Warning
33+
34+
**⚠️ Do not use this SDK directly in client-side/frontend applications.**
35+
36+
The OpenSea SDK requires an API key for initialization. If you embed your API key in frontend code (e.g., browser applications, mobile apps), it will be publicly exposed and could be extracted by anyone, leading to potential abuse and rate limit issues.
37+
38+
#### Recommended Architecture
39+
40+
For frontend applications that need to interact with OpenSea functionality:
41+
42+
1. **Create a backend API wrapper**: Set up your own backend server that securely stores your OpenSea API key
43+
2. **Call OpenSea SDK server-side**: Use opensea-js on your backend to interact with OpenSea's APIs
44+
3. **Return data to your frontend**: Send the necessary data (like transaction parameters) back to your frontend
45+
4. **Execute transactions in the browser**: Have users sign transactions with their own wallets (e.g., MetaMask) in the browser
46+
47+
For a detailed example of this architecture, see [this guide on frontend fulfillment architecture](https://gist.github.com/ryanio/52b909dc36e50dd0c03983983ed5839b).
48+
3249
## Changelog
3350

3451
The changelog for recent versions can be found at:
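Review bot: The Recommended Architecture steps move the API key behind a backend but never say that the backend must authenticate and rate-limit its own callers; as written, step 1 "Create a backend API wrapper" describes an unauthenticated proxy that re-exposes the key's quota to anyone who discovers the endpoint, which is the same "abuse and rate limit issues" outcome the warning paragraph is trying to prevent. Suggest adding a sentence to step 1 or 2 such as "Restrict the wrapper to your own authenticated users and rate-limit it, so the backend does not become an open proxy for your key." Two smaller points: `### Security Warning` is a level-3 heading while the neighbouring `## Changelog` is level 2, so the warning renders as a subsection of whatever section precedes the FAQ/Contributing list rather than as a top-level section; and the only worked example is an external personal gist (gist.github.com/ryanio/...), which would be more durable as a page under developerDocs/ next to faq.md and contributing.md.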

developerDocs/quick-start.md

Lines changed: 2 additions & 0 deletions
@@ -52,3 +52,5 @@ const openseaSDK = new OpenSeaSDK(walletWithProvider, {
5252
```
5353

5454
In a browser with web3 or an extension like [MetaMask](https://metamask.io/) or [Coinbase Wallet](https://www.coinbase.com/wallet), you can use `window.ethereum` to access the native provider.
55+
56+
> **⚠️ Security Warning**: While the SDK supports browser-based providers like `window.ethereum`, **you should never include your API key in client-side code**. Exposing your API key in frontend applications allows anyone to extract and abuse it. Instead, use the SDK on a secure backend server and return transaction data to your frontend. See the [README Security Warning](../README.md#security-warning) for the recommended architecture.
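Review bot: The new blockquote tells readers never to put the API key in client-side code, but it is appended directly under the `window.ethereum` paragraph, which still presents browser-side construction of `OpenSeaSDK` as a supported path, and the README hunk in this same commit states the SDK requires an API key for initialization. The quick start therefore ends on the exact configuration the warning forbids, with no indication of what the client-side code should do instead. Suggest rewording the paragraph above so that `window.ethereum` is described as the provider the user's wallet signs with in the browser, while the `OpenSeaSDK` instance holding the key is created on the server (matching step 4 of the README architecture), or moving the browser-provider sentence under its own subheading so it is not read as a way to initialize the SDK. Also worth checking that `../README.md#security-warning` resolves: GitHub derives that anchor from the `### Security Warning` heading text, so the link only holds while the heading stays exactly that.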
