// This skill should be used when building secure Bankr integrations, implementing API key management, configuring access controls, setting up dedicated agent wallets, or handling rate limits and security best practices in Bankr API projects.
| name | Bankr Dev - Safety & Access Control |
| description | This skill should be used when building secure Bankr integrations, implementing API key management, configuring access controls, setting up dedicated agent wallets, or handling rate limits and security best practices in Bankr API projects. |
| version | 1.0.0 |
Security patterns and best practices for Bankr API integrations.
Each API key has independent toggles managed at bankr.bot/api:
| Flag | Controls | Default |
|---|---|---|
agentApiEnabled | /agent/* endpoints | false |
llmGatewayEnabled | LLM Gateway at llm.bankr.bot | false |
readOnly | Restricts agent to read-only tools | false |
| Config | Agent API Key | LLM Gateway Key |
|---|---|---|
| Env var | BANKR_API_KEY | BANKR_LLM_KEY (falls back to API key) |
| CLI config | apiKey | llmKey (falls back to apiKey) |
When readOnly: true:
/agent/prompt works but only read tools are available/agent/sign returns 403/agent/submit returns 403// Handle read-only 403 errors
const response = await fetch(`${API_URL}/agent/sign`, { ... });
if (response.status === 403) {
const error = await response.json();
// error.message: "This API key has read-only access..."
}
// Requests from non-whitelisted IPs get 403
// Configure allowedIps at bankr.bot/api
const response = await fetch(`${API_URL}/agent/prompt`, { ... });
if (response.status === 403) {
const error = await response.json();
// error.message: "IP address not allowed for this API key"
}
For autonomous agents, create a separate Bankr account:
| Use Case | readOnly | allowedIps | Funding |
|---|---|---|---|
| Monitoring bot | Yes | Yes (server IP) | None |
| Trading bot (server) | No | Yes (server IP) | Limited |
| Development/testing | No | No | Minimal |
| Research agent | Yes | No | None |
| Tier | Daily Limit |
|---|---|
| Standard | 100 messages/day |
| Bankr Club | 1,000 messages/day |
| Custom | Set per API key |
// Handle 429 rate limit responses
const response = await fetch(`${API_URL}/agent/prompt`, { ... });
if (response.status === 429) {
const error = await response.json();
// error.resetAt: Unix timestamp when counter resets
// error.limit: Daily limit
// error.used: Messages used
const retryAfter = error.resetAt - Date.now();
}
// Always use environment variables
const API_KEY = process.env.BANKR_API_KEY;
const LLM_KEY = process.env.BANKR_LLM_KEY || API_KEY;
if (!API_KEY) {
throw new Error("BANKR_API_KEY not set. Get one at https://bankr.bot/api");
}
Storage rules:
~/.bankr/config.json for local development (CLI manages this)~/.bankr/, .env to .gitignore/agent/submit executes immediately with no confirmation promptwaitForConfirmation: true for important transactionsbankr-client-patterns - Client setup with error handlingbankr-api-basics - API fundamentalsbankr-sign-submit-api - Sync endpoints that need extra cautionThis skill should be used when building the async job workflow, implementing polling loops, handling job status transitions, processing rich data, managing conversation threads, or understanding the full submit-poll-complete lifecycle of the Bankr Agent API.
This skill should be used when building apps that need to sign messages, sign typed data (EIP-712), sign transactions, or submit raw transactions via the Bankr API. Covers the synchronous /agent/sign and /agent/submit endpoints with TypeScript patterns.
This skill should be used when the user asks about "agent profile", "create profile", "update profile", "project profile", "bankr.bot/agents", "profile page", "project updates", or any agent profile management operation.
This skill should be used when the user asks about "LLM gateway", "Bankr LLM", "LLM credits", "top up credits", "auto top-up", "llm.bankr.bot", "Claude Code gateway", "OpenClaw setup", "Cursor setup", "OpenCode setup", "LLM models", or any LLM gateway configuration or usage topic.
This skill should be used when the user asks about "API key security", "read-only key", "IP whitelist", "rate limits", "dedicated wallet", "agent wallet", "key rotation", "access control", or any safety, security, or access control topic related to Bankr.
This skill should be used when the user asks to "sign a message", "sign typed data", "sign a transaction", "submit a transaction", "submit raw transaction", "personal_sign", "EIP-712", "eth_signTypedData", "eth_signTransaction", or any direct signing or transaction submission operation. Covers the synchronous /agent/sign and /agent/submit endpoints.