Report security issues to: security@arcrouter.com
Include: description, steps to reproduce, potential impact.
We respond within 72 hours.
- Private key handling — the SDK accepts an EVM signer but never stores or logs private keys. Only the signed payment payload is transmitted.
- API key transmission — the `apiKey` is sent as `Authorization: Bearer sk_...` over HTTPS only. Never log or expose the key.
- x402 payment signing — payment signatures are created via the user-supplied wallet signer. The SDK does not have access to private keys.