TokenPlay is designed as a local, single-user tool. It stores runtime data in local JSON files under data/.
Do not commit or publish:
- data/*.json
- data/chat-sessions/
- data/single-chat-sessions/
- data/test-results/
- data/battle-games/
- data/api-keys.json
- data/.tokenplay-secret
- .env.local or any real .env* file
- public/avatars/uploads that may contain personal images
Only data/examples/*.json is intended to be public.
API keys are encrypted at rest with AES-256-GCM. The encryption key comes from TOKENPLAY_LOCAL_SECRET or from a generated local file at data/.tokenplay-secret.
This protects against casual offline text scans, not against a compromised machine or an attacker who can read both data/ and the local secret.
Do not expose this app directly to the public internet without adding authentication, authorization, CSRF protection, rate limits, and a production-grade secret management strategy. The built-in API routes assume a trusted local user.
If any of these files or keys has leaked (for example, was committed or pushed):
- Revoke and rotate all affected API keys immediately.
- Remove the sensitive files from the repository.
- Rewrite Git history before making the repository public.
- Check releases, tags, screenshots, issue attachments, and documentation for copied secrets.