> ## Documentation Index
> Fetch the complete documentation index at: https://docs.crossmint.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Best Practices

> Follow these steps to prevent common pitfalls

<Tabs>
  <Tab title="Secure your API Key">
    ## Secure API Key Management

    Your Crossmint API key is very powerful. It allows you to mint new NFTs, and also to edit them.

    **To prevent malicious agents from compromising your project:**

    * **Never** share these keys with others or using non encrypted channels.
    * **Never** commit these keys in code that is saved to version control, like Git. Instead, use environment variables.
    * **Never** use these keys from the client side / frontend of your website. These keys should only be used from the server side.

    <Warning>**If your API key gets compromised, delete it ASAP on the [developer console](https://www.crossmint.com/console/projects/apiKeys). You can generate a new one to continue using your contracts.**</Warning>
  </Tab>

  <Tab title="Optimize your Media Files">
    ## Choosing the right media

    Pay special attention to the format and encoding you use for your media files, to ensure your users can view their NFT with high quality even in low bandwidth environments. Consider the following:

    1. **Choose an efficient file format**: Crossmint recommends `PNG` or `WEBP` for images, and `MP4` for video.
    2. **Find the right balance between media quality and loading speed**.
       * **Pick the lowest resolution that fits your use case**: 1024x1024 looks crisp on mobile. For desktop, you can increase it by a factor of 2 or 3 without compromising speed notably.
       * **Optimize the file size**: If your audience is mobile, aim for up to 300KB for images, and 5MB for video.
  </Tab>

  <Tab title="Follow Metadata Standards">
    ## Ensure your metadata follows industry standards

    Follow the metadata standards to ensure compatibility with marketplaces, wallets, and other apps.

    For more detail, read the [metadata guide](/minting/nfts/integrate/define-metadata). You can create test NFTs in staging to verify they function properly with other applications.

    <Accordion title="Need to modify metadata but you have already minted?">
      You can use the [Edit NFT API](/minting/guides/edit-and-burn-nfts) to the metadata of an existing NFT.
    </Accordion>
  </Tab>

  <Tab title="Test">
    ## Validate on staging before deploying on mainnet

    It is best practice to test everything on a testnet before moving to production. You can access all the tools from the [staging console](https://staging.crossmint.com/console), and read more about the differences between staging and production [here](/introduction/platform/).
  </Tab>

  <Tab title="Prevent Bots">
    ## Protect against bots 🤖

    It's common for free NFT claims to get abused by automated scripting and bots. Crossmint offers additional protection vs doing your own contract, as mints can only happen when calling via the mint API (i.e. a bot can't mint directly submitting transactions onchain).

    <Accordion title="Additional protections for open claims">
      If you are designing an open claim, you may need to implement additional mechanisms to prevent malicious parties from abusing the system. Here are some options:

      * Require a small payment or some proof-of-human. For example, completing a quest or being a loyal customer of yours.
      * Require social media or email verification.
      * Adding ReCaptcha or an equivalent anti-bot artifact.
      * Leverage authentication services such as <a href="https://stytch.com/" target="_blank">Stytch</a> to verify your users.
      * Use anti fraud providers such as <a href="https://sift.com/" target="_blank">Sift Science</a> to detect “bot-like” activity in your website, and don't allow them to get your NFTs
      * IP rate limiting and geofencing
      * Honey-pot hidden form fields that bots will detect and fill out but humans can't see.
      * Blocking emails to aliases (+) `user@gmail.com` vs `user+1@gmail.com`].
      * Disallow disposable emails from minting your NFTs. A good source of disposable domains can be accessed <a href="https://github.com/disposable-email-domains/disposable-email-domains" target="_blank">here</a>.
    </Accordion>
  </Tab>
</Tabs>
