Please report security issues privately by emailing security@marketpal.ai. Do not open a public issue that contains API keys, tokens, account identifiers, or exploit details.

MPAL_API_KEY is a bearer credential. Keep it out of source control, logs, and shared prompts. If a key is exposed, rotate or revoke it in Marketpal before sharing diagnostics.

The CLI sends the key only in the Authorization: Bearer <key> header to the configured MPAL_BASE_URL.

mpal does not contain live order placement. Security reports about any path that appears able to place, route, or execute trades are high priority.