Solana CLI Best Practices
A condensed summary of the 25 most important Solana CLI practices drawn from every page in this section.
-
Pin Agave and CLI versions: Install Agave 4.1.1 so
solana --versionreports CLI 3.0.10 - mismatched toolchains cause deploy and RPC surprises (Solana CLI Basics). -
Verify config before every session: Run
solana config getand confirm RPC URL, keypair path, and commitment match the cluster you intend to touch. -
Separate keypairs per cluster: Never reuse a mainnet-funded key as your default on devnet scripts - reduces accidental mainnet spends.
-
Never commit keypair JSON: Add
*-keypair.jsonandid.jsonpaths to.gitignore; load production keys from secrets managers only (Keypairs with solana-keygen). -
Record seed phrases offline: Backup BIP39 phrases when creating keys - disk loss without a phrase is unrecoverable.
-
chmod 600 key files: Restrict secret key files to your user on Unix hosts before funding wallets.
-
Use devnet for faucet workflows: Fund with
solana airdroponly on devnet/testnet; mainnet requires real SOL (Airdrops & Balances). -
Leave fee headroom: Keep at least 0.01 SOL on active dev wallets - rent and priority fees consume more than the base 5,000 lamports.
-
Double-check recipient pubkeys: Test with a dust transfer before large payouts - base58 typos are irreversible (Sending SOL & Transactions).
-
Use finalized commitment for treasury ops: Set
--commitment finalizedwhen confirming high-value transfers on mainnet. -
Inspect before you debug code: Run
solana accountandsolana program showto verify owners, data length, and upgrade authority (Inspecting Accounts & Programs). -
Align program IDs everywhere:
declare_id!,Anchor.toml, and deploy keypair must share one pubkey before deploy (Deploying Programs). -
Build release artifacts for deploy: Use
anchor build/cargo build-sbfrelease output - debug.sofiles waste rent and CU. -
Fund deploys for programdata rent: Large programs need more lamports than a 2 SOL devnet airdrop - check balance before
program deploy. -
Transfer upgrade authority deliberately: Move authority to multisig on mainnet; use
--finalonly when immutability is intended. -
Use spl-token for tokens: Native
solana transfernever moves SPL balances - usespl-token transferwith--fund-recipient(spl-token CLI). -
Think in raw token units: Multiply human amounts by 10^decimals when minting or transferring SPL tokens.
-
Stream logs in a second terminal: Pair
solana logswith local validator or devnet RPC while iterating on program errors (Logs & Debugging). -
Capture failed transaction JSON:
solana transaction <SIG> --output json-compactpreserveslogMessagesfor tickets and CI artifacts. -
Prefer provider RPC for reliability: Public endpoints rate-limit; use dedicated devnet/mainnet URLs in
solana config set --url. -
Export config for CI carefully:
solana config get --jsonis fine for RPC URLs - never commit paths to production keypairs in shared repos. -
Confirm signatures explicitly in scripts: Use
solana confirm -vand check exit codes instead of assuming--no-waitsubmissions landed. -
Dump program binaries to verify deploys:
solana program dumpplus hash compare catches wrong-cluster or wrong-artifact deploys. -
Revoke mint authority after launch:
spl-token authorize <MINT> mint --disablewhen fixed supply is a requirement. -
Document cluster in runbooks: Every ops doc should state RPC URL, commitment, and CLI version so on-call actions match developer machines.
FAQs
What is the single highest-risk CLI mistake?
Running mainnet commands with a mainnet-funded default keypair while believing you are on devnet - always solana config get first.
Should teams share one dev keypair?
Prefer a shared devnet treasury plus per-engineer keys for auditability. Never share mainnet upgrade authority keys.
How do CLI practices relate to Anchor?
Anchor wraps the same deploy and keypair files - CLI hygiene directly protects anchor deploy outcomes.
Minimum checklist before mainnet deploy?
Pinned toolchain, funded payer, matching program ID, release build, devnet dry-run, multisig upgrade authority plan.
How often should I rotate dev keys?
Rotate when engineers leave or keys touch shared CI logs. Devnet keys are low stakes but good habit for mainnet discipline.
Related
- Solana CLI Basics - section entry point
- Keypairs with solana-keygen - key generation detail
- Deploying Programs - deploy workflow
- Toolchain Best Practices - version pinning beyond CLI
Stack versions: This page was written for Agave 4.1.1, Solana CLI 3.0.10, Anchor 0.32.1, anchor-lang 0.32.1, Rust 1.91.1, @solana/kit 7.0.0, Surfpool 0.12.0, and LiteSVM 0.6.x.