feat: route custom token metadata imports through proxy

[0xApotheosis]

⚠️ Requests unchained friend to be merged for the proxy to deploy: shapeshift/unchained#1265

Description

Route custom token metadata import lookups through api.proxy.shapeshift.com instead of direct browser Alchemy/Metaplex calls. The primary motivation is that our Alchemy key is being abused since it's checked into the repo. This PR puts it behind a proxy so the key isn't exposed client-side. The key will be rotated once this PR merges.

• Remove dead client-side Alchemy SDK usage and centralize supported custom-token chain IDs
• Remove committed VITE_ALCHEMY_POLYGON_URL and related config/type references
• Update CSP for proxy-based metadata lookups

Issue (if applicable)

N/A

Risk

Low-medium. This changes how custom token metadata is fetched (proxy vs direct Alchemy calls), but does not affect any on-chain transactions, wallet interactions, or core state management. If the proxy is unavailable, custom token imports would fail to resolve metadata.

What protocols, transaction types, wallets or contract interactions might be affected by this PR?

No protocols, transaction types, wallets, or contract interactions are affected. This only impacts the custom token import metadata lookup flow.

Testing

Engineering

• Verify custom token import flow works end-to-end on this branch

Operations

• Import a custom token (e.g. a lesser-known ERC-20 on Ethereum) via the trade asset search and verify metadata (name, symbol, icon) resolves correctly
• Verify custom token import on Polygon and other supported chains

Screenshots (if applicable)

N/A

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c9bbe372-e9af-49a7-bc10-2ead2ff76776

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/custom-token-metadata-proxy-v2

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[NeOMakinG]

✅ LGTM — Clean refactoring

Changes:

1. Proxy routing — Custom token metadata lookups now go through api.proxy.shapeshift.com instead of direct Alchemy calls
2. Removed committed API keys — VITE_ALCHEMY_API_KEY, VITE_ALCHEMY_POLYGON_URL, VITE_ALCHEMY_SOLANA_BASE_URL removed from .env
3. Centralized chain IDs — New CUSTOM_TOKEN_IMPORT_SUPPORTED_CHAIN_IDS constant replaces scattered Alchemy SDK references
4. CSP updates — Added proxy URL, removed direct Alchemy URLs

Benefits:

• No more client-side API keys
• Centralized monitoring and rate limiting via proxy
• Cleaner code with single source of truth for supported chains

CI passes ✅

---

🤖 Reviewed by Claude Code

[NeOMakinG]

🤖 QABot Test Report

✅ 1/1 tests passed

Test	Status
Code Review (proxy routing)	✅ Passed

Verified: Custom token metadata now routes through proxy API, committed API keys removed.

📊 Full Report: https://qabot-kappa.vercel.app/runs/27ac5bb7-4fe0-4104-96be-c8a4055b6c6d

---

🤖 Automated QA by Claude Code