API key security for bots: protect your exchange account
An API key is what lets your bot trade on your behalf — and if it leaks or is over-permissioned, it can drain your account. Securing your keys is the single most important operational step in running a bot. This guide covers permission scoping, the withdrawal rule that saves accounts, IP whitelisting, and safe storage.
What an API key actually is
An API key is a credential — usually a key plus a secret — that lets software act on your exchange account without your password. Your bot uses it to read balances and place orders. Because it grants real control, an exposed key is as dangerous as a leaked password. The deeper reference is our trading bot API key security guide; this is the practical checklist.
Scope the permissions tightly
Exchanges let you choose what each key can do. Grant only what the bot needs: read (balances, market data) and trade (place and cancel orders). Nothing else. The principle of least privilege means a leaked key can do less damage. A bot that only places spot trades never needs futures, margin, or transfer permissions.
The one rule that saves accounts
A trading bot does not need to move money off the exchange — only to buy and sell. If you leave withdrawal disabled on the key, then even a fully compromised key cannot drain your funds; an attacker can only trade, not steal. This single setting is the most important protection you have. Countless account drains happen because a key with withdrawal rights leaked. Disable withdrawals on every bot key, without exception.
Storing and handling keys safely
- IP whitelist — restrict the key to the IP address of the server running your bot, so it's useless from anywhere else.
- Never hard-code keys — keep them out of source code and out of any repository. Use environment variables or a secrets manager.
- Never paste keys into third-party sites — a "bot service" that asks for withdrawal-enabled keys is a red flag; treat unknown platforms as untrusted.
- Rotate and revoke — if a key may have leaked, revoke it immediately and generate a new one.
Read how to secure a trading bot for the full operational picture, and avoid the scams that phish for your keys.
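As an added illustration (not code from this guide), here is a pre-flight check a bot could run before it places its first order: it loads the key and secret from environment variables and audits a key-permission descriptor against the rules above. The descriptor shape (`permissions`, `withdraw_enabled`, `ip_whitelist`) is an assumed, exchange-neutral format; map your exchange's own key-info response into it.

```python
import os
from dataclasses import dataclass

# Permissions a spot-trading bot legitimately needs; anything else is a finding.
ALLOWED = {"read", "trade"}


@dataclass
class Finding:
    severity: str  # "critical" blocks start-up, "high" should be fixed
    message: str


def audit_key_permissions(desc: dict) -> list:
    """Check an API key descriptor against the least-privilege rules.

    `desc` is an assumed, exchange-neutral shape:
    {"permissions": [...], "withdraw_enabled": bool, "ip_whitelist": [...]}.
    """
    findings = []
    perms = set(desc.get("permissions", []))
    # Rule 1: a bot key must never be able to move funds off the exchange.
    if desc.get("withdraw_enabled") or "withdraw" in perms:
        findings.append(Finding("critical", "withdrawal is enabled on a bot key"))
    # Rule 2: only read and trade; futures, margin, transfer etc. are unneeded.
    for extra in sorted(perms - ALLOWED - {"withdraw"}):
        findings.append(Finding("high", f"unneeded permission granted: {extra}"))
    # Rule 3: the key should only work from the bot server's address.
    if not desc.get("ip_whitelist"):
        findings.append(Finding("high", "no IP whitelist: key usable from any address"))
    return findings


def load_credentials() -> tuple:
    """Read key and secret from the environment, never from source or a repo."""
    key = os.environ.get("EXCHANGE_API_KEY")  # assumed variable names
    secret = os.environ.get("EXCHANGE_API_SECRET")
    if not key or not secret:
        raise RuntimeError("EXCHANGE_API_KEY / EXCHANGE_API_SECRET are not set")
    return key, secret


def safe_to_start(desc: dict) -> bool:
    """Refuse to run the bot while any critical finding is present."""
    return not any(f.severity == "critical" for f in audit_key_permissions(desc))


# Constructed sample descriptors, not real exchange output.
OVER_PERMISSIONED = {"permissions": ["read", "trade", "withdraw", "margin"],
                     "withdraw_enabled": True, "ip_whitelist": []}
SCOPED = {"permissions": ["read", "trade"],
          "withdraw_enabled": False, "ip_whitelist": ["203.0.113.10"]}
```

Run the audit at start-up and log the high findings; treat a critical finding as a reason to stop and fix the key at the exchange before trading.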
Frequently asked questions
How do I keep my trading bot API keys safe?
Scope keys to only read and trade permissions, disable withdrawals, whitelist your server's IP, never hard-code keys in source code, and never paste them into untrusted third-party sites. Revoke any key you suspect has leaked.
Should a trading bot have withdrawal permission?
No, never. A bot only needs to buy and sell, not move funds off the exchange. With withdrawals disabled, even a fully compromised key cannot drain your account — an attacker can only trade. This is the single most important protection.
What is IP whitelisting for API keys?
It restricts an API key so it only works from specific IP addresses — typically the server running your bot. Even if the key leaks, it is useless to an attacker operating from any other location.
Where should I store API keys?
In environment variables or a dedicated secrets manager — never in source code, never committed to a repository, and never pasted into unknown websites. Treat them with the same care as account passwords.