API Key Security

Protecting your API keys is critical. A compromised key could allow unauthorized trading on your account.

IP Allowlist

Restrict your API key to only accept requests from specific IP addresses:

• Add up to 20 IP addresses (supports both IPv4 and IPv6)
• Requests from non-listed IPs are rejected
• If the allowlist is empty, the key accepts requests from any IP

Strongly Recommended

Always set an IP allowlist, especially for keys with Trade permission. This is the most effective way to prevent unauthorized use of a compromised key.

Best Practices

1. Use IP allowlists — Always restrict keys to known server IPs
2. Minimize permissions — Only enable Trade if your bot needs to place orders
3. One key per bot — Create separate keys for different bots/services
4. Rotate keys regularly — Delete old keys and create new ones periodically
5. Never share keys — Treat your secret key like a password
6. Monitor activity — Check your trading history for unexpected activity
7. Delete unused keys — Remove keys you no longer need
8. 2FA enabled — Always keep 2FA active on your account