Crypto Bot API Key Security: A Complete Safety Guide

By fomoed Team, April 11, 2026, 5 min read

When you connect a trading bot to your exchange, you're handing over access to your account via an API key. Done correctly, this is safe and routine. Done carelessly, it's an invitation for disaster. This guide covers everything you need to know about API key security for crypto trading bots.

What API Keys Can and Can't Do

An API key is a pair of strings — a public key (identifier) and a secret key (password) — that lets software interact with your exchange account programmatically. When you create an API key, you choose what permissions it has.

Most exchanges offer three permission levels:

  • Read-only: Can view balances, positions, and trade history
  • Trading: Can place and cancel orders, modify positions
  • Withdrawal: Can send funds off the exchange to external addresses

For trading bots, you need read + trading permissions. You never need withdrawal permissions. This is the single most important security principle.

The Golden Rule: Never Enable Withdrawals

If your API key cannot withdraw funds, the worst case scenario from a compromised key is unauthorized trades — which might lose money, but can't drain your account to an external wallet. The moment you enable withdrawal permissions, a leaked key becomes a tool for outright theft.

No legitimate trading bot will ever ask for withdrawal permissions. If one does, it's either poorly designed or malicious. Walk away.

IP Whitelisting: Your Best Defense

IP whitelisting restricts your API key to only work from specific IP addresses. Even if someone steals your key and secret, they can't use it unless they're connecting from your approved IP.

How to set it up:

  1. Find your bot platform's server IP (fomoed displays this in the exchange connection settings)
  2. In your exchange's API management, add that IP to the whitelist
  3. Enable the "restrict to whitelisted IPs only" option
  4. Test that your bot still connects successfully

For centralized exchanges like Binance, Bybit, and OKX, IP whitelisting is the strongest security measure available. On Binance specifically, API keys without IP restriction have reduced capabilities as a safety measure.

Permission Scoping: Minimum Necessary Access

Apply the principle of least privilege:

  • Spot trading bot: Enable spot trading only, not futures
  • Futures bot: Enable futures trading only, not spot
  • Read-only monitoring: If you just want to track portfolio, use read-only keys

Some exchanges let you restrict which trading pairs an API key can access. If yours does and you're only trading BTC/USDT, restrict the key to that pair.

Storing Keys Safely

Your API secret is shown once when created. After that, the exchange never displays it again. Here's how to handle it:

  • Never store keys in plain text files, screenshots, or emails
  • Never paste keys into chats, Discord servers, or support tickets
  • Never commit keys to git repositories (even private ones)
  • Use a password manager (Bitwarden, 1Password) for personal backups
  • If you must store them locally, use an encrypted vault

When entering keys into a bot platform, verify you're on the legitimate site (check the URL, check the certificate) and that the connection is HTTPS.
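The "never commit keys to git" rule above, as an added example (not fomoed's code): a pre-commit style scan that flags assignments whose name suggests an exchange key or secret and whose value is a long, high-entropy token, reporting only a masked form of the value. The variable-name patterns, the entropy threshold, and the sample config with its leaked-looking secret are constructed assumptions.

```python
"""Pre-commit style scan that stops exchange API credentials being committed.
Flags assignments whose name suggests an exchange key or secret and whose
value is a long, high-entropy token. Patterns and samples are assumptions.
"""
import math
import re
from collections import Counter

# Variable names commonly used for exchange credentials (assumption).
NAME_RE = re.compile(r"api[_-]?key|api[_-]?secret|secret[_-]?key|passphrase", re.I)
# `name = value`, `name: value` or `"name": "value"` with a 16+ char token.
ASSIGN_RE = re.compile(r"""^\s*["']?(?P<name>[A-Za-z_][\w.-]*)["']?\s*[:=]\s*["']?"""
                       r"""(?P<value>[A-Za-z0-9+/=_-]{16,})""")
PLACEHOLDERS = {"changeme", "your_api_key_here", "your_api_secret_here"}

def shannon_entropy(s: str) -> float:
    """Bits per character: random 32-char keys score near 5, words near 3."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def mask(value: str) -> str:
    """Report only the ends of a value so the scan output never leaks it."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "****"

def scan_text(path: str, text: str, min_entropy: float = 3.5) -> list:
    """Return (path, line number, variable name, masked value) per finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        # env-var references like "${X}" never match the token class, so they are skipped
        if not m or not NAME_RE.search(m["name"]):
            continue
        value = m["value"]
        if value.lower() in PLACEHOLDERS or shannon_entropy(value) < min_entropy:
            continue
        findings.append((path, lineno, m["name"], mask(value)))
    return findings

def scan_files(files: dict) -> list:
    """files maps path -> content, e.g. the staged files of a commit."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample config: one env-var reference, one leaked-looking secret.
SAMPLE_CONFIG = """\
exchange = "binance"
api_key = "${BINANCE_API_KEY}"
api_secret = "kQ7mZp2Xv9LrT4wB8nHc3JyF6sD1aGeU"
passphrase = "your_api_key_here"
"""
```

Wired into a git pre-commit hook over the staged files, a non-empty result from scan_files should abort the commit.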

What to Do If a Key Is Compromised

If you suspect your API key has been leaked or compromised:

  1. Immediately log into your exchange and delete the API key
  2. Check your recent trade history for unauthorized activity
  3. Check your withdrawal history (even if withdrawals weren't enabled, verify)
  4. Create a new API key with fresh credentials
  5. Investigate how the leak occurred — malware? Phishing? Shared screen?
  6. Enable 2FA on your exchange account if not already active

Deleting the key takes effect immediately, and there is nothing the attacker can do to bring it back. Don't hesitate: delete first, investigate after.

How fomoed Handles Your Keys

Transparency about security practices matters. Here's how fomoed protects your API credentials:

  • Encrypted storage: Keys are encrypted at rest using AES-256 encryption. They're never stored in plain text.
  • No withdrawal access: The platform will never request or accept keys with withdrawal permissions enabled.
  • Server-side only: Your API keys are only used server-side for trade execution. They're never sent to the frontend or exposed in browser traffic.
  • Minimal retention: If you disconnect an exchange, your keys are deleted from our systems.

For our Hyperliquid integration, we use a different approach entirely — wallet-based authentication with agent wallets that have limited permissions, which eliminates API keys altogether.

DEX Wallet-Based Auth: The Alternative

Decentralized exchanges like Hyperliquid don't use API keys. Instead, you connect your wallet and approve an agent wallet — a sub-key with trading-only permissions that can't transfer funds out of the exchange.

This has security advantages:

  • No secret to leak (agent approval is on-chain)
  • Permissions are enforced by smart contracts, not exchange policies
  • You can revoke agent access on-chain at any time
  • No IP whitelisting needed (permissions are cryptographically enforced)

The tradeoff is that wallet security becomes critical — if your wallet's private key is compromised, the attacker has full control. Use hardware wallets for significant funds.

Security Checklist for Bot Traders

Before connecting any bot to any exchange, verify these items:

  • Withdrawal permissions disabled on API key
  • IP whitelist configured (for CEX)
  • 2FA enabled on exchange account
  • API key permissions match bot's needs (no more, no less)
  • Bot platform uses HTTPS and encrypted key storage
  • You have a backup of the key in a password manager
  • You know how to quickly delete the key if needed
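The checklist above, together with the permission-scoping rules earlier, as a pre-connection policy check (added example, not fomoed's code): it refuses a key that can withdraw or whose whitelist does not contain the bot's server, and warns about unneeded scope or a missing IP restriction. The key_info field names and the two sample keys are assumptions made for this example.

```python
"""Policy gate for a CEX API key before a bot is allowed to use it.
Rules: no withdrawal, an IP whitelist containing the bot's server, trading
scope limited to the bot's market. Field names are assumptions for this example.
"""
REJECT, WARN = "reject", "warn"  # reject: refuse the key; warn: accept but tighten
# Trading permission each bot type needs (None = read-only monitoring).
NEEDED = {"spot": "spot_trade", "futures": "futures_trade", "readonly": None}

def check_key_policy(key_info: dict, bot_type: str, bot_server_ip: str) -> list:
    """Return (severity, message) findings; an empty list means the key passes."""
    if bot_type not in NEEDED:
        raise ValueError(f"unknown bot type: {bot_type}")
    perms = key_info.get("permissions", {})
    findings = []
    # Rule 1: a key that can withdraw turns a leak into outright theft.
    if perms.get("withdraw"):
        findings.append((REJECT, "withdrawal permission is enabled"))
    # Rule 2: least privilege, only the market this bot actually trades.
    for market in ("spot_trade", "futures_trade"):
        enabled = bool(perms.get(market))
        if market == NEEDED[bot_type] and not enabled:
            findings.append((REJECT, f"{market} is required for a {bot_type} bot"))
        elif market != NEEDED[bot_type] and enabled:
            findings.append((WARN, f"{market} is enabled but not needed"))
    # Rule 3: IP restriction on, and the whitelist contains the bot server.
    whitelist = key_info.get("ip_whitelist") or []
    if not key_info.get("ip_restricted") or not whitelist:
        findings.append((WARN, "key is not restricted to whitelisted IPs"))
    elif bot_server_ip not in whitelist:
        findings.append((REJECT, f"bot server {bot_server_ip} is not whitelisted"))
    # Rule 4: restrict trading pairs where the exchange supports it.
    if key_info.get("supports_symbol_whitelist") and not key_info.get("symbol_whitelist"):
        findings.append((WARN, "key is not restricted to the pairs the bot trades"))
    return findings

def key_is_acceptable(findings: list) -> bool:
    """Warnings are tolerated; any reject-level finding blocks the key."""
    return not any(severity == REJECT for severity, _ in findings)

# Constructed samples: a well-scoped BTC/USDT spot key and a dangerously open one.
GOOD_KEY = {"permissions": {"spot_trade": True, "futures_trade": False, "withdraw": False},
            "ip_restricted": True, "ip_whitelist": ["203.0.113.10"],
            "supports_symbol_whitelist": True, "symbol_whitelist": ["BTCUSDT"]}
BAD_KEY = {"permissions": {"spot_trade": True, "futures_trade": True, "withdraw": True},
           "ip_restricted": False, "ip_whitelist": [],
           "supports_symbol_whitelist": True, "symbol_whitelist": []}
```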

Start Trading Securely

Security doesn't have to be complicated. Disable withdrawals, enable IP whitelisting, and use a platform that handles keys responsibly. For a deeper walkthrough of getting started safely, check our beginner's guide to automated trading. With fomoed, you can set up your account for free and connect your exchange with confidence that your keys are handled with proper encryption and security practices.