Every year, traders lose funds not to bad trades but to mishandled API keys — over-permissioned, unrestricted keys that leak and get exploited. The good news: API-key security is almost entirely about a few settings you choose at creation. Here's how to get them right on any exchange.
The golden rule: least privilege
Create every key with the minimum permissions its job needs, and nothing more:
- Portfolio tracker, tax tool, or trade journal → read-only. It can see balances and history but cannot place orders or move funds. This is the safest key type; a leak costs you nothing.
- Trading bot → read + trade, never withdrawals. A trade-enabled key can still cause losses through malicious orders, so only use bots you trust.
- Withdrawals → basically never. Almost no third-party app has a legitimate reason to withdraw. A withdrawal-enabled key that leaks drains you outright.
Always IP-whitelist
Binding a key to specific IP addresses makes it useless to an attacker even if it leaks — requests from any other IP are rejected. On Binance and Bybit, unrestricted keys also have reduced permissions or expiry, so whitelisting is both safer and more functional. If your bot runs on a server, whitelist that server's static IP.
One key per app, and rotate
- Never reuse a key across services — if one leaks, you revoke it without breaking everything else.
- Delete keys you no longer use. Audit your API list every few months.
- Store the secret in a password manager. The secret is shown once at creation; if you lose it, delete and recreate.
Exchange-specific notes
- [Binance](/go/binance): requires 2FA to create keys; use "Enable Reading" only for trackers, add IP restrictions, keep withdrawals off. Full walkthrough: How to Create a Binance API Key.
- [Bybit](/go/bybit): choose System-generated, set read-only or scoped trade permissions, and whitelist IPs (keys without an IP expire after 90 days). See How to Create a Bybit API Key.
- [Hyperliquid](/go/hyperliquid): uses API wallets (agent wallets) that can trade but can never withdraw — a safer model by design. Details: How to Set Up Hyperliquid API Access.
How traders actually get drained
Not usually by "hacking" the exchange — by leaking the key themselves: committing it to a public GitHub repo, pasting it into a malicious "trading tool," or falling for a phishing site that harvests keys. Defenses: never share the secret, never paste it into unknown software, revoke on any suspicion, and prefer read-only wherever possible.
Get these settings right once and API keys become a convenience, not a liability. Then put them to work — model what your trading actually costs with our fee calculator and compare venues on the exchange comparison.