How to Set Up Exchange API Keys Safely: Complete Security Guide

API keys are the bridge between your crypto exchange account and any trading bot — and securing them properly is critical, portfolio tracker, or automation tool you use. They grant programmatic access to your account, which means they are both incredibly useful and potentially dangerous. A misconfigured API key can expose your funds to theft. A properly configured one is safer than logging into your exchange in a browser.

This guide walks you through creating API keys on the three most popular crypto exchanges (Binance, Bybit, and OKX) with maximum security. By the end, you will understand exactly which permissions to enable, which to never enable, and how to protect your keys from compromise.

What Are API Keys?

API stands for Application Programming Interface. In the context of crypto exchanges, an API key is a pair of credentials:

• API Key (Public): A unique identifier, like a username. It tells the exchange which account is making the request.
• API Secret (Private): A cryptographic secret, like a password. It proves the request is authentic.

Some exchanges also provide a passphrase (OKX) as an additional layer of authentication.

When a trading bot places an order on your behalf, it signs the request with your API secret and sends the API key as identification. The exchange verifies the signature and executes the order.

Why API Keys Exist

API keys solve a fundamental problem: you want automation tools to trade on your behalf without giving them your exchange login credentials. Unlike your username and password, API keys can be:

• Permission-scoped: Limited to specific actions (read-only, trade, or withdraw)
• IP-restricted: Locked to specific IP addresses
• Revoked instantly: Deleted without changing your account password
• Multiple per account: Different keys for different tools, each with different permissions

This granularity is what makes API keys safe when configured correctly. For a deeper understanding of API key security models, read our guide on custodial vs non-custodial API key management.

Step-by-Step: Binance API Key Setup

Binance is the largest crypto exchange by volume. Here is how to create a secure API key.

Step 1: Enable Two-Factor Authentication

Before creating any API key, ensure your Binance account has 2FA enabled (Google Authenticator or hardware key). API key creation requires 2FA verification.

Step 2: Navigate to API Management

1. Log in to your Binance account
2. Click on your profile icon (top right)
3. Select "API Management" from the dropdown
4. You may be prompted to verify with 2FA

Step 3: Create a New Key

1. Click "Create API"
2. Select "System Generated" (not "Self-Generated" unless you need ED25519 keys)
3. Give your key a descriptive label (e.g., "Sentinel Bot - Trade Only")
4. Complete email verification, 2FA verification, and any additional security prompts

Step 4: Configure Permissions

This is the most critical step. Binance offers these permission options:

• Enable Reading: Allows viewing account balances, trade history, and market data. Enable this.
• Enable Spot & Margin Trading: Allows placing and canceling spot and margin orders. Enable this if your bot trades spot.
• Enable Futures: Allows futures trading. Enable only if your bot trades futures.
• Enable Withdrawals: Allows withdrawing funds from your account. NEVER ENABLE THIS. There is no legitimate reason for a trading bot to withdraw funds.
• Enable Internal Transfer: Allows transfers between sub-accounts. Disable this.
• Enable Vanilla Options: Allows options trading. Disable unless specifically needed.

Step 5: Restrict to IP Whitelist

1. Under "Restrict access to trusted IPs only," click "Restrict"
2. Add the IP address(es) of the machine running your trading bot
3. For Sentinel Bot, add the IP addresses listed in the connection setup page

Critical: Without IP restriction, anyone who obtains your API key can trade on your account from any IP address. With IP restriction, a leaked key is useless from unauthorized IPs.

Step 6: Save Your Credentials Securely

1. Copy the API Key and Secret Key immediately. The secret is shown only once.
2. Store them in a password manager (not a text file, not an email, not a screenshot)
3. Never share your API secret with anyone or paste it in public channels

Step-by-Step: Bybit API Key Setup

Bybit is a major derivatives exchange popular for perpetual futures trading.

Step 1: Enable 2FA

Ensure Google Authenticator or SMS 2FA is active on your Bybit account.

Step 2: Navigate to API

1. Log in to Bybit
2. Click your profile icon (top right)
3. Select "API" from the account menu
4. Click "Create New Key"

Step 3: Select API Key Type

1. Choose "System-generated API Keys"
2. Name your key descriptively (e.g., "Sentinel Trading Bot")
3. Select "API Transaction" for key usage

Step 4: Configure Permissions

Bybit uses a modular permission system:

• Read-Only: View account and market data. Enable this.
• Trade: Place and manage orders (Spot, Derivatives, Options). Enable for your trading pairs.
• Wallet: Transfer and sub-account management. Disable this.
• Exchange: Convert between currencies. Disable unless needed.
• NFT: NFT marketplace access. Disable this.

Within Trade permissions, you can further limit to specific contract types. Only enable exactly what your trading strategy requires.

Step 5: Set IP Restrictions

1. Toggle "Link to IP" to enabled
2. Enter the IP address(es) of your bot server
3. Bybit allows up to 20 whitelisted IPs

Step 6: Save Credentials

Bybit shows both API Key and Secret upon creation. Save both in your password manager immediately. The secret cannot be retrieved later.

Step-by-Step: OKX API Key Setup

OKX provides additional security with a mandatory passphrase on all API keys.

Step 1: Enable 2FA

Activate Google Authenticator and/or mobile authenticator on your OKX account.

Step 2: Navigate to API

1. Log in to OKX
2. Click your profile icon
3. Go to "API" under account settings
4. Click "Create API Key"

Step 3: Configure the Key

1. Enter a name for the key
2. Create a passphrase: This is unique to OKX. The passphrase is required alongside the API Key and Secret for all API requests. Choose a strong, unique passphrase.
3. Select permissions:

• Read: View account data. Enable.
• Trade: Place orders. Enable for your trading use case.
• Withdraw: Withdraw funds. NEVER enable this.

Step 4: IP Restriction

1. Add IP addresses to the whitelist
2. OKX strongly recommends IP whitelisting and warns about security risks of unrestricted keys

Step 5: Save Three Credentials

OKX API keys require three pieces of information:

1. API Key (the public identifier)
2. Secret Key (the signing secret)
3. Passphrase (the additional authentication factor)

Store all three in your password manager. You will need all three when connecting to Sentinel Bot or any other tool.

Permission Settings: The Golden Rules

Across all exchanges, follow these permission principles:

ALWAYS Enable

• Read/View access: Your bot needs to check balances, positions, and market data
• Trade access: Your bot needs to place and cancel orders (if you want automated trading)

NEVER Enable

• Withdrawal access: No trading bot should ever have withdrawal permissions. If your bot's server is compromised, an attacker with withdrawal-enabled keys can drain your entire exchange balance to their own wallet.

This single rule would have prevented most API key theft incidents in crypto history. The 2022 3Commas hack exploited keys that had withdrawal permissions enabled. Had those keys been trade-only, the attackers could not have stolen funds.

Enable Only If Needed

• Futures/derivatives access: Only if your strategy trades futures
• Margin access: Only if your strategy uses margin
• Transfer access: Almost never needed for trading bots

IP Whitelisting: Your Strongest Protection

IP whitelisting is the single most effective API key security measure available.

How It Works

When you whitelist an IP address, the exchange will reject any API request that does not originate from that IP. Even if your API key and secret are completely exposed, an attacker cannot use them from their own IP address.

When to Use It

• VPS/cloud server with static IP: Always whitelist the server's IP
• Home connection with static IP: Whitelist your home IP
• Dynamic IP (most home connections): This is trickier. Some exchanges allow CIDR ranges, but this reduces security. Consider using a VPS with a static IP for your bot.

Sentinel Bot and IP Whitelisting

Sentinel Bot uses a zero-knowledge signal-push architecture, which means your API keys never leave your local machine. The Sentinel server sends trading signals, and your local client executes them directly on the exchange. This means you whitelist your own IP (or your VPS IP), not Sentinel's servers. This is fundamentally more secure than platforms that require your keys on their servers.

Connecting API Keys to Sentinel Bot

Once you have created your API keys with the correct permissions and IP restrictions, connecting to Sentinel is straightforward:

1. Log in to your Sentinel Bot account
2. Navigate to the Bots section
3. Click "Add Exchange Connection"
4. Select your exchange (Binance, Bybit, or OKX)
5. Enter your API Key, Secret, and Passphrase (if OKX)
6. The keys are encrypted and stored locally on your machine, never on Sentinel's servers
7. Test the connection to verify read and trade access

Because Sentinel uses signal-push architecture, your keys remain encrypted on your device. Sentinel's server never sees, stores, or transmits your exchange credentials.

Frequently Asked Questions

What happens if my API key is leaked?

If your key has IP whitelisting enabled, the leaked key cannot be used from unauthorized IPs. If you suspect a leak, immediately delete the key from your exchange's API management page and create a new one. If the key had trade (but not withdrawal) permissions, an attacker could place trades but could not withdraw funds.

Should I use one API key for multiple bots?

No. Create a separate API key for each tool or bot. This way, if one key is compromised, you can revoke it without affecting your other tools. It also makes it easier to track which tool is responsible for which trades.

How often should I rotate my API keys?

Rotating API keys every 3-6 months is good security practice. Some exchanges allow you to set expiration dates on API keys. When you rotate, create the new key first, update your bot configuration, verify it works, then delete the old key.

Can someone steal my crypto with a trade-only API key?

Not directly. Without withdrawal permissions, an attacker cannot transfer your funds off the exchange. However, they could theoretically place bad trades to drain your account balance (buying at inflated prices from their own sell orders, known as a "wash trade attack"). IP whitelisting prevents this scenario entirely.

Secure your trading with the right API key configuration and zero-knowledge architecture. Get started with Sentinel Bot and keep your exchange credentials where they belong: on your own machine.

Disclaimer: This article is for educational purposes only and does not constitute financial advice. Exchange interfaces and API settings may change. Always verify current options on your exchange. Cryptocurrency trading involves significant risk of loss.