Encrypt your API keys before sharing

Trader1
3 min read · Jun 8, 2020
Image by Gerd Altmann from Pixabay

API trading access offers many useful new features, but if it is set up incorrectly it can do more harm than good. Here at Trader1 we want to make sure that your API keys are as secure as possible.

First, let’s go through what you can do to make your API usage as safe as possible. Then, we will explain what we do in order to make it even more secure.

Limit your keys' permissions

Creating API keys on your crypto exchange is quite easy, and it opens the door to new features such as our DCA algo trading, but some things can go wrong. Luckily, most exchanges let us define permissions for the keys: for example, you can grant permission for withdrawal, trading, deposit, balance lookups, etc.

One permission we will never need is withdrawal, and you should not give it to anyone. If you create a key with this permission and share it with the wrong person, that person will be able to steal all your funds in a couple of seconds.

Let's have a look at the Binance API page and see how permissions are managed on their exchange:

Binance API Management

On Binance you can choose Read Only access, you can Enable Trading along with read permissions, and you can also Enable Withdrawals. In order to use our platform, you need to Enable Trading (since you will be using our services on autopilot; otherwise, you would have to do everything manually). As we mentioned before, you should never share an API key with withdrawal permission, because that is the easiest way to lose all your funds.

Additionally, we highly recommend restricting your API access to trusted IP addresses only (the last tickbox on Binance's API management page).

Restrict Your Keys to Only be Used From Trusted IP Addresses

When an API key leaks, it can be used by anyone who has it, unless you restrict the key to trusted IP addresses only. You can set this limit on most exchanges.

In our Binance example image above, we can see that we can Restrict API access to trusted IPs. This is where we add an IP address from our system. The IP address you need to add is in our Whitelist instructions.

This prevents the key from being used even if someone else gets their hands on your API secret key.

Encrypt your keys before sharing them

Encrypting the keys is the most important step in securing them, and we want to make this process as clear as possible. There are two ways to safely transfer the API keys into our system.

  1. When you create a new account for an exchange, you enter the keys and, before we save them, we encrypt them for you. This works every time and it is secure.
  2. If you want to be 110% in control and be even more secure, we recommend that you encrypt the keys yourself and send us the encrypted keys. It doesn't get any safer than this! You can find our public key for the encryption in our FAQ or follow our guide on GitHub.

You can also follow our quick video guide on how to do this on asciinema.org.

What do we do to make your funds more secure?

On our side, we have a clear separation between data that is available in the online system and data that is kept in the offline system. We make sure that all critical actions are performed on systems that are not reachable from the internet and are hidden from malicious attackers.

The encryption we are using is RSA with PKCS#1 Optimal Asymmetric Encryption Padding (OAEP) and SHA-512, and the keys are created with a true random hardware generator. More details in an upcoming post.
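The two passages above (encrypting the keys yourself before sending them, and the RSA-OAEP/SHA-512 scheme named here) can be exercised end to end with the openssl command line. The script below is an added example and is not Trader1's own tooling or the guide from their GitHub; it generates a throwaway recipient key pair in place of the real public key from the FAQ, and the API key it encrypts is a constructed sample. It also shows the one practical caveat of this scheme: RSA-OAEP can only wrap a short message (for SHA-512 and a 2048-bit modulus, 126 bytes), so an exchange's API key and secret should be encrypted as two separate ciphertexts rather than concatenated.

```shell
#!/bin/sh
# Added example (not Trader1's code): wrap an exchange API key for a recipient
# with RSA-OAEP (SHA-512 digest and MGF1) using the openssl CLI.
# All file names and the sample key below are constructed for this demo.
set -eu

# Largest plaintext RSA-OAEP can carry: modulus_bytes - 2*hash_len - 2.
# SHA-512 has a 64-byte digest, so a 2048-bit key allows 256 - 128 - 2 = 126 bytes.
oaep_max_plaintext_bytes() {
    pub="$1"
    bits=$(openssl pkey -pubin -in "$pub" -text -noout \
           | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    echo $(( bits / 8 - 2 * 64 - 2 ))
}

# Encrypt one secret file for the holder of $pub; writes raw ciphertext to $out
# and prints it base64-encoded (the form you would paste into a web form).
# Refuses oversized input up front instead of letting openssl fail mid-way.
encrypt_for_recipient() {
    pub="$1"; plain="$2"; out="$3"
    size=$(wc -c < "$plain" | tr -d ' ')
    max=$(oaep_max_plaintext_bytes "$pub")
    if [ "$size" -gt "$max" ]; then
        echo "refusing: $size bytes exceeds the OAEP limit of $max bytes;" \
             "encrypt the API key and the API secret as separate messages" >&2
        return 1
    fi
    openssl pkeyutl -encrypt -pubin -inkey "$pub" -in "$plain" -out "$out" \
        -pkeyopt rsa_padding_mode:oaep \
        -pkeyopt rsa_oaep_md:sha512 -pkeyopt rsa_mgf1_md:sha512
    openssl base64 -A -in "$out"
}

# The recipient's side: same padding parameters, private key instead of public.
decrypt_with_private() {
    priv="$1"; enc="$2"; out="$3"
    openssl pkeyutl -decrypt -inkey "$priv" -in "$enc" -out "$out" \
        -pkeyopt rsa_padding_mode:oaep \
        -pkeyopt rsa_oaep_md:sha512 -pkeyopt rsa_mgf1_md:sha512
}

# Demo driver: throwaway key pair standing in for the recipient's real one,
# then a round trip of a constructed API key. Returns 0 when plaintexts match.
demo_roundtrip() {
    d=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/priv.pem" 2>/dev/null
    openssl pkey -in "$d/priv.pem" -pubout -out "$d/pub.pem"
    printf '%s' "CONSTRUCTED_SAMPLE_API_KEY_0123456789abcdef" > "$d/api_key.txt"
    encrypt_for_recipient "$d/pub.pem" "$d/api_key.txt" "$d/api_key.enc" \
        > "$d/api_key.b64"
    decrypt_with_private "$d/priv.pem" "$d/api_key.enc" "$d/api_key.dec"
    if cmp -s "$d/api_key.txt" "$d/api_key.dec"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

demo_roundtrip && echo "round-trip ok"
```

In real use you would skip the key generation, point `encrypt_for_recipient` at the public key file published in the FAQ, and send only the base64 output; the private half never leaves the recipient, which is exactly why an intercepted ciphertext is useless to anyone else.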

New Currency Pairs

We are happy to announce the addition of Tezos (XTZ) on Kraken. Let us know if you want to trade XTZ somewhere else too.

╔═════════╗
║ Kraken  ║
╠═════════╣
║ XTZ/USD ║
║ XTZ/EUR ║
║ XTZ/ETH ║
║ XTZ/BTC ║
╚═════════╝

Stay safe,
Steffen
