Crypto Bot API Key Security: Best Practices for Automated Traders

Your API key is as powerful as your exchange password — securing it correctly is the most important operational security task for any bot trader.

When you connect a crypto trading bot to your exchange account via API, the bot operates with the permissions you grant it — including the ability to place and cancel orders, read your balance, and in the worst case, withdraw your funds. A compromised API key with full permissions is as dangerous as a compromised exchange account password. The consequences of an improperly secured API key range from unauthorized trading activity to complete loss of funds if withdrawal permissions were accidentally granted.

This guide covers the complete API key security framework for automated crypto traders — the minimum permission principle, IP restriction setup, local vs. cloud storage implications, key rotation best practices, and how DennTech's local-first architecture protects your credentials by design. Following these practices is mandatory for any serious bot trader regardless of platform.

The Minimum Permission Principle

The most important API security rule is to grant only the permissions your bot actually needs — nothing more:

  • Read: Allow. Your bot needs to read account balance, open orders, and trade history.
  • Trade / Spot Trade: Allow. Your bot needs to place and cancel orders.
  • Withdraw: NEVER allow. Your bot does not need withdrawal permissions. No legitimate trading bot requires withdrawal access. If a bot or service requests or requires withdrawal permissions, do not use it.
  • Futures / Margin: Only enable if your bot specifically uses futures or margin trading. Do not enable speculatively.
  • Transfer between sub-accounts: Only enable if specifically required. Do not enable by default.

This is the minimum permission principle: a compromised API key with only Read + Trade can place unauthorized trades — damaging and stressful, but recoverable. A compromised key with Withdraw permissions can empty your account — potentially not recoverable. The extra 10 seconds to uncheck "Withdraw" when creating an API key can save your entire account.

IP Restriction: The Second Most Important Control

Every major exchange supports IP address restrictions on API keys — you can specify which IP address(es) are allowed to use the key. A key with IP restrictions can only be used by requests originating from the whitelisted IPs, even if someone steals the key credentials.

How to implement:

  1. Identify your bot's outgoing IP address (your home IP, or your VPS IP from our VPS guide)
  2. When creating your API key, enter this IP in the IP restriction field
  3. If you run the bot from home and VPS, add both IPs
  4. If your IP changes dynamically (home ISP with DHCP), use your ISP's assigned range or update the restriction when your IP changes

IP restrictions significantly reduce the attack surface: a leaked key is useless to an attacker who cannot originate requests from your whitelisted IP.

Local vs. Cloud API Key Storage

How and where your API key is stored is a fundamental architectural security decision:

  • Local storage (DennTech): API keys are stored exclusively on your local machine (encrypted in the application's configuration). They never leave your device. An attacker would need direct access to your machine to steal them. This is the most secure model for API key storage.
  • Cloud storage (3Commas, Cryptohopper, Bitsgap, HaaS Cloud): Keys are stored on the platform's servers. Your keys' security depends entirely on the platform's security practices. If the platform's servers are compromised, your keys are potentially exposed. Cloud platforms have historically been targets of credential-related attacks.

This security difference is one of DennTech's core design advantages. For context, see our comparison guides: DennTech vs 3Commas, DennTech vs Cryptohopper, DennTech vs Bitsgap.
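The local-storage model above depends on the file holding the key being readable by your user only, whatever the application does on top of it. DennTech's own encrypted configuration format is not documented on this page, so the following is an added example (not DennTech's code) of the operating-system side of local key storage: it creates a plain JSON credential file with mode 0600 from the outset, refuses to load a file that group or other users could read or that has been swapped for a symlink, and redacts the key for logging. The file layout and the `api_key`/`api_secret` names are assumptions.

```python
"""Local credential file handling: owner-only permissions, checked on every load.

Added example, not DennTech's code. The JSON layout and field names are
assumptions; DennTech's real encrypted configuration format is not shown here.
"""
import json
import os
import stat
import tempfile
from pathlib import Path


class InsecureCredentialFile(Exception):
    """Raised when the credential file could be read by other users on the machine."""


def check_private_mode(path: Path) -> int:
    """Return the file's permission bits if only the owner can access it, else raise."""
    st = os.lstat(path)                      # lstat: do not follow a planted symlink
    if stat.S_ISLNK(st.st_mode):
        raise InsecureCredentialFile(f"{path} is a symlink; refusing to follow it")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other bit set
        raise InsecureCredentialFile(
            f"{path} has mode {oct(mode)}; run 'chmod 600 {path}' so only your user can read it"
        )
    return mode


def write_credentials(path: Path, api_key: str, api_secret: str) -> None:
    """Create the file owner-only from the first byte (no window where it is 0644)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"api_key": api_key, "api_secret": api_secret}, fh)


def load_credentials(path: Path) -> dict:
    """Load credentials only after the permission check passes."""
    check_private_mode(path)
    with open(path) as fh:
        creds = json.load(fh)
    for required in ("api_key", "api_secret"):
        if required not in creds:
            raise KeyError(f"credential file is missing '{required}'")
    return creds


def redact(api_key: str) -> str:
    """For log lines: keep only the last four characters of a key."""
    return "*" * max(len(api_key) - 4, 0) + api_key[-4:]


def demo() -> dict:
    """Round trip with constructed values; shows the loader rejecting a 0644 file."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "credentials.json"
        write_credentials(p, "constructed-key-ABCD1234", "constructed-secret")
        loaded = load_credentials(p)["api_key"]
        os.chmod(p, 0o644)                   # simulate a careless chmod after the fact
        try:
            load_credentials(p)
            rejected = False
        except InsecureCredentialFile:
            rejected = True
    return {"loaded_key": loaded, "rejected_world_readable": rejected}


if __name__ == "__main__":
    print(demo())
```

The permission check runs on every load rather than once at creation, because the common failure is not the initial write but a later `chmod`, backup restore, or copy to a shared directory that silently widens access; the loader fails closed instead of starting the bot with an exposed key.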

Creating Separate API Keys Per Bot and Use Case

Never use the same API key for multiple purposes or multiple bots:

  • Create one API key per bot instance (e.g., separate keys for DennTech on BTC strategy and DennTech on ETH strategy)
  • Never reuse an API key from one service in another
  • Label each key clearly in your exchange's key management panel (e.g., "DennTech-BTC-Strategy", "DennTech-VPS-July2026")

The benefit: if one key is compromised or a specific bot needs to be decommissioned, you revoke only that key without affecting other bots or access patterns.

API Key Rotation

Rotate (regenerate) your API keys periodically:

  • Routine rotation: Every 3–6 months as a preventive measure
  • Incident-triggered rotation: Immediately if you suspect a key has been exposed, if you notice unusual trading activity, or if the machine or service holding the key has been compromised
  • After service changes: If you stop using a cloud bot service, immediately revoke the keys you granted it even if the service claims to have deleted them

Rotation procedure: Create a new key → Update DennTech settings with the new key → Test connection → Revoke the old key.
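The rules in the four sections above (no Withdraw or sub-account Transfer permission, Futures/Margin only when actually used, an IP restriction on every key, one key per bot, rotation within six months) can be checked mechanically against a list of the keys you have issued. The following added example (not DennTech's or any exchange's code) audits such an inventory and reports every violation. The `ApiKey` record, the permission names and the sample keys are assumptions: exchanges label permissions differently, so a real audit would be fed from an export of the exchange's key panel mapped onto these names.

```python
"""Audit an inventory of exchange API keys against this guide's rules.

Added example, not DennTech's or any exchange's code. The ApiKey record and
the permission names are assumptions mapped from whatever an exchange's key
panel exports.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta

ROTATION_MAX_AGE = timedelta(days=180)   # upper bound of "every 3-6 months"
FORBIDDEN = {"withdraw", "transfer"}     # a trading bot never needs these
CONDITIONAL = {"futures", "margin"}      # only if the bot really trades them


@dataclass
class ApiKey:
    label: str
    exchange: str
    permissions: set[str]
    allowed_ips: list[str]      # empty list means "no IP restriction"
    created: date
    used_by: list[str]          # bot instances configured with this key
    uses_derivatives: bool = False


def audit_key(key: ApiKey, today: date) -> list[str]:
    """Return findings for one key; an empty list means the key is compliant."""
    f: list[str] = []
    for perm in sorted(key.permissions & FORBIDDEN):
        f.append(f"{key.label}: '{perm}' granted; revoke and re-create the key without it")
    if not key.uses_derivatives:
        for perm in sorted(key.permissions & CONDITIONAL):
            f.append(f"{key.label}: '{perm}' enabled but this bot does not trade derivatives")
    if not key.allowed_ips:
        f.append(f"{key.label}: no IP restriction; a leaked key would work from anywhere")
    for entry in key.allowed_ips:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            f.append(f"{key.label}: '{entry}' is not a valid IP address or range")
            continue
        if net.prefixlen == 0:   # 0.0.0.0/0 or ::/0 is no restriction at all
            f.append(f"{key.label}: '{entry}' allows every address; narrow it")
    if today - key.created > ROTATION_MAX_AGE:
        f.append(f"{key.label}: created {key.created}, older than {ROTATION_MAX_AGE.days} days; rotate")
    if len(key.used_by) > 1:
        f.append(f"{key.label}: shared by {', '.join(key.used_by)}; issue one key per bot")
    return f


def audit_inventory(keys: list[ApiKey], today: date) -> list[str]:
    """Findings for every key, in inventory order."""
    return [finding for k in keys for finding in audit_key(k, today)]


# Constructed sample inventory: no real keys; 203.0.113.0/24 is a documentation range.
TODAY = date(2026, 7, 1)
SAMPLE = [
    ApiKey("DennTech-BTC-Strategy", "kraken", {"read", "trade"},
           ["203.0.113.10"], date(2026, 6, 1), ["denntech-btc"]),
    ApiKey("old-shared-key", "kraken", {"read", "trade", "withdraw", "futures"},
           [], date(2025, 9, 1), ["denntech-btc", "denntech-eth"]),
    ApiKey("DennTech-VPS-July2026", "kucoin", {"read", "trade"},
           ["0.0.0.0/0", "not-an-ip"], date(2026, 6, 20), ["denntech-vps"]),
]

if __name__ == "__main__":
    for line in audit_inventory(SAMPLE, TODAY):
        print(line)
```

Run against the constructed inventory, the first key passes cleanly, the second produces five findings (withdraw, unused futures, no IP restriction, overdue rotation, shared between two bots) and the third two (a 0.0.0.0/0 allowlist, which is no restriction at all, and a malformed entry). Re-running the audit after each rotation or new key is a cheap way to catch the "Withdraw" box that was left checked.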

Exchange-Specific API Security Setup

Each exchange has slightly different API creation interfaces. See our exchange-specific guides for exact steps: Kraken, Coinbase Advanced, Bybit, OKX, Gate.io. All follow the same core principles: read-only + trade permissions only, IP restrictions, no withdraw access.

Securing the Machine Running Your Bot

Your API keys are only as secure as the machine storing them:

  • Use a strong, unique password for the machine (or VPS) running DennTech
  • Enable 2FA on your exchange account (separate from API key security)
  • Keep your operating system and DennTech updated
  • Use a reputable antivirus/anti-malware solution
  • Do not install unverified software on the machine running your bot
  • For VPS deployments, disable root password login and use SSH key authentication — see our VPS guide

Frequently Asked Questions

What should I do if I see unauthorized trades on my exchange account?
Immediately: (1) Log into your exchange and revoke ALL API keys. (2) Change your exchange account password. (3) Enable or change 2FA. (4) Contact your exchange's security team to report unauthorized activity. (5) Review all recent trades and withdrawals for damage assessment. Do NOT wait to investigate first — revoke keys immediately as step one to prevent further unauthorized activity.
Is it safe to enter my API key in DennTech?
Yes — DennTech stores your API keys locally on your machine in an encrypted configuration file. They are never transmitted to DennTech servers and never leave your device. The application uses them locally to communicate directly with your exchange's API. Review the full security architecture at DennTech docs for technical details.
Do I need different API keys for each exchange I use?
Yes — each exchange generates its own API keys independently. If you run DennTech on Kraken and KuCoin simultaneously, you create one API key on Kraken and one on KuCoin, and enter both in DennTech's exchange settings. Each key only works for the exchange that issued it. See the exchange-specific connection guides at Kraken and KuCoin. Get started at the pricing page or visit the FAQ for more questions.

For complete setup guidance, see our installation guide, the documentation, and contact us at support for any security questions.

Disclaimer: DennTech Trading Solutions is a software company, not a financial advisor. Nothing on this site constitutes financial advice, investment advice, or a recommendation to buy or sell any asset. Cryptocurrency trading involves substantial risk of loss and is not suitable for all investors. Always do your own research and consult a qualified financial professional before making any investment decisions. View full Liability Waiver →