Why API Security Matters
Every trading bot connects to your exchange through an API key. That key grants programmatic access to your account -- the ability to read balances, place orders, and potentially withdraw funds. If that key is compromised, an attacker can drain your account in seconds.
This isn't theoretical. In December 2022, 3Commas confirmed that API keys stored on their platform were leaked, resulting in millions of dollars in unauthorized trades across user accounts. In October 2023, a second incident occurred where accounts without two-factor authentication enabled experienced unauthorized trading activity. These breaches demonstrated that even major platforms are vulnerable.
Five Security Questions to Ask Before Connecting Any Bot
1. Where Does the Software Run?
Cloud-based bots (like 3Commas, CryptoHopper, Bitsgap) store your API key on their servers. If the platform is breached, your key is exposed. Self-hosted bots (like Gunbot or unCoded Bot) run on your own server or VPS -- the API key never leaves your infrastructure. This distinction is the single biggest security variable.
2. What API Permissions Are Required?
Every major exchange lets you configure granular permissions when creating an API key. A trading bot needs exactly two permissions: Read (to check balances and prices) and Trade (to place orders). It should never need Withdrawal permission. If a bot asks you to enable withdrawal access, that is a red flag. No legitimate trading bot requires the ability to move funds off the exchange.
3. How Is the API Key Stored?
Ask whether the platform encrypts API keys at rest. Industry standard is AES-256 encryption. Some platforms store keys in plaintext or with weak encryption -- the 3Commas breach made it clear what happens when key storage is inadequate. For self-hosted bots, you control the storage: encrypted config files, environment variables, or secrets managers.
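For the self-hosted case, the minimum a bot should do is refuse to read a secret from a file that other users on the VPS can read, and prefer an environment variable injected by the service manager or secrets tool. The following Python is an added example written for this article, not code from any bot or exchange mentioned above; the variable name `EXCHANGE_API_SECRET` and the file paths are assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional

# Assumed name for this example; pick whatever your service manager injects.
ENV_VAR = "EXCHANGE_API_SECRET"


def load_api_secret(env_var: str = ENV_VAR, secret_file: Optional[str] = None) -> str:
    """Return the API secret from the environment, or from a file that only
    its owner can read. A group- or world-readable file is refused, the same
    way OpenSSH refuses a private key with loose permissions."""
    value = os.environ.get(env_var)
    if value:
        return value.strip()
    if secret_file is None:
        raise RuntimeError(f"{env_var} is not set and no secret file was given")
    path = Path(secret_file)
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path} has mode {oct(mode)}; it must not be readable by "
            f"group or others (chmod 600)"
        )
    return path.read_text().strip()


def demo() -> dict:
    """Constructed demonstration: a 0600 file loads, a 0644 file is refused,
    and an environment variable wins over any file."""
    results = {}
    probe_var = "UNSET_VAR_FOR_DEMO"  # assumed to be absent from the environment
    os.environ.pop(probe_var, None)
    with tempfile.TemporaryDirectory() as tmp:
        strict = Path(tmp) / "secret_600"
        strict.write_text("constructed-secret-value\n")
        strict.chmod(0o600)
        results["strict"] = load_api_secret(probe_var, str(strict))

        loose = Path(tmp) / "secret_644"
        loose.write_text("constructed-secret-value\n")
        loose.chmod(0o644)
        try:
            load_api_secret(probe_var, str(loose))
            results["loose"] = "loaded"
        except PermissionError:
            results["loose"] = "refused"

        os.environ[probe_var] = "from-env"
        results["env"] = load_api_secret(probe_var, str(loose))
        del os.environ[probe_var]
    return results


if __name__ == "__main__":
    print(demo())
```

The permission check is deliberately strict rather than advisory: a bot that merely warns and continues trains the operator to ignore the warning, while a bot that refuses to start gets the file fixed once.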
4. Is IP Whitelisting Enabled?
Most exchanges, including Binance, allow you to restrict an API key to specific IP addresses. If your bot runs on a VPS with a static IP, whitelist that IP and nothing else. Even if the key is leaked, it becomes useless from any other IP address. This single setting would have prevented the majority of losses in the 3Commas breach.
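Questions 2 and 4 can be checked mechanically before a key is ever handed to a bot. The script below is an added example for this article, not code from any exchange's API or from any bot listed here; the `ApiKeyConfig` shape, the key labels and the IP addresses (from the documentation range 203.0.113.0/24) are constructed, and exchanges name permissions differently, so the permission strings are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Set

# The only two permissions a trading bot needs (question 2 above).
ALLOWED_PERMISSIONS = {"read", "trade"}


@dataclass
class ApiKeyConfig:
    """Assumed shape of a key as you would record it after creating it
    in the exchange UI; not any exchange's real data model."""
    label: str
    permissions: Set[str]
    ip_whitelist: List[str]   # empty list means the exchange imposes no restriction
    bots_using_key: List[str]


def audit_api_key(cfg: ApiKeyConfig) -> List[str]:
    """Return one finding per violated rule; an empty list means the key passes."""
    findings = []

    extra = {p.lower() for p in cfg.permissions} - ALLOWED_PERMISSIONS
    if extra:
        findings.append(
            f"{cfg.label}: excessive permissions {sorted(extra)}; "
            f"a trading bot needs read and trade only"
        )

    if not cfg.ip_whitelist:
        findings.append(f"{cfg.label}: no IP whitelist; a leaked key works from anywhere")
    else:
        for entry in cfg.ip_whitelist:
            try:
                addr = ip_address(entry)
            except ValueError:
                findings.append(f"{cfg.label}: whitelist entry {entry!r} is not an IP address")
                continue
            if addr.is_unspecified:
                findings.append(f"{cfg.label}: whitelist entry {entry} allows every address")

    if len(cfg.bots_using_key) > 1:
        findings.append(
            f"{cfg.label}: shared by {len(cfg.bots_using_key)} bots "
            f"({', '.join(cfg.bots_using_key)}); create one key per bot"
        )
    return findings


# Constructed sample keys: one configured as the article recommends, one not.
SAMPLE_KEYS = [
    ApiKeyConfig("grid-bot-vps", {"read", "trade"}, ["203.0.113.10"], ["grid-bot"]),
    ApiKeyConfig("legacy-key", {"read", "trade", "withdraw"}, [], ["dca-bot", "grid-bot"]),
]


if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        for finding in audit_api_key(key) or [f"{key.label}: OK"]:
            print(finding)
```

Run it against every key you have issued, not just the new one: the shared-key finding only surfaces when you record which bots use each label.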
5. What Happens When the Bot Stops?
When a bot shuts down -- planned or unplanned -- what happens to open orders? Some bots cancel all open orders on shutdown. Others leave them on the exchange. Know the behavior of your bot beforehand. Orphaned orders in a volatile market can result in unexpected fills and exposure you didn't plan for.
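A self-hosted bot can make the shutdown behaviour explicit rather than leaving it to chance. The following Python is an added example for this article, not code from any bot named above; `FakeExchangeClient` is a constructed stand-in whose `fetch_open_orders` and `cancel_order` methods are assumptions about what a real client exposes.

```python
import atexit
import signal
from typing import Dict, List


class FakeExchangeClient:
    """Constructed stand-in for an exchange client; real clients differ."""

    def __init__(self, open_orders: List[dict]):
        self._orders: Dict[str, dict] = {o["id"]: o for o in open_orders}
        self.cancelled: List[str] = []

    def fetch_open_orders(self) -> List[dict]:
        return list(self._orders.values())

    def cancel_order(self, order_id: str) -> None:
        self._orders.pop(order_id)
        self.cancelled.append(order_id)


def cancel_all_open_orders(client) -> List[str]:
    """Cancel every open order and return the ids that were cancelled.
    Idempotent: a second call after a clean sweep cancels nothing, so it is
    safe to run from both the signal handler and the atexit hook."""
    cancelled = []
    for order in client.fetch_open_orders():
        try:
            client.cancel_order(order["id"])
            cancelled.append(order["id"])
        except Exception as exc:  # one failed cancel must not orphan the rest
            print(f"failed to cancel {order['id']}: {exc}")
    return cancelled


def install_shutdown_hooks(client) -> None:
    """Run the cancel sweep on normal interpreter exit and on SIGINT/SIGTERM
    (what systemd and a Ctrl-C send). An unplanned kill -9 or a VPS crash
    cannot be caught, which is why the exchange-side checklist still matters."""
    atexit.register(cancel_all_open_orders, client)

    def _handler(signum, frame):
        cancel_all_open_orders(client)
        raise SystemExit(128 + signum)

    for sig in (signal.SIGINT, signal.SIGTERM):
        signal.signal(sig, _handler)


if __name__ == "__main__":
    demo_client = FakeExchangeClient([
        {"id": "o-1", "symbol": "BTC/USDT"},   # constructed orders
        {"id": "o-2", "symbol": "ETH/USDT"},
    ])
    install_shutdown_hooks(demo_client)
    print("open before:", [o["id"] for o in demo_client.fetch_open_orders()])
    # On exit the atexit hook sweeps o-1 and o-2.
```

The sweep cannot help with a power loss or a hard kill, so the decision still has to be made at the exchange: if you want no resting exposure when the bot is down, keep order lifetimes short or use an exchange-side cancel-on-disconnect feature where one exists.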
Custodial vs Non-Custodial Bots
This distinction is critical for understanding where your money actually sits.
Non-Custodial
Your funds stay on your exchange account. The bot connects via API and can only trade -- it cannot move your money. Most third-party bots (3Commas, CryptoHopper, Bitsgap, WunderTrading, Gunbot, unCoded Bot) operate this way. If the bot platform goes offline, your funds remain safe on the exchange.
Custodial
Your funds are held on the bot platform itself. Pionex is the most prominent example -- it's both an exchange and a bot platform, so your capital sits on Pionex. This introduces exchange risk: if the platform faces solvency issues, your funds are at risk. Convenience comes at the cost of counterparty exposure.
From a regulatory perspective, the EU's MiCA framework and Switzerland's FINMA treat non-custodial bots as software tools, not financial intermediaries. Custodial platforms face stricter regulatory requirements because they hold customer assets.
Common User Mistakes
- Granting excessive API permissions -- enabling withdrawal access "just in case" or because a setup guide didn't specify otherwise. Always start with the minimum: Read and Trade only.
- Skipping IP whitelisting -- many users leave the IP restriction field empty because their IP changes. Use a VPS with a static IP or update the whitelist when your IP changes. The inconvenience is worth it.
- Neglecting VPS security -- running a self-hosted bot on a VPS with default SSH passwords, no firewall, and no updates. Your bot is only as secure as the server it runs on. Use SSH key authentication, enable a firewall, and keep the OS updated.
- Using one API key for multiple bots -- if one platform is compromised, all bots using that key are affected. Create a separate API key for each bot or platform.
- Never checking API key logs -- exchanges provide logs of API key activity. Review them periodically for unexpected trades or access from unknown IPs.
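Reviewing the exchange's API activity export is easier when a script does the first pass and you read only the flagged rows. The following Python is an added example for this article, not a tool from any exchange or bot named here; the CSV column names, the log rows and the per-key policy are all constructed, since real exports use different formats.

```python
import csv
import io
from typing import Dict, List

# Constructed sample export in a generic CSV shape. Real exchange exports
# differ, so the column names are assumptions; adapt the reader accordingly.
SAMPLE_LOG = """\
timestamp,api_key_label,source_ip,action,detail
2024-05-01T09:00:01Z,grid-bot-vps,203.0.113.10,order_create,BTC/USDT buy 0.01
2024-05-01T09:05:12Z,grid-bot-vps,203.0.113.10,order_cancel,BTC/USDT
2024-05-01T11:42:07Z,grid-bot-vps,198.51.100.77,order_create,DOGE/USDT buy 250000
2024-05-01T11:43:30Z,grid-bot-vps,198.51.100.77,withdraw_attempt,USDT 5000 -> external
2024-05-01T12:00:00Z,grid-bot-vps,203.0.113.10,balance_read,
"""

# What each key is expected to do: the VPS it runs on and the markets it trades.
POLICY: Dict[str, dict] = {
    "grid-bot-vps": {
        "allowed_ips": {"203.0.113.10"},
        "allowed_symbols": {"BTC/USDT", "ETH/USDT"},
    },
}


def review_api_log(log_text: str, policy: Dict[str, dict]) -> List[Dict[str, str]]:
    """Return one finding per suspicious row, with all reasons joined."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        rules = policy.get(row["api_key_label"])
        if rules is None:
            findings.append({"timestamp": row["timestamp"], "reasons": "unknown key label"})
            continue
        reasons = []
        if row["source_ip"] not in rules["allowed_ips"]:
            reasons.append(f"unexpected source IP {row['source_ip']}")
        if row["action"].startswith("withdraw"):
            reasons.append("withdrawal activity on a trade-only key")
        if row["action"] == "order_create":
            symbol = row["detail"].split()[0] if row["detail"] else ""
            if symbol not in rules["allowed_symbols"]:
                reasons.append(f"trade on unexpected symbol {symbol}")
        if reasons:
            findings.append({"timestamp": row["timestamp"], "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in review_api_log(SAMPLE_LOG, POLICY):
        print(f["timestamp"], "-", f["reasons"])
```

Two of the five sample rows are flagged, both from an address outside the whitelist. With the whitelist actually configured on the exchange those requests would have been rejected rather than logged, which is the point of the earlier section; the log review is the layer that tells you the key has leaked so you can rotate it.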
The Security Checklist
Before connecting any trading bot to your exchange, verify each item:
- ✓ API key created without withdrawal permission -- Read and Trade only, no exceptions
- ✓ IP whitelist configured -- restricted to your VPS or home IP address
- ✓ 2FA enabled on exchange account -- hardware key (YubiKey) preferred over TOTP apps
- ✓ Separate sub-account for bot trading -- isolate bot activity from your main holdings
- ✓ Regular API key log review -- check for unexpected trades or access patterns monthly
- ✓ Bot platform security audit verified -- check if the platform publishes security audits, has a bug bounty program, or has had past incidents
The Bottom Line
API security isn't optional -- it's the foundation of safe automated trading. The 3Commas breaches proved that even popular platforms can fail to protect your keys. The only reliable protection is defense in depth: minimal permissions, IP restrictions, separate accounts, and regular monitoring.
Spend 15 minutes on this checklist before deploying any bot. It's the highest-ROI security investment you'll make.