Trading bots have become widely popular in the cryptocurrency world and are used on most popular exchanges. A crypto bot is a piece of software that automatically trades on your exchange account using your API key. There are dozens of automated services to choose from, but they all require your API key in order to operate.
So what is an API key?
API stands for Application Program Interface. An API key is essentially like a password that allows your trading bot to use your account and place cryptocurrency orders. Most exchanges allow you to create an API key, but the method to obtain it differs from platform to platform.
You will also be creating a secret key, which you should never share with anyone, and configuring the permissions attached to your API key, such as trade permissions, view permissions, withdrawal, etc.
Why do bots require access to your API?
All trading bots will require your API key, but why? Can’t they simply use your PC interface and trade? Well, they could. However, the API not only gives them access to your account but also to the exchange in question.
This means the bot can interact much faster with the exchange. API keys will also have numerous settings that you can make use of. For instance, on Bitfinex you have two main options, ‘read’ and ‘write’ on features like withdrawals, margin trading, wallets, etc.
Is it safe to share your API key?
People are certainly concerned about API key security, and rightly so, especially considering the numerous key hacks recently. Exchanges let you configure a few different settings on an API key. For instance, disabling withdrawals is a must when using trading bots. This prevents any malicious attempt to steal your funds.
There are other ways to ensure your API keys are protected. Two-Factor Authentication is also a must, and it is something that most crypto exchanges already offer. An IP whitelist is an additional feature most exchanges also offer, and it’s a great way to secure your money since you can choose which IPs can have access to your account.
It’s definitely not recommended to share your API secret, ever. The API key should not be shared freely either: give it only to the trading bot, or use it only when you want to make use of it.
What if your API keys are stolen?
As mentioned above, API keys offer an option to disable withdrawals. That means that even if a hacker steals your key, he would still not be able to withdraw all your funds. So why are hackers after API keys then?
Well, there is another way to benefit from stealing the keys – market manipulation. Since hackers cannot withdraw funds, they need other ways to benefit and market manipulation is definitely the best one. They use your funds to pump a previously bought coin/token and profit from it on another exchange.
It’s recommended to use separate exchange accounts for your trading bots and fund them with small amounts of money in case your API keys are stolen. This way, even if they are stolen and the hacker or thief can create orders, he could only make you lose the money in that account.
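A monitoring check for the scenario described above, added here as an illustration and not taken from any exchange or bot: it scans a bot account's order history for a burst of buys that spends a large share of the balance on one market, or on a market the bot was never set up to trade. The record layout, the five-minute window and the 50% threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed order history for one bot account: (time, market, side, amount
# spent in quote currency). The layout is an assumption, not a real export.
ORDERS = [
    ("2024-06-01T09:00:05", "BTC/USDT", "buy", 120.0),
    ("2024-06-01T13:30:00", "ETH/USDT", "buy", 90.0),
    ("2024-06-02T03:10:00", "XYZ/USDT", "buy", 400.0),
    ("2024-06-02T03:10:40", "XYZ/USDT", "buy", 350.0),
    ("2024-06-02T03:11:15", "XYZ/USDT", "buy", 200.0),
]

def suspicious_buy_bursts(orders, balance, known_markets,
                          window=timedelta(minutes=5), max_share=0.5):
    """Return {market: [reasons]} for buys that look like account misuse."""
    buys = defaultdict(list)
    for ts, market, side, amount in orders:
        if side == "buy":
            buys[market].append((datetime.fromisoformat(ts), amount))
    alerts = {}
    for market, items in buys.items():
        items.sort()
        reasons = []
        if market not in known_markets:
            reasons.append("market not in bot configuration")
        # Sliding window: largest total spent on this market inside `window`.
        start, running, peak = 0, 0.0, 0.0
        for when, amount in items:
            running += amount
            while when - items[start][0] > window:
                running -= items[start][1]
                start += 1
            peak = max(peak, running)
        if peak > max_share * balance:
            reasons.append(f"{peak:.0f} spent within {window}")
        if reasons:
            alerts[market] = reasons
    return alerts

if __name__ == "__main__":
    # Bot is configured for BTC and ETH only; account holds 1500 USDT.
    print(suspicious_buy_bursts(ORDERS, 1500.0, {"BTC/USDT", "ETH/USDT"}))
```

An alert like this is a cue to revoke the key and review the account. It does not undo orders that have already filled, which is why the small, separate account still matters.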
How to keep your API key safe and avoid losses
Since pretty much all crypto trading bots make use of API keys, you will need to make sure you can store them safely. As mentioned above, using 2FA and a strong password is certainly required. You should also never share your API secret.
You can always delete your old API keys if you stop using your trading bot. This practice is recommended any time you no longer need an automated service, since creating another API key is really easy.
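The settings recommended so far (withdrawals disabled, an IP whitelist, unused keys deleted) can be checked mechanically. The audit below is an added example, not code from any exchange or bot. The record fields, the 30-day idle limit and the 256-address limit are assumptions.

```python
import ipaddress
from datetime import date

# Constructed sample: API key settings as copied from an exchange account page.
# Field names are assumptions, not a real exchange API.
SAMPLE_KEYS = [
    {"label": "bot-main", "permissions": {"read", "trade"},
     "ip_whitelist": ["203.0.113.10"], "last_used": date(2024, 5, 30)},
    {"label": "old-bot", "permissions": {"read", "trade", "withdraw"},
     "ip_whitelist": [], "last_used": date(2023, 11, 2)},
    {"label": "test", "permissions": {"read", "trade"},
     "ip_whitelist": ["0.0.0.0/0", "not-an-ip"], "last_used": date(2024, 5, 29)},
]

def whitelist_problems(entries, max_addresses=256):
    """Return reasons an IP whitelist gives little or no protection."""
    if not entries:
        return ["no IP whitelist: key usable from any address"]
    problems = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"whitelist entry {entry!r} is not a valid IP or CIDR")
            continue
        if net.num_addresses > max_addresses:
            problems.append(f"whitelist entry {entry} covers {net.num_addresses} addresses")
    return problems

def audit_key(key, today, stale_days=30):
    """List every way one key departs from the recommended settings."""
    findings = []
    if "withdraw" in key["permissions"]:
        findings.append("withdrawals enabled")
    findings.extend(whitelist_problems(key["ip_whitelist"]))
    idle = (today - key["last_used"]).days
    if idle > stale_days:
        findings.append(f"unused for {idle} days: delete the key")
    return findings

def audit_all(keys, today):
    return {k["label"]: audit_key(k, today) for k in keys}

if __name__ == "__main__":
    for label, findings in audit_all(SAMPLE_KEYS, date(2024, 6, 1)).items():
        print(label, "OK" if not findings else findings)
```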
What about the security of the trading bot itself? Reputation is crucial here, not only because of fraud but because of failures in the software as well. A poorly coded algorithm can make you lose a lot of money. Check reviews and opinions, and use only field-tested solutions if possible.
Reliability is also important. You could lose money if the bot stops working or goes offline, so it’s important to make sure the service you are using works reliably.
Cases of API keys being stolen
The Binance hack was certainly one of the biggest out there, with $40 million in Bitcoin stolen. Hackers were able to steal users’ API keys. However, this isn’t the only thing they stole: they also managed to get hold of users’ 2FA codes. Binance itself released a statement saying the hackers ‘executed well-orchestrated actions through multiple seemingly independent accounts at the most opportune time’ in order to bypass Binance security checks.
Keep in mind that the hackers used what is known as ‘phishing’, which means they were able to trick users into giving them sensitive information. Remember to never give your API secret to anyone, but also be extremely careful with your public API key, because anyone with access to your API can create orders in your account. Of course, this is prevented by also using 2FA and IP whitelisting.
Other solutions to strengthen API security
There seems to be another solution for crypto exchanges to improve trading security by using OAuth or something similar. OAuth is an open protocol that allows secure authorization in a simple and standard method from web, mobile, and desktop applications.
Exchanges would then require trading bot services to apply for access to their OAuth client and would only be able to make use of the exchange API key if access was granted by the exchange. This means the exchange itself can take a look at any third party services and pick only legitimate ones.
Exchanges could also simply create their own bot service which would mean 100% security.