APIs are tools for advanced users to implement strategies / automation, but they are also the most common avenue for theft. This article provides security configurations. Download portal: Binance website, mobile Binance official app, or if you don't have the App on iOS, check out the iOS install guide.
1. API Key Permissions
| Permission | Default | Recommendation |
|---|---|---|
| Read-only | On | On |
| Spot / Margin Trading | Off | Open as needed |
| Futures Trading | Off | Open as needed |
| Universal Transfer | Off | Open as needed |
| Withdrawal | Off | **Never open** |
2. The Dangers of Withdrawal Permissions
Once the API withdrawal permission is enabled:
- Obtaining the key allows withdrawals without 2FA.
- There is no 24-hour delay.
- There are no whitelist restrictions (unless additionally configured).
Almost all large-scale API theft incidents occur because the withdrawal permission was enabled. Unless you have absolute confidence + a physically isolated server, never enable it.
3. IP Whitelisting
API keys can be bound to specific IPs:
- Your server's IP
- Your home gateway's public IP
Once bound, only requests coming from these IPs are accepted. Even if the key is leaked, attackers cannot use it from other IPs.
Setup
API Management → Edit key → IP Whitelist → Add IP (multiple allowed).
Limitations
Home network IPs occasionally change (dynamic). Commercial VPS using static IPs are more stable.
4. Key Storage
The secret visible after an API is created is only displayed once. Storage:
Recommended
- Password managers like 1Password / Bitwarden
- Encrypted notes
- Server .env files (permission 600)
Taboos
- Committing to GitHub / GitLab
- Emailing it to yourself
- Sending it to the team via Slack / WeChat
- Saving it as a screenshot in the cloud
- Writing it in code comments
5. Signals of an API Theft
Regularly check the API Management page:
- Are there keys you did not create?
- Have existing key permissions been changed (especially withdrawals)?
- Has the IP whitelist been changed?
- What is the latest call time?
Delete the key immediately upon noticing any anomaly.
6. Regular Rotation
Frequency
- High risk (quantitative trading): Once a month
- Normal strategies: Every quarter
- Read-only monitoring: Half a year
Process
- Create a new key
- Update the strategy code
- Test that the new key works
- Delete the old key
- Do not retain multiple keys for the same purpose for long periods
7. API Theft Emergency Response
If you discover a key anomaly:
Immediately
- Log in to binance.com → API Management
- Delete all keys (one-click delete all)
- Change your Binance password
- Reset 2FA (the attacker might have acquired it too)
Next
- Check trading history / withdrawal history
- Submit an "API Theft" ticket
- Run virus scans on all devices where the key was saved
- Troubleshoot the source of the leak (Public on GitHub? Colleague's computer?)
Long-term
- Enable all protections when regenerating a key (IP whitelist, limited permissions)
- Do not enable withdrawal permissions ever again
8. The Relationship Between APIs and 2FA
The API call itself does not require 2FA — this is the convenience of an API. However:
- Creating / deleting keys requires 2FA
- Modifying key permissions requires 2FA
- Modifying IP whitelists requires 2FA
So strong 2FA = API creation is protected = It is not easy for an attacker to directly create a malicious key.
9. Connecting APIs to Third-Party Platforms
Some copy-trading / arbitrage platforms ask you to provide an API key:
Evaluation
- Is the platform compliant?
- Does it require withdrawal permissions? (If yes → Reject)
- Does it lock the IP? (If no → Be vigilant)
Recommendation
- Only grant "Read-only + Trading" permissions
- Lock the IP to the platform's public IP
- Check the key status every other month
FAQ
Q1: How long until an API key expires? There is no automatic expiration. They must be manually deleted or rotated.
Q2: What happens to a running strategy after a key is deleted? It will instantly disconnect. Other requests will return an authentication error.
Q3: Can I set a maximum daily trading limit? The Binance API has an internal rate limit, but users cannot set a "daily limit" at the interface level. This needs to be implemented within your strategy code.
Q4: Why do I see some keys being used continuously that I don't remember creating? Delete them immediately and treat it as a theft.