Whether you are running trading bots, connecting TradingView alerts, or using third-party dashboards to track your portfolio, you cannot avoid configuring API keys on the Binance Official Website. Think of an API key as a cable connecting your account to an external script. You can monitor all recent API activity via the Official Binance App. iPhone users can follow the iOS Installation Guide to set up the client and revoke any suspicious API keys at any time.

Quick Take: The three golden rules of API security are Least Privilege (only enable "Read," keep withdrawals disabled), IP Whitelisting, and rotating keys every 90 days. If you follow these strictly, the risk of your account being drained drops to near zero.

How API Keys Get Drained

Fact: In 99% of real-world cases, funds are stolen not because of a Binance system vulnerability, but because the API key was leaked on the user side—stored in code repositories, written in plaintext config files, or compromised by malicious third-party panels.

Real-world Leak Scenarios

  1. Public GitHub Repositories: Pushing a config.json file containing your API key. Bots crawl GitHub and will find it within hours.
  2. Discord/Telegram Screenshots: Sharing a script screenshot without blurring the API key.
  3. Malicious Browser Extensions: Installing untrusted plugins that can sniff your input or monitor the "Secret" field.
  4. Exit Scams by Third-party Platforms: Giving your API key to a quant platform that eventually gets hacked or turns out to be a scam.
  5. Local Malware: Trojans on your computer reading your .env or configuration files.
  6. Keyloggers: Your API key being recorded while you type it into a suspicious dashboard.
  7. Public Wi-Fi Man-in-the-Middle: Transferring API keys over non-HTTPS connections on public Wi-Fi.
  8. Customer Support Phishing: Fake "support" agents tricking you into providing API details.

Once leaked, if "Enable Withdrawals" is turned on, the attacker will immediately withdraw all assets to their address. If "Enable Futures" is on, they might open 100x leverage counter-trades to wash your balance into their own account. If only "Spot Trading" is on, they could use your funds to buy illiquid coins at high prices to pump them for their own profit.

Step 1: Grant Only Necessary Permissions

Rule: Create a separate API key for every specific use case. Never create an "all-in-one" key.

Permission Categories

  • Read Only: Can query balances, orders, and history. Cannot trade or transfer.
  • Enable Spot & Margin Trading: Can place spot and margin orders.
  • Enable Futures: Can open and manage futures positions.
  • Enable Withdrawals: Can transfer funds to external addresses.
  • Enable Universal Transfer: Can move funds between different wallets within your own account.
  • Permits Universal Transfer to Whitelisted Wallets Only: Restricts withdrawals to addresses on your whitelist.

Minimum Required Permissions by Use Case

Use Case                                | Required Permissions                | Must Be Disabled
----------------------------------------|-------------------------------------|--------------------------------
Portfolio Monitoring / Balance Checking | Read Only                           | All others
Tax Software Calculation                | Read Only                           | All others
Spot Trading Bot                        | Read + Spot Trading                 | Withdrawals, Futures, Transfers
Futures Trading Bot                     | Read + Futures Trading              | Withdrawals, Spot, Transfers
Auto-withdrawal to Cold Wallet          | Read + Withdrawal (Manual is safer) | Not recommended for automation
TradingView Alert Execution             | Read + Spot Trading                 | Withdrawals, Futures

Never enable withdrawal permissions for any API key—unless you have a highly specialized business workflow and strictly lock it down with both IP and address whitelists. For most users, the best practice is: Keep API withdrawals off and handle all transfers manually.

Step 2: Bind to an IP Whitelist

Fact: An API key without an IP restriction is like a key left in a lock—anyone who finds it can use it from anywhere.

How to Get Your IP Address

  • Scripts on a Cloud Server: Log in to your server and run curl ifconfig.me to get your public IP.
  • Home PC / Raspberry Pi: Visit https://ip.sb or https://whatismyipaddress.com.
  • Static IP Service: Use the fixed IP provided by your ISP.
  • VPN Users: Use the exit IP of your VPN (note that this may change).

Binding IPs on Binance

  1. When creating or editing an API, check "Restrict access to trusted IPs only."
  2. Enter your IP addresses (up to 30 per key).
  3. Separate multiple IPs with spaces.
  4. Do not use 0.0.0.0/0—this effectively disables the restriction.
  5. Save the configuration.

What if Your IP is Dynamic?

Most home broadband IPs change every time you reboot or every few days. Here are three solutions:

  1. Rent a Cloud Server: (Alibaba Cloud, Tencent Cloud, or AWS entry-level at ~$5/month). Run your scripts there; cloud servers have static IPs.
  2. Cloud Functions with Static Egress: Use AWS Lambda or Cloudflare Workers paired with a NAT Gateway.
  3. Request a Static IP from your ISP: Some providers offer this as a paid add-on.

We strongly advise against "leaving it unrestricted because my IP changes." Doing so removes a critical layer of defense.

Step 3: Secure Storage of API Keys

Warning: The "Secret" of an API key is only shown once at creation. Once you close the page, it is gone forever. Where you store it determines the risk of leakage.

Recommended Storage Methods

  1. Environment Variables (Best Practice): Add your .env file to .gitignore and read it via process.env.BINANCE_API_KEY.
  2. Secrets Management Services: AWS Secrets Manager, Google Secret Manager, or HashiCorp Vault.
  3. Encrypted Local Storage: Use a password manager like 1Password or Bitwarden.
  4. Hardware Security Modules (HSM): Usually reserved for institutional-grade security.

Places You Should NEVER Store Keys

  • Hardcoded in source code that gets committed to Git.
  • Screenshots shared with "mentors" or online groups.
  • A plaintext file like ~/Downloads/binance-api.txt.
  • Sent via Email, WeChat, or Telegram to team members.
  • Written in cloud notes like Notion, Evernote, or OneNote.
  • Pasted into ChatGPT for code debugging.

Git Commit Checklist

Before every commit, run a check:

git diff --staged | grep -i "api\|secret\|key"

If you find a suspected key, unstage it immediately. If a key is accidentally pushed to GitHub, deleting the commit is not enough—it remains in the Git history. You must revoke that key on Binance immediately.
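
The check above can be automated as a pre-commit hook. This is an added example, not part of the original article: it assumes Binance API keys and secrets are 64-character alphanumeric strings (an assumption, marked in the code), and the pattern names are hypothetical placeholders you should tune to your own code base.

```python
# Added example: a pre-commit hook that scans the staged diff for
# Binance-style API credentials before the commit is recorded.
import re
import subprocess
import sys

# Hypothetical pattern names; extend them for your own code base.
PATTERNS = {
    # Assumption: a bare 64-char [A-Za-z0-9] token is a likely Binance key or secret.
    "binance-style 64-char token": re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9]{64}(?![A-Za-z0-9])"),
    # A credential-looking assignment with a quoted literal, e.g. API_SECRET = "..."
    "credential assignment": re.compile(
        r"(?i)(api[_-]?key|api[_-]?secret|secret[_-]?key)\s*[:=]\s*['\"][^'\"]{16,}['\"]"
    ),
}


def scan_staged_diff(diff_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, reason, line) for every ADDED line that looks like a secret.

    Only '+' lines are inspected, so removing a leaked key never trips the hook,
    and the '+++ b/file' header line is skipped.
    """
    findings = []
    for no, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        for reason, pattern in PATTERNS.items():
            if pattern.search(body):
                findings.append((no, reason, body.strip()))
                break  # one finding per line is enough to block the commit
    return findings


def main() -> int:
    diff = subprocess.run(["git", "diff", "--staged"], capture_output=True, text=True).stdout
    findings = scan_staged_diff(diff)
    for no, reason, _ in findings:
        # Report the reason and location only; never echo the matched secret.
        print(f"blocked: {reason} on staged diff line {no}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Save it as .git/hooks/pre-commit (executable); a non-zero exit aborts the commit. If the hook fires on a real key, revoke that key on Binance as well, since it has already left your editor.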

Step 4: Periodic Rotation of API Keys

Standard Practice: Even the most secure key should be rotated every 90 days.

Rotation Workflow

  1. Create a new API key (e.g., name it bot_v2_2026Q2).
  2. Configure the exact same permissions and IP whitelist.
  3. Replace the old key with the new one in your scripts/platform.
  4. Test that the new key is working correctly.
  5. Go back to Binance and "Delete" the old key.

Immediate Rotation Triggers

  • You receive a Binance alert: "Your API was called from [unknown IP] at [time]."
  • You change your cloud server provider or migrate servers.
  • A team member with access to the key leaves.
  • You stop using a third-party platform.
  • You upgrade your trading framework and no longer trust the old code.

Step 5: Monitor API Call Logs

Tip: The Binance API management page shows "Recent Activity." Reviewing this weekly can help catch anomalies early.

Metrics to Watch

  • Spikes in Call Frequency: Could indicate an attacker placing massive orders.
  • Unfamiliar IP Addresses: If you haven't changed servers, a new IP is a major red flag.
  • Increased Failure Rate: Someone might be brute-forcing permissions.
  • Large Orders Being Rejected: An attacker might be trying to place orders exceeding your balance.
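
The first three metrics above can be turned into a simple detector. This is an added example, not code from the article or from Binance: the page does not document the "Recent Activity" export format, so the record layout (minute, ip, ok) and every sample value are constructed for illustration.

```python
# Added example: flag unfamiliar IPs, call-frequency spikes and elevated
# failure rates over API activity records (record format and data constructed).
from collections import Counter, defaultdict

# Constructed sample: one record per API call, bucketed to the minute it was made.
SAMPLE_EVENTS = (
    [{"minute": 0, "ip": "203.0.113.10", "ok": True}] * 20
    + [{"minute": 1, "ip": "203.0.113.10", "ok": True}] * 22
    # minute 2: a burst from an IP that is not on the whitelist, mostly failing
    + [{"minute": 2, "ip": "198.51.100.77", "ok": False}] * 90
    + [{"minute": 2, "ip": "198.51.100.77", "ok": True}] * 10
)


def detect_anomalies(events, trusted_ips, baseline_per_min, spike_factor=3.0, max_fail_rate=0.2):
    """Return a list of (minute, metric, detail) findings.

    Metrics mirror the section above: unfamiliar IPs, call frequency well above
    the bot's normal per-minute rate, and a failure rate above the threshold.
    """
    findings = []
    per_minute = defaultdict(list)
    for ev in events:
        per_minute[ev["minute"]].append(ev)

    for minute in sorted(per_minute):
        evs = per_minute[minute]
        for ip, n in Counter(ev["ip"] for ev in evs).items():
            if ip not in trusted_ips:
                findings.append((minute, "unfamiliar_ip", f"{n} calls from {ip}"))
        if len(evs) > baseline_per_min * spike_factor:
            findings.append((minute, "call_spike", f"{len(evs)} calls vs baseline {baseline_per_min}"))
        fail_rate = sum(not ev["ok"] for ev in evs) / len(evs)
        if fail_rate > max_fail_rate:
            findings.append((minute, "failure_rate", f"{fail_rate:.0%} of calls failed"))
    return findings


def metrics_triggered(events, trusted_ips, baseline_per_min):
    """Set of metric names that fired; any non-empty set warrants the Emergency Actions."""
    return {metric for _, metric, _ in detect_anomalies(events, trusted_ips, baseline_per_min)}


if __name__ == "__main__":
    for minute, metric, detail in detect_anomalies(SAMPLE_EVENTS, {"203.0.113.10"}, baseline_per_min=20):
        print(f"minute {minute}: {metric}: {detail}")
```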

Emergency Actions

  • Revoke suspicious API keys immediately.
  • Check if other account settings have been tampered with.
  • Open a support ticket with Binance.
  • Inspect all other active API keys for similar issues.

API Security Configurations by Scenario

Scenario                 | Permission Combo                    | IP Restriction                  | Rotation Cycle | Risk Level
-------------------------|-------------------------------------|---------------------------------|----------------|-----------
Personal Spot Trading    | Read + Spot                         | Mandatory                       | 90 Days        | Medium
Personal Futures Trading | Read + Futures                      | Mandatory                       | 60 Days        | High
Market Data Aggregator   | Read Only                           | Recommended                     | 180 Days       | Low
Tax Software             | Read Only                           | Recommended                     | 365 Days       | Low
Institutional Operations | Read + Spot + Sub-account isolation | Mandatory                       | 30 Days        | High
Automated Bridge         | Auto-Withdrawal (Not Recommended)   | Mandatory + Whitelisted Address | 30 Days        | Critical

FAQ

Q: If my API key is leaked, can Binance freeze it for me? A: Yes, but it takes time. The fastest way is to go to the API Management page and "Delete" the key yourself. This is instantaneous. You should also open a support ticket for a security audit, as Binance can track API activity in detail.

Q: How are API rate limits calculated? A: Binance limits calls based on "weight" (6,000 weight per minute) and "order count" (50 orders per 10 seconds, 160,000 orders per day). Standard trading bots rarely hit these limits, but high-frequency strategies might. Exceeding a limit returns a 429 or 418 error; exceeding it significantly may result in a temporary IP ban.

Q: Are API keys for Testnet and Production interchangeable? A: No. Binance provides a Testnet (testnet.binance.vision) for development using test funds with no real value. Testnet keys only work on the Testnet, and Production keys only work on the main site. Always test new strategies on the Testnet first.

Q: What is an HMAC signature, and what happens if I don't sign requests? A: Private endpoints (account info, trading, withdrawals) require you to sign request parameters with your API Secret using HMAC-SHA256. This prevents tampering and replay attacks. Most official SDKs (like python-binance) handle this automatically. Unsigned requests will be rejected with a 401 error.
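
The signing step described in this answer, as an added example that is not part of the article or of python-binance. What it relies on is real Binance behaviour: the signature is HMAC-SHA256 over the query string, hex-encoded, sent as the signature parameter, with the API key in the X-MBX-APIKEY header; the secret, timestamps and the simplified server-side recvWindow check are constructed for illustration.

```python
# Added example: sign a Binance-style request and show, from the server's side,
# why a tampered or stale request fails. Secret and timestamps are constructed.
import hmac
import hashlib
from urllib.parse import urlencode, parse_qsl

CONSTRUCTED_SECRET = "example-secret-not-a-real-binance-secret"


def sign_query(params: dict, secret: str) -> str:
    """Return the query string with `signature` appended; parameter order is preserved."""
    query = urlencode(params)
    sig = hmac.new(secret.encode(), query.encode(), hashlib.sha256).hexdigest()
    return f"{query}&signature={sig}"


def verify_signed_query(signed_query: str, secret: str, now_ms: int) -> bool:
    """Server-side view: recompute the HMAC, then enforce the recvWindow.

    Splitting on the final '&signature=' recovers exactly the bytes that were
    signed. The HMAC check blocks tampering; the timestamp window (simplified
    here relative to Binance's exact rule) is what blocks replay of a valid request.
    """
    query, sep, sig = signed_query.rpartition("&signature=")
    if not sep:
        return False
    expected = hmac.new(secret.encode(), query.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False
    fields = dict(parse_qsl(query))
    timestamp = int(fields.get("timestamp", 0))
    recv_window = int(fields.get("recvWindow", 5000))  # Binance default is 5000 ms
    return timestamp <= now_ms < timestamp + recv_window


def build_account_request(api_key: str, secret: str, timestamp_ms: int) -> dict:
    """Assemble GET /api/v3/account: key in the header, signed params in the URL."""
    params = {"recvWindow": 5000, "timestamp": timestamp_ms}
    return {
        "url": "https://api.binance.com/api/v3/account?" + sign_query(params, secret),
        "headers": {"X-MBX-APIKEY": api_key},
    }


if __name__ == "__main__":
    print(sign_query({"symbol": "BTCUSDT", "timestamp": 1_700_000_000_000}, CONSTRUCTED_SECRET))
```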

Q: Should API calls use HTTP or HTTPS? A: Always HTTPS. Binance enforces HTTPS (TLS 1.2+) for REST APIs and WSS for WebSockets. Plain HTTP calls are rejected. This ensures your API keys are not intercepted by man-in-the-middle attacks.

Q: Can I create API keys on the mobile app? A: You can view and delete them, but creation must be done on the web. This is a deliberate security measure by Binance—creating a key requires multiple steps (2FA, email verification, IP config) that are safer on a private PC where they are less prone to shoulder surfing or accidental screen captures.

Q: A third-party platform (like a quant site) is asking for my API key. Should I give it? A: Only if it's a reputable, well-known platform (e.g., Coinglass, TradingView) and only for "Read Only" access. Never give any platform withdrawal permissions. Research the platform's history, user base, and any past security incidents before proceeding. Monitor your logs regularly after connecting.