Trading Bot API Keys: How to Connect a Bot to Your Exchange Safely

API keys let a bot trade for you without ever holding your funds — if you set them up right. Here's exactly which permissions to enable, which to never touch, and how to lock them down.

Ezath Team
A trading bot needs to place orders on your exchange — but it should never be able to touch your money. The mechanism that makes that possible is the API key, and the difference between a safe setup and a drained account comes down to a few permission toggles most people never read. Here's exactly how to connect a bot to your exchange safely.

What an API key actually is

An API key is a credential that lets one app act on your exchange account on your behalf — programmatically, without your password. It comes as a pair: a key (a public-ish identifier) and a secret (the password-equivalent — guard it). You decide what a key is allowed to do via its permissions.

The crucial idea: a bot connected by API never holds your funds. Your money stays in your own exchange account. The bot can only do what the key's permissions allow — and you control those.

The only permissions a trading bot needs

Most exchanges offer three permission classes on an API key:

| Permission | Enable for a bot? | Why |
|---|---|---|
| Read / view | Yes | So the bot can see balances, positions and prices |
| Spot / Futures trade | Yes | So the bot can open and close trades |
| Withdraw | NEVER | A bot never needs to move money OUT of your account |

The single rule that keeps you safe: never enable withdrawal permission. A trade-only key cannot send your funds anywhere. Even in the worst case — the bot is buggy, the service is hacked, the key leaks — an attacker can only trade your account, not empty it.

Extra hardening (do these too)

  • IP-whitelist the key. Restrict it to the bot's server IP so a stolen key is useless from anywhere else.
  • Store the secret once. Exchanges show the secret only at creation. Save it securely; if you lose it, delete the key and make a new one.
  • Use a sub-account if available. Isolate the bot's trading from your main holdings.
  • Disable the key when you stop using the bot. No active key, no risk.

How to create trade-only API keys (general steps)

The wording differs slightly per exchange (Binance, Bybit, OKX, Gate), but the flow is the same:

  1. Go to API Management in your account settings.
  2. Create a new API key and label it (e.g. "ezath-bot").
  3. Enable "Read" and "Futures/Spot Trading." Leave "Enable Withdrawals" OFF.
  4. Add an IP restriction to the bot's IP if you have one.
  5. Copy the key and secret, paste them into your bot or auto-trader, and store the secret safely.
  6. Connect, start small, and confirm the first trades behave as expected.
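
A pre-flight check for steps 3, 4 and 6, as an added example (not Ezath's or any exchange's code): it audits a key's settings against the rules above and fails closed when a field is missing. The `perms` dictionary layout and the name `audit_api_key` are assumptions, since each exchange reports these settings under its own field names; the sample keys and addresses are constructed.

```python
import ipaddress

# Hypothetical normalized view of a key's settings. Each exchange uses
# its own field names; mapping them into this shape is assumed.
REQUIRED_ON = ("read", "trade")
MUST_BE_OFF = ("withdraw",)


def audit_api_key(perms, bot_ip):
    """Return a list of findings; an empty list means the key is trade-only
    and IP-restricted. A missing or non-boolean field counts as unsafe."""
    findings = []
    for name in REQUIRED_ON:
        if perms.get(name) is not True:
            findings.append(f"{name}: must be enabled for the bot to work")
    for name in MUST_BE_OFF:
        if perms.get(name) is not False:
            findings.append(f"{name}: must be explicitly disabled")
    allowlist = perms.get("ip_allowlist") or []
    if not allowlist:
        findings.append("ip_allowlist: key is usable from any address")
        return findings
    bot = ipaddress.ip_address(bot_ip)
    covered = False
    for entry in allowlist:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"ip_allowlist: unparseable entry {entry!r}")
            continue
        if net.num_addresses > 1:  # broader than "the bot's server IP"
            findings.append(f"ip_allowlist: {entry} is a range, not a single host")
        if bot.version == net.version and bot in net:
            covered = True
    if not covered:
        findings.append(f"ip_allowlist: bot address {bot_ip} is not listed")
    return findings


# Constructed sample data (documentation addresses from RFC 5737).
GOOD_KEY = {"read": True, "trade": True, "withdraw": False,
            "ip_allowlist": ["203.0.113.10"]}
LEAKY_KEY = {"read": True, "trade": True, "withdraw": True,
             "ip_allowlist": []}

if __name__ == "__main__":
    for label, key in (("good", GOOD_KEY), ("leaky", LEAKY_KEY)):
        print(label, audit_api_key(key, "203.0.113.10") or "OK")
```

Run it against the settings your exchange reports right after creating the key, and again whenever the key is edited.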

Red flags: when NOT to hand over keys

  • The service asks you to enable withdrawals "for performance." There is no legitimate reason. Walk away.
  • The service asks you to deposit funds to them instead of connecting via API. That's custodial — your money's gone the moment there's trouble.
  • No mention of trade-only keys or IP whitelisting in their setup docs. A serious tool leads with security.

FAQ

Can a trading bot steal my money with API keys?
Not if the key has withdrawal permission disabled. A trade-only key can place and close trades but cannot move funds off your exchange — your money never leaves your account.

What permissions should I give a trading bot?
Read and trade only. Never enable withdrawals. Add an IP whitelist if your exchange supports it.

Is it safe to connect a bot to Binance or Bybit via API?
Yes, when you use trade-only keys (withdrawals off) and ideally IP-restrict them. The bot can trade; it can't withdraw.

What if my API key leaks?
With withdrawals disabled, a leaked key can only trade your account, not drain it. Delete the key immediately and create a new one. IP whitelisting prevents use from another machine entirely.


Ezath's Auto-Trader connects with trade-only API keys — it can place and manage your BTC, ETH and SOL trades but never withdraw a cent. New to automation? Start with how to automate your crypto trading, then check the public track record before you connect.
