The Complete Security Reference for Every Supported Exchange
API key permissions are the single most important security decision you make when connecting a trading bot to your exchange. Get them right — and your funds are protected by architecture, not just trust. Get them wrong — and you’ve potentially created a vulnerability that no amount of trust in the bot author can compensate for.
This guide is the definitive reference for API key permissions across all exchanges supported by BitcoinEra. We’ll explain what each permission actually does at a technical level, why certain permissions are dangerous, the exact configuration you need for each exchange, and the security principles that should govern every API key you ever create.
Bookmark this page. Return to it every time you create a new API key on any exchange.
The Fundamental Principle — Minimum Necessary Access
Before looking at specific permissions, understand the governing principle behind all API security:
Grant only the permissions that are absolutely necessary for the intended function — nothing more.
This principle — called the Principle of Least Privilege in security engineering — is the foundation of all sound access control. Applied to trading bot API keys, it means:
A bot that needs to trade Bitcoin on the spot market needs exactly two permissions: the ability to read account data and the ability to place spot trades. It does not need withdrawal permissions. It does not need futures permissions. It does not need transfer permissions. It does not need any permission beyond what it specifically requires to execute its stated function.
Every additional permission you grant beyond the minimum necessary is an additional attack surface — another way things can go wrong if the key is ever compromised, the bot malfunctions, or the platform is misused.
The configuration in this guide applies this principle precisely — enabling exactly what’s needed, blocking everything else.
Why Withdrawal Permissions Must Never Be Enabled
This deserves its own section before anything else — because it’s the most important security rule in this entire guide.
Never enable withdrawal permissions on any API key connected to a trading bot. Under any circumstances. For any reason. Ever.
Here’s why this is absolute:
What Withdrawal Permission Actually Enables
When withdrawal permission is enabled on an API key — anyone or anything in possession of that key can initiate transfers of funds from your exchange account to any external wallet address.
They don’t need your exchange password. They don’t need your 2FA code. They don’t need to log in to your exchange at all. The API key alone is sufficient to drain your account entirely.
The Risk Scenario
Consider what happens if:
- Your BitcoinEra account is compromised
- The bot author’s systems are hacked
- Your API key is intercepted in transit
- A malicious actor gains access to the platform infrastructure
- The bot software has a bug that’s exploited
Without withdrawal permissions — the worst outcome is that trades are placed on your behalf. Your funds stay on the exchange. You can revoke the API key, stop the trading, and your capital is intact.
With withdrawal permissions — the worst outcome is that your entire account balance is transferred to an attacker’s wallet within seconds. This is irreversible. Cryptocurrency transactions cannot be recalled.
The False Argument
Some people argue: “I trust the bot author, so withdrawal permissions should be fine.” This misunderstands the threat model entirely.
The issue is not whether you trust the bot author. The issue is that enabling withdrawal permissions creates a vulnerability that doesn’t need to exist. Legitimate trading bots — every single one — can perform their complete function with Read + Trade permissions only. No legitimate trading bot requires withdrawal access to operate.
If any bot, platform, or person ever tells you that withdrawal permissions are required for a trading bot to function — they are either wrong or dishonest. Do not proceed.
🔒 The rule is absolute: withdrawal permissions on a trading bot API key = unacceptable risk. Full stop.
Permission Reference by Exchange
Binance API Permissions — Complete Reference
Read Info (Enable Reading)
What it does: Allows the API key to retrieve information from your account — current balance, open orders, trade history, account status, position information.
Why it’s needed: The bot needs to know your current balance to calculate position sizes. It needs to see existing open orders to avoid conflicts. It needs to read trade history to track performance.
Risk level: Very low. Read-only access cannot initiate any transactions.
Setting: ✅ Enable
Enable Spot & Margin Trading
What it does: Allows the API key to place, modify, and cancel orders on spot markets (buying and selling Bitcoin directly). Also enables margin trading if you have a margin account.
Why it’s needed: Without this permission, the bot can read your account but cannot place any trades. This is the core operational permission for spot trading bots.
Risk level: Low-medium. The bot can place trades — but only on your exchange, within your balance, and only for trading purposes. Cannot move funds externally.
Setting: ✅ Enable
Enable Margin
What it does: Allows the API key to execute margin trades — borrowing funds from Binance to trade with leverage beyond your actual balance.
Why it’s needed: Only if your specific bot uses margin trading. Most beginner-appropriate bots do not use margin.
Risk level: Medium-high. Margin trading amplifies both gains and losses. If the bot places leveraged margin trades — losses can exceed your initial deposit.
Setting: ⚠️ Only enable if your specific bot explicitly requires margin trading and you fully understand margin risk
Enable Futures
What it does: Allows the API key to trade Bitcoin futures contracts — derivative instruments that allow long and short positions with leverage.
Why it’s needed: Only if your bot specifically trades futures. Spot trading bots do not require this permission.
Risk level: High. Futures trading involves leverage and can result in liquidation — losing your entire futures account balance.
Setting: ⚠️ Only enable if your bot specifically trades futures contracts and you understand futures trading
Enable Withdrawals
What it does: Allows the API key to initiate fund withdrawals from your Binance account to any external address.
Why it’s needed: It isn’t. No legitimate trading bot requires withdrawal access.
Risk level: Catastrophic. A compromised key with withdrawal permission can drain your entire account immediately and irreversibly.
Setting: ❌ Never enable. Under any circumstances.
Enable Universal Transfer
What it does: Allows the API key to transfer funds between different Binance sub-accounts or between your spot wallet and futures wallet.
Why it’s needed: Rarely needed for standard bot trading. Some multi-account strategies may require this — but only if the bot specifically documents this requirement.
Risk level: Medium-high. Can move funds between accounts, potentially enabling complex attack scenarios.
Setting: ❌ Do not enable unless specifically required and you understand exactly why
Binance Correct Configuration Summary
| Permission | Setting |
|---|---|
| Enable Reading | ✅ Yes |
| Enable Spot & Margin Trading | ✅ Yes |
| Enable Margin | ⚠️ Only if required |
| Enable Futures | ⚠️ Only if required |
| Enable Withdrawals | ❌ Never |
| Enable Universal Transfer | ❌ No |
| Enable Options Trading | ❌ No |
| Enable Portfolio Margin | ❌ No |
Bybit API Permissions — Complete Reference
Read
What it does: Grants read-only access to account information — balance, positions, order history, market data.
Why it’s needed: The bot needs this to monitor your account state and make informed trading decisions.
Risk level: Very low. Read-only — cannot initiate transactions.
Setting: ✅ Enable
Spot Trading
What it does: Allows the API key to place, modify, and cancel orders on Bybit’s spot market — buying and selling Bitcoin directly.
Why it’s needed: Core operational permission for spot trading bots on Bybit.
Risk level: Low-medium. Trading permission only — cannot move funds externally.
Setting: ✅ Enable
Derivatives Trading
What it does: Allows the API key to trade perpetual futures and other derivatives on Bybit — including leveraged long and short positions.
Why it’s needed: Only for bots that specifically trade Bybit’s derivatives markets.
Risk level: High. Leveraged derivatives trading can result in liquidation.
Setting: ⚠️ Only enable if your bot specifically trades Bybit derivatives
Copy Trading
What it does: Allows the API key to participate in Bybit’s copy trading feature — automatically copying trades from other traders.
Why it’s needed: Not needed for standard bot trading through BitcoinEra.
Risk level: Medium. Enables a separate trading system that could conflict with or complement your bot’s activity.
Setting: ❌ Do not enable
Earn
What it does: Allows the API key to interact with Bybit Earn products — staking, savings, and yield products.
Why it’s needed: Not needed for trading bots.
Risk level: Medium. Could move funds into locked savings products.
Setting: ❌ Do not enable
Withdrawal and Transfer
What it does: Allows the API key to initiate withdrawals to external wallets and transfers between Bybit accounts.
Why it’s needed: It isn’t. No legitimate trading bot requires this.
Risk level: Catastrophic. Same as Binance withdrawal risk — complete account drainage possible.
Setting: ❌ Never enable
Bybit Correct Configuration Summary
| Permission | Setting |
|---|---|
| Read | ✅ Yes |
| Spot Trading | ✅ Yes |
| Derivatives Trading | ⚠️ Only if required |
| Copy Trading | ❌ No |
| Earn | ❌ No |
| Withdrawal | ❌ Never |
| Transfer | ❌ Never |
| NFT | ❌ No |
| Exchange | ❌ No |
OKX API Permissions — Complete Reference
OKX uses a slightly different permission model than Binance and Bybit — with more granular options and the unique Passphrase requirement covered in the API setup guide.
Read
What it does: Read-only access to account data — balance, positions, order history, market information.
Why it’s needed: Essential for the bot to monitor account state.
Risk level: Very low.
Setting: ✅ Enable
Trade
What it does: Allows the API key to place, modify, and cancel trading orders on OKX — including spot and potentially other markets depending on additional settings.
Why it’s needed: Core operational permission for trading bots on OKX.
Risk level: Low-medium. Trading permission within account balance — cannot move funds externally.
Setting: ✅ Enable
Withdraw
What it does: Allows the API key to initiate withdrawals from your OKX account to external addresses.
Why it’s needed: It isn’t. No legitimate trading bot needs this.
Risk level: Catastrophic.
Setting: ❌ Never enable
Transfer
What it does: Allows the API key to transfer funds between different OKX accounts or between trading accounts within OKX.
Why it’s needed: Not needed for standard trading bot operation.
Risk level: Medium-high.
Setting: ❌ Do not enable
Earn
What it does: Allows the API key to interact with OKX Earn — staking and savings products.
Why it’s needed: Not needed for trading bots.
Setting: ❌ Do not enable
Sub-Account Transfer
What it does: Allows the API key to transfer funds between OKX sub-accounts.
Why it’s needed: Not needed for standard trading bot operation.
Risk level: High — can move funds between accounts.
Setting: ❌ Do not enable
OKX Correct Configuration Summary
| Permission | Setting |
|---|---|
| Read | ✅ Yes |
| Trade | ✅ Yes |
| Withdraw | ❌ Never |
| Transfer | ❌ No |
| Earn | ❌ No |
| Sub-account transfer | ❌ No |
| Convert | ❌ No |
IP Restriction — The Additional Security Layer
Beyond permissions, all three exchanges offer IP address restriction — limiting which IP addresses can use a given API key. This is an important additional security measure worth understanding.
What IP Restriction Does
When you add an IP restriction to an API key — that key can only be used from the specified IP address. Even if an attacker obtains your complete API credentials — API Key, Secret Key, and Passphrase — they cannot use them unless they’re connecting from your approved IP address.
This effectively neutralizes the most common API key compromise scenario — credential theft. A stolen key is useless to anyone who cannot also send requests from the approved address.
When to Use IP Restriction
Use IP restriction if:
- Your bot runs on a dedicated server with a fixed, static IP address
- You use a VPS (Virtual Private Server) with an assigned IP for your bot
- BitcoinEra provides a fixed server IP address for bot connections
Don’t use IP restriction if:
- Your bot runs from your home computer and your home IP address changes regularly (dynamic IP)
- You frequently travel and access your exchange from different locations
- You’re not sure what IP address your bot uses
How to find the correct IP address to whitelist: Contact BitcoinEra support to obtain the current server IP address used for bot connections. Enter this IP address in the IP restriction field when creating or editing your API key.
How to Set IP Restriction
On Binance: In API Management → Edit your key → Access Restriction → Select “Restrict access to trusted IPs only” → Enter IP address → Save
On Bybit: In API Management → Edit your key → IP Access Restriction → Select “Restrict to specific IPs” → Enter IP address → Save
On OKX: In API Management → Edit your key → IP Restriction → Enter IP address → Save
API Key Lifecycle Management — Best Practices
Creating an API key correctly is only the beginning. Managing it correctly over its lifetime is equally important.
Creating Keys
- Create a separate key for each bot
- Use a descriptive label that identifies the bot immediately
- Screenshot or note the exact permissions enabled when creating
- Test the connection immediately after creation
Rotating Keys
What key rotation means: Deleting an existing API key and creating a fresh replacement — with identical permissions but new credentials. This is a security best practice that limits the window of exposure if a key has been compromised without your knowledge.
How often to rotate:
- Every 6–12 months as a general practice
- Immediately after any suspected security incident
- Whenever a bot is permanently stopped and won’t be restarted
- After any exchange security incident notification
The rotation process:
- Create a new API key on your exchange with identical permissions
- Update the credentials in BitcoinEra — disconnect old key, connect new key
- Verify the new key is working correctly
- Delete the old key from your exchange API Management page
Deleting Unused Keys
Any API key that is no longer actively being used by a running bot should be deleted from your exchange immediately. An inactive key that nobody is monitoring is a silent security risk — if it’s ever compromised, you might not notice for an extended period.
Rule of thumb: If a bot is stopped and you don’t plan to restart it within a few weeks — delete the key. You can always create a new one when needed.
Auditing Your Keys
Once per month — log in to each exchange’s API Management page and review the complete list of active keys.
For each key ask:
- Is this key actively being used by a running bot?
- Do the permissions on this key match what they should be?
- Is there any suspicious activity in the key’s usage log?
- Should this key be rotated based on its age?
Delete anything that doesn’t need to exist. Verify permissions on everything that does.
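To make the three per-exchange configuration summaries and the monthly audit checklist above mechanically checkable, here is an added Python example (not part of this guide or of BitcoinEra’s tooling) that encodes the summary tables as a policy and scores a constructed key inventory against it; the record fields, severity labels, and sample keys are assumptions.

```python
from datetime import date

# Expected settings per exchange, transcribed from this guide's three
# "Correct Configuration Summary" tables ("never" and "no" must both be off).
POLICY = {
    "Binance": {"required": {"Enable Reading", "Enable Spot & Margin Trading"},
                "conditional": {"Enable Margin", "Enable Futures"},
                "never": {"Enable Withdrawals"},
                "no": {"Enable Universal Transfer", "Enable Options Trading",
                       "Enable Portfolio Margin"}},
    "Bybit": {"required": {"Read", "Spot Trading"},
              "conditional": {"Derivatives Trading"},
              "never": {"Withdrawal", "Transfer"},
              "no": {"Copy Trading", "Earn", "NFT", "Exchange"}},
    "OKX": {"required": {"Read", "Trade"}, "conditional": set(),
            "never": {"Withdraw"},
            "no": {"Transfer", "Earn", "Sub-account transfer", "Convert"}},
}
ROTATION_DAYS = 365            # upper end of the guide's 6-12 month window
AUDIT_DATE = date(2025, 1, 1)  # constructed "today" for the sample run

def audit_key(key, today):
    """Return a list of (severity, message) findings for one key record."""
    policy = POLICY[key["exchange"]]
    enabled = set(key["permissions"])
    findings = []
    for p in sorted(enabled & policy["never"]):           # fund-moving: absolute rule
        findings.append(("CRITICAL", f"{p} enabled: fund-moving, revoke key now"))
    for p in sorted(enabled & policy["no"]):              # beyond the minimum
        findings.append(("HIGH", f"{p} enabled beyond the minimum; disable it"))
    for p in sorted(enabled & policy["conditional"]):     # only with a documented need
        if p not in key.get("documented_needs", ()):
            findings.append(("HIGH", f"{p} enabled without a documented need"))
    for p in sorted(policy["required"] - enabled):        # bot cannot work without these
        findings.append(("INFO", f"{p} missing; the bot cannot operate"))
    if not key["in_use"]:                                 # unused keys get deleted
        findings.append(("HIGH", "no running bot uses this key; delete it"))
    if not key["ip_restricted"]:                          # IP allowlist missing
        findings.append(("MEDIUM", "no IP restriction set"))
    age = (today - key["created"]).days                   # rotation by age
    if age > ROTATION_DAYS:
        findings.append(("MEDIUM", f"key is {age} days old; rotate it"))
    return findings

def audit_inventory(keys, today):
    return {k["label"]: audit_key(k, today) for k in keys}

# Constructed sample inventory (labels and settings only, no credentials).
SAMPLE_KEYS = [
    {"exchange": "Binance", "label": "btc-spot-bot", "in_use": True,
     "ip_restricted": True, "created": date(2024, 3, 1),
     "permissions": ["Enable Reading", "Enable Spot & Margin Trading"]},
    {"exchange": "Bybit", "label": "old-test-key", "in_use": False,
     "ip_restricted": False, "created": date(2023, 1, 15),
     "permissions": ["Read", "Spot Trading", "Withdrawal"]},
    {"exchange": "OKX", "label": "okx-bot", "in_use": True,
     "ip_restricted": False, "created": date(2024, 9, 1),
     "permissions": ["Read", "Trade", "Transfer"]},
]
```

Running `audit_inventory(SAMPLE_KEYS, AUDIT_DATE)` returns an empty list for the compliant spot key and a CRITICAL finding first for the stale Bybit key with withdrawal enabled.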
What to Do If an API Key Is Compromised
If you have any reason to believe an API key may have been compromised — act immediately. Speed matters enormously in this scenario.
Immediate Actions (Do These First)
Step 1 — Delete the API key from your exchange
Log in to your exchange immediately. Go to API Management. Delete the compromised key. This revokes all access immediately — no waiting for BitcoinEra to process anything.
Step 2 — Check your exchange account for unauthorized activity
Review your trade history and transaction history for any trades or movements you didn’t authorize. If you see unauthorized withdrawals — contact your exchange support immediately.
Step 3 — Disconnect in BitcoinEra
After deleting from the exchange — also disconnect the key in BitcoinEra’s Connected Exchanges settings.
Secondary Actions (Do These Within 24 Hours)
Step 4 — Change your BitcoinEra password
Even if the compromise was at the exchange API level — change your BitcoinEra password as a precaution.
Step 5 — Review and revoke all active sessions
Check your active sessions in BitcoinEra security settings and revoke any you don’t recognize.
Step 6 — Investigate how the compromise occurred
How might the key have been obtained? Review your security practices. Was the key stored somewhere insecure? Was your device compromised? Understanding the vector helps prevent recurrence.
Step 7 — Create a new API key with fresh credentials
Once you’re confident you understand and have addressed the compromise vector — create a new API key with correct permissions and reconnect.
Step 8 — Contact BitcoinEra support
Report the incident so the support team can investigate from the platform side and confirm no other issues exist.
Common Permission Mistakes — And How to Avoid Them
Mistake 1 — Enabling withdrawal permissions “just in case”
There is no legitimate “just in case” scenario for withdrawal permissions on a trading bot. Never do this.
Mistake 2 — Enabling futures permissions for a spot bot
If your bot trades BTC/USDT spot — it doesn’t need futures permissions. Futures permissions expose you to leveraged trading risk that a spot bot should never trigger.
Mistake 3 — Using one API key for multiple bots
Each bot should have its own key. This allows precise control — you can stop one bot by deleting its key without affecting any others.
Mistake 4 — Never deleting old keys
Every unused key sitting on your exchange is an unnecessary risk. Delete them as soon as they’re no longer needed.
Mistake 5 — Setting no IP restriction when a fixed IP is available
If you have a fixed server IP — use IP restriction. The marginal effort is minimal. The security benefit is significant.
Mistake 6 — Storing API credentials insecurely
Never store API keys in plain text files, email drafts, messaging apps, or unencrypted notes. Use a password manager exclusively.
Mistake 7 — Ignoring exchange security notifications
Exchanges send notifications about API key activity, new logins, and security events. Read these. Act on anything suspicious immediately.
Quick Reference — Universal Rules
These rules apply to every exchange, every bot, every API key, every time:
| Rule | Always | Never |
|---|---|---|
| Read permission | ✅ Enable | |
| Trade/Spot Trading permission | ✅ Enable | |
| Withdrawal permission | | ❌ Never |
| Separate key per bot | ✅ Always | |
| Descriptive key label | ✅ Always | |
| Delete unused keys | ✅ Always | |
| IP restriction (if fixed IP available) | ✅ Use | |
| Share credentials with anyone | | ❌ Never |
| Enable permissions beyond minimum | | ❌ Never |
| Store in insecure location | | ❌ Never |
Summary
Here’s everything we covered in this guide:
- The Principle of Least Privilege — grant only what’s absolutely necessary
- Why withdrawal permissions must never be enabled — the complete security case
- Complete permission reference for Binance — every option explained with correct settings
- Complete permission reference for Bybit — every option explained with correct settings
- Complete permission reference for OKX — every option explained with correct settings
- IP restriction — what it does, when to use it, and how to set it up
- API key lifecycle management — creation, rotation, deletion, and monthly auditing
- What to do if an API key is compromised — immediate and secondary actions
- The seven most common permission mistakes and how to avoid them
- Universal rules that apply to every exchange and every bot
⚠️ Security Notice: Never enable withdrawal permissions on any API key connected to a trading bot. BitcoinEra will never request withdrawal permissions and has no mechanism to initiate withdrawals from your exchange account. If any platform or person tells you withdrawal permissions are required for bot trading — do not comply.