🔑Security
We take your security seriously!
We want to be transparent about how the Terminal handles keys so you can make informed decisions about your security. We also want to share some thoughts and good practices on keys in general. When you "add" an API key to the Terminal, it is stored in the local storage of your browser/device, not on a central server or database. That is to say, you maintain custody of your keys. This was a deliberate design choice to avoid a single point of failure. We also don't want the liability of storing user data, which is why the Terminal has no database/storage (except for candlesticks for the chart; Auth0 handles sign-in credentials). If someone steals your sign-in credentials and uses them, they are just greeted by a blank page.
Additionally, we have enabled 2FA. To set it up, open the Settings menu and go to the "2FA" tab.
You can confirm key custody in two ways. 1) Sign into the Terminal from a new device or browser; you will notice the keys are absent. 2) Open the developer console in your browser (F12) and view the contents of local storage. The key, secret and other data are encrypted by default. Here is an example:
You can also test this by deleting that data directly: right-click on the area indicated by the green arrow and click Delete. Then reload the Terminal. (NOTE: you will have to re-add your keys!) Keys are decrypted just-in-time to sign transactions and then immediately discarded.
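The local storage check described above can also be done programmatically. The following is an added example, not the Terminal's own code: it searches a storage object for a secret you already know, in clear text or in a keyless encoding (base64, hex). The function names, entry names and sample secret are hypothetical, and nothing is assumed about the Terminal's storage keys or cipher format.

```javascript
// Added example (not the Terminal's code): scan a Web Storage-like object
// for a known secret stored in clear or in a keyless, reversible encoding.

// Forms that anyone can reverse without a key. Finding one means the
// value is encoded at best, not encrypted.
function reversibleForms(secret) {
  const hex = Array.from(secret, (c) =>
    c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
  // base64 only matches when the secret was encoded on its own.
  return { plain: secret, base64: btoa(secret), hex };
}

// Returns [{ name, form }] for every storage entry that contains the secret.
function findExposedSecret(storage, secret) {
  const forms = reversibleForms(secret);
  const hits = [];
  for (let i = 0; i < storage.length; i++) {
    const name = storage.key(i);
    const value = storage.getItem(name) ?? "";
    for (const [form, needle] of Object.entries(forms)) {
      // Hex dumps may be upper- or lower-case; the other forms are exact.
      const haystack = form === "hex" ? value.toLowerCase() : value;
      if (haystack.includes(needle)) hits.push({ name, form });
    }
  }
  return hits;
}

// Minimal stand-in for window.localStorage so the sample runs outside a browser.
function makeStorage(entries) {
  const names = Object.keys(entries);
  return {
    length: names.length,
    key: (i) => names[i] ?? null,
    getItem: (k) => (k in entries ? entries[k] : null),
  };
}

// Constructed sample data: the secret and entry names are made up.
const SAMPLE_SECRET = "EXAMPLEsecret0123456789";
const sampleStorage = makeStorage({
  "demo.encrypted": "q7Zk1vXw0c9mR2+constructed/ciphertext==",
  "demo.leakyJson": JSON.stringify({ apiSecret: SAMPLE_SECRET }),
  "demo.leakyB64": btoa(SAMPLE_SECRET),
});

console.log(findExposedSecret(sampleStorage, SAMPLE_SECRET));
```

In the browser console on the Terminal's tab, call `findExposedSecret(localStorage, "<your API secret>")`; an empty array is consistent with the keys being stored encrypted. It shows only that no plain or trivially encoded copy is present, not how strong the encryption is.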
Some notes on generating API keys: When creating a Bybit key, use the "Connect to Third Party Application" option detailed here: Creating a Bybit API Key. Using this ensures the key will be locked to our server's IP range (pre-approved with the Bybit team). When creating a Binance key, whitelist our server IPs; instructions are detailed here: Creating a Binance Key. Additionally, it is good practice to create one API key exclusively for use with one application, which will help with any disputes.
Don't share your keys with anyone and obviously do not ever enable withdrawals! We also advise not keeping all funds on only one exchange. Ideally, you keep on an exchange only the amount of funds you need for trading. Stay safe!