Security
We take your security seriously!
We want to be transparent about how we handle keys with the Terminal so you can make informed decisions about your security. We also want to share some thoughts and good practices on keys in general. When you "add" an API key to the Terminal, it is actually added to the local storage in your browser/device. It is not added to a central server or database.
However you also have the option to by storing them on our servers. If you want to understand how we securely handle your API keys with the Sync feature, please read this section: .
You can confirm the local key custody in two ways. 1) Sign in to the Terminal from a new device or browser; you will notice the keys are absent. 2) Open the developer console in your browser (F12) and view the contents of local storage. The key, secret and other data are encrypted by default. Here is an example:
You can also test this by deleting that data directly: right-click on the area indicated by the green arrow and click Delete. Then reload the Terminal. (NOTE: you will have to re-add your keys!) Keys are decrypted just-in-time to sign transactions and then immediately discarded.
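The local storage check in step 2 can be made systematic. This is an added example, not the Terminal's own code: it scans a Storage-like object for copies of your key or secret that are readable as plaintext, URL-encoded, base64 or hex text. The entry names and sample values are constructed.

```javascript
// Hex form of a string, to catch hex-encoded copies of a secret.
const hexOf = (s) => Array.from(new TextEncoder().encode(s),
  (b) => b.toString(16).padStart(2, "0")).join("");

// Readable forms of one stored value: as-is, URL-decoded, base64-decoded.
function views(value) {
  const out = { raw: value };
  try {
    const u = decodeURIComponent(value);
    if (u !== value) out.urlDecoded = u;
  } catch (_) { /* not URL-encoded */ }
  try {
    out.base64Decoded = atob(value.replace(/-/g, "+").replace(/_/g, "/"));
  } catch (_) { /* not base64 */ }
  return out;
}

// storage: anything with the Web Storage interface (length, key(i), getItem).
// secrets: { label: value } for the API key and secret you entered.
function findExposedSecrets(storage, secrets) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const entry = storage.key(i);
    for (const [view, text] of Object.entries(views(storage.getItem(entry)))) {
      for (const [label, secret] of Object.entries(secrets)) {
        if (!secret) continue; // an empty string would match everything
        const hit = text.includes(secret) ||
          text.toLowerCase().includes(hexOf(secret));
        // Report the entry name and label only, never the secret itself.
        if (hit) findings.push({ entry, secret: label, view });
      }
    }
  }
  return findings;
}

// Constructed sample data (hypothetical entry names and values, not the Terminal's).
function fakeStorage(items) {
  const names = Object.keys(items);
  return { length: names.length, key: (i) => names[i], getItem: (n) => items[n] };
}
const sampleSecrets = { apiKey: "EXAMPLEKEY0123456789", apiSecret: "example-secret-abcdef" };
const sampleStorage = fakeStorage({
  encrypted_blob: "U2FsdGVkX19jb25zdHJ1Y3RlZC1zYW1wbGU=",    // stand-in for ciphertext
  leaky_json: JSON.stringify({ key: sampleSecrets.apiKey }), // plaintext copy
  leaky_b64: btoa(sampleSecrets.apiSecret),                  // encoded, not encrypted
});
console.log(findExposedSecrets(sampleStorage, sampleSecrets));
```

In the browser console, pass `localStorage` as the first argument together with the key and secret you entered. An empty result means no readable copy was found in these forms; it does not by itself show how the stored data is encrypted.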
For additional security we recommend using 2FA. For the API keys sync, 2FA is mandatory. To set it up, go to the "2FA" tab in the Settings menu. Please allow pop-ups in your browser for the webpage: although you might not notice it, 2FA opens and instantly closes a pop-up to get the authentication token.
Don't share your keys with anyone, and obviously do not ever enable withdrawals! We also advise against keeping all funds on only one exchange. Ideally, keep on an exchange only the amount of funds you need for trading. Stay safe!
Some general notes on generating API keys: When creating a Bybit key, use the "Connect to Third Party Application" option detailed here: Using this ensures the key will be locked to our server's IP range (pre-approved with the Bybit team). When creating a Binance key, whitelist our server IPs, instructions detailed here: Creating a Binance Key. Additionally, it is good practice to create one API key exclusively for use with one application, which will help with any disputes.