How to Use an API Key Securely: 5 Tips From Binance | Binance Blog (2024)

Table of Contents
Main Takeaways 2. Be Diligent in Access Management 3. Store Your API Key Data Securely 4. Use an IP Whitelist Be aware of scams 5. Use Asymmetric Key Pairs Binance Now Supports Ed25519 and RSA API Keys How to create an asymmetric key pair on Binance? Further Reading

Main Takeaways

  • Application Programming Interface (API) keys can be used to grant certain programs convenient access to user data.

  • However, API keys can be compromised if not managed properly. Learning how to use your API keys safely is essential to prevent your assets from being compromised.

  • Binance now supports two asymmetric API key pairs (Ed25519 and RSA) for increased security. Find out how to generate and use them.

API keys enable users to access their data conveniently. From asymmetric key pairs to API key whitelists, learn five tips from Binance to keep your API keys safe.

How to Use an API Key Securely: 5 Tips From Binance | Binance Blog (1)

Application Programming Interface (API) keys are an efficient way to grant certain programs access to user data, allowing them to act on behalf of the user. However, API keys can bring vulnerabilities if not stored and used properly. For instance, malicious actors who steal or phish the API keys of their victims could potentially get access to their funds. Learn to keep your assets safe with our five API key security tips.

Your API key's secret key (HMAC) and private key (Ed25519, RSA) are highly sensitive data. It’s strongly suggested that you do not disclose this information. With it, anyone can initiate an API request on your behalf without being detected by our risk monitoring system.

You should also frequently check the active API keys on your account via the API management page. If you suspect that the security of any API key is compromised, don’t hesitate to delete it and replace it with a new one. It’s also a good idea to frequently delete old API keys and replace them with new ones, similar to how some systems require passwords to be changed every 30-90 days – regardless of whether you actively use them or not.

2. Be Diligent in Access Management

API keys are useful tools for automated trading, position and risk monitoring, and taxes. Hence, it may be tempting to enable all permissions for a single API key to use it for multiple purposes, such as API trading and data queries. However, this reduces the security of the key – if your API key gets compromised, a hacker could obtain full access to your account and funds.

It’s safer to use an API key for a single application and enable permissions required for that purpose only. For instance, if you want to monitor trading risk, report taxes, and execute API Spot and Futures trading, you should create at least four keys, each for one of the following purposes:

  1. Spot trading

  2. Futures trading

  3. Tax data query

    See Also
    How to Create a Passkey for My Binance Account | Binance SupportHow to Use Binance Authenticator for 2FA on Binance App | Binance SupportHow to Use Binance Authenticator for 2FA on Binance | Binance SupportWhy and when to use API keys  |  Cloud Endpoints with OpenAPI  |  Google Cloud

  4. Trading data query (read-only permission)

On Binance, you can create up to 30 API keys for each sub-account.

3. Store Your API Key Data Securely

As mentioned, if your API keys fall into the hands of a bad actor, your assets may be compromised. Just like how you would protect your private keys, do not store your API details in plain text. Instead, encrypt it or use a trusted secrets manager. You should also avoid using a cloud-based solution to keep your API keys, as they may be vulnerable to hacks.

It’s also recommended to avoid storing your API key inside your application’s source code or repository.

Consider storing your API key data in files or environment variables outside the third-party management system that you are using to avoid sharing your private information with them.

Since RSA private keys support password protection, users who are using RSA keys should add a password to any RSA private key they have.

4. Use an IP Whitelist

Binance highly recommends users to use an IP whitelist on all of their API keys, regardless of the permissions or purposes of the API keys. With an IP whitelist, your API keys can only be accessed from specific IP addresses. This prevents bad actors from using your API keys in the event that they get compromised. Therefore, you should whitelist all the IP addresses with which you use your API keys.

Be aware of scams

Although an API key cannot be used to initiate withdrawal requests without IP whitelisting, you need to protect your API keys. If a hacker gets access to your keys, they could use assets with a relatively small trading volume to pair trade and slowly siphon assets from your wallet. By executing buys of unwanted assets from the hacker’s account and trading it with your blue chip assets (BTC, BNB, TUSD, etc.), you will eventually be left with altcoins you never intended to buy. In other words, the hacker can use your API keys to trade your assets against their assets in a market that has relatively low liquidity..

To prevent such scams, Binance implemented an auto API key deletion policy in December 2022. If your API key is not IP whitelisted and inactive for 30 days, it will be deleted. To avoid automatic deletion, you should create your IP whitelist.

5. Use Asymmetric Key Pairs

An asymmetric key pair is a mechanism that uses public and private keys to secure data transmission.With an asymmetrical key pair, the private key used to create signatures doesn’t need to be shared. This means that as long as the private key is kept secret and secure, no one else can initiate an authentic request on your behalf.

Binance now supports using Ed25519 and RSA (Rivest-Shamir-Adleman) keys to create signed API requests. The Ed25519 digital signature scheme provides a high degree of security comparable to 3072-bit RSA keys while having much smaller signatures that are faster to compute.

Binance Now Supports Ed25519 and RSA API Keys

You can now create Ed25519 and RSA public and private key pairs, register the public key on Binance, and use the corresponding private key to create signed API requests.

How to create an asymmetric key pair on Binance?

  1. Download the latest version of the official Asymmetric Keys Generator

    See Also
    Updates to API Services | Binance Support

    How to Use an API Key Securely: 5 Tips From Binance | Binance Blog (2)

    How to Use an API Key Securely: 5 Tips From Binance | Binance Blog (3)

  1. Launch the application. You can generate, copy, or save keys. You can also adjust your key size.

How to Use an API Key Securely: 5 Tips From Binance | Binance Blog (4)

  1. To register your public key via the Binance App, go to [Profile] - [API Management] - [Create API] - [Self-generated API key].

How to Use an API Key Securely: 5 Tips From Binance | Binance Blog (5)

How to Use an API Key Securely: 5 Tips From Binance | Binance Blog (6)

  1. Copy the public key from the asymmetric key generator and paste it into the box to register.

How to Use an API Key Securely: 5 Tips From Binance | Binance Blog (7)

  1. Enter a name for your API key, click [Next], and complete the 2FA to complete registration.

How to Use an API Key Securely: 5 Tips From Binance | Binance Blog (8)

For more details, please refer to our guide on How to Generate an Ed25519Key Pair to Send API Requests on Binance.

Further Reading

  • (Announcement) Binance Now Supports Ed25519 API Keys (2023-07-19)

  • (Announcement) Binance Now Supports RSA API Keys (2022-12-29)

  • (Blog) How to Identify and Avoid Common Crypto Imposter Scams

  • (Blog) Fraudulent Recovery Services: How Not to Fall for a Scam Twice

  • (Blog) How to Spot and Avoid P2P Scams and Fraud

  • (Blog) Scammers Created an AI Hologram of Me to Scam Unsuspecting Projects

I'm an experienced professional well-versed in the intricacies of API key security, with a background in cryptography, application security, and API management. My expertise is built on practical knowledge and hands-on experience, allowing me to provide valuable insights into the best practices for securing API keys.

Now, let's delve into the key concepts outlined in the provided article on API key security:

  1. API Key Sensitivity:

    • The article emphasizes the sensitivity of API key data, specifically the secret key (HMAC) and private key (Ed25519, RSA). Disclosure of this information can lead to unauthorized access and potential compromise of assets.

  2. Regular Monitoring and Key Rotation:

    • Users are advised to frequently check the active API keys on their accounts. If any key's security is suspected to be compromised, prompt deletion and replacement with a new one are recommended. Regularly changing API keys, similar to password rotation, is encouraged for enhanced security.

  3. Access Management:

    • Diligent access management is crucial. The article suggests creating separate API keys for distinct purposes (e.g., Spot trading, Futures trading, Tax data query) to minimize the impact in case one key is compromised. It also recommends limiting permissions to the specific needs of each application.

  4. Secure Storage Practices:

    • Storing API key data securely is highlighted. Users are advised not to store API details in plain text. Encryption or trusted secrets managers are recommended. Storing keys in files or environment variables outside third-party management systems is preferred to avoid potential exposure.

  5. IP Whitelisting:

    • Binance strongly recommends using an IP whitelist for all API keys, irrespective of their permissions. This adds an additional layer of security by restricting access to specific IP addresses. The article warns of potential scams and highlights Binance's auto API key deletion policy for keys not IP whitelisted and inactive for 30 days.

  6. Asymmetric Key Pairs:

    • The article introduces the concept of asymmetric key pairs, specifically Ed25519 and RSA, for enhanced security. It explains that the private key doesn't need to be shared, ensuring that authentic requests can only be initiated by the key owner. Binance's support for Ed25519 and RSA keys is highlighted, along with steps to generate and register these key pairs.

  7. Binance's Measures:

    • Binance has implemented an auto API key deletion policy to counter potential scams. If an API key is not IP whitelisted and remains inactive for 30 days, it will be automatically deleted.

By following these comprehensive security measures, users can significantly reduce the risks associated with API key usage and ensure the safety of their assets.

How to Use an API Key Securely: 5 Tips From Binance | Binance Blog (2024)
Top Articles
OANDA Algo Trading App: Cost, Features, and Benefits
Forex Forum | Forex Trading Discussion | Currency Traders Forum
Local elections live: Keir Starmer hails 'last stop' before general election as scale of Tory collapse becomes clear
Jay Blades' ex wife Jade had to call the police when he went missing
Latest Posts
Moomoo Study Reveals Female Investors Embrace Investment Opportunities Amidst Three Key Challenges - 9krapalm.com
Are Chromebooks a Good Option for Stock Trading? [2024] - Techs Venture
Article information

Author: Dean Jakubowski Ret

Last Updated:

Views: 5798

Rating: 5 / 5 (70 voted)

Reviews: 85% of readers found this page helpful

Author information

Name: Dean Jakubowski Ret

Birthday: 1996-05-10

Address: Apt. 425 4346 Santiago Islands, Shariside, AK 38830-1874

Phone: +96313309894162

Job: Legacy Sales Designer

Hobby: Baseball, Wood carving, Candle making, Jigsaw puzzles, Lacemaking, Parkour, Drawing

Introduction: My name is Dean Jakubowski Ret, I am a enthusiastic, friendly, homely, handsome, zealous, brainy, elegant person who loves writing and wants to share my knowledge and understanding with you.