API Key Security
Best practices for keeping your exchange API keys secure while using TradingForge.
Getting exchange API security right is one of the most important steps you can take to protect your funds. TradingForge is designed with security in mind, but no software can fully compensate for poor API key hygiene. This guide covers the essential best practices every TradingForge user should follow.
1. Never Enable Withdrawal Permissions
This is the single most important rule. Never enable withdrawal or transfer permissions on any API key used with a trading bot. TradingForge does not require withdrawal permissions under any circumstances. If a key is ever compromised, an attacker without withdrawal permissions cannot remove funds from your exchange account.
2. Use IP Restrictions
Every major exchange supports restricting an API key to a list of trusted IP addresses. When IP restriction is enabled, the API key can only be used from those specific IP addresses — even a stolen key is useless from any other location.
- Find your public IP address at whatismyip.com
- Add it to the allowed IP list when creating or editing your API key on the exchange
- If your ISP assigns you a dynamic IP that changes regularly, consider using a VPN with a static exit IP, or update your allowed IP list when it changes
3. Use a Dedicated API Key for TradingForge
Create a separate API key exclusively for TradingForge. Do not reuse a key that is shared with other tools, scripts, or manual API testing. Dedicated keys make it easy to revoke access to one tool without affecting others, and they limit the blast radius if a key is ever exposed.
4. Store API Keys Securely
Once you have entered your API keys into TradingForge, you should not need them again unless you reinstall or transfer to a new machine. Store your keys in a password manager or other encrypted storage. Avoid:
- Pasting keys into chat messages, emails, or support tickets
- Saving them in plain text files or spreadsheets
- Including them in screenshots (even when asking for help)
- Storing them in clipboard managers that sync to the cloud
5. Rotate Keys Periodically
Even well-managed keys can be inadvertently exposed over time. As a precautionary measure, create a new API key every 6 to 12 months, update TradingForge with the new credentials, and delete the old key from the exchange. This limits the exposure window if a key was silently compromised.
How to rotate a key
- Create a new API key on your exchange with the same permissions
- Update TradingForge under Settings → Exchange with the new credentials
- Verify the new connection is working (check the green status indicator)
- Delete the old API key from the exchange
6. Monitor for Unusual Activity
Most exchanges let you set up notifications for API key usage, new logins, and order activity. Enable these alerts so you are immediately informed if your key is used unexpectedly. Regularly review your open orders and trade history to verify that all activity matches what TradingForge should be doing.
7. Never Share Your Screen with Keys Visible
When screen sharing, streaming, or recording your screen for any reason — including seeking technical support — ensure the TradingForge settings page with API keys is not visible. Keys are partially masked in the UI by default, but take care not to reveal the full key by editing the field while on screen.
Permissions Required Per Engine
Different TradingForge features require different levels of exchange access. Use this table as a reference when setting up keys with the principle of least privilege:
| Feature / Engine | Read | Spot Trade | Notes |
|---|---|---|---|
| TradeFuel (DCA Engine) | Required | Required | Needs both read and trade to manage DCA orders |
| TradeSmith (Market Analysis) | Required | Required for live trading | Read-only is sufficient if using TradeSmith for signals only |
| Paper Trading Mode | Required | Not required | Only needs read access to pull live price data; no orders are placed |
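As an added example that is not part of the TradingForge documentation, the following Python check encodes the rules above and the permission table into a pre-flight audit of a key's settings. `ApiKeyConfig`, `audit_key` and the sample values are assumptions for illustration; exchanges do not expose key settings in this uniform shape, so you fill the record in from the exchange's API key page.

```python
from dataclasses import dataclass, field
from datetime import date

# Permission requirements per engine, taken from the table on this page:
# engine -> (read required, spot trade required)
ENGINE_REQUIREMENTS = {
    "TradeFuel": (True, True),
    "TradeSmith (live)": (True, True),
    "TradeSmith (signals only)": (True, False),
    "Paper Trading": (True, False),
}

ROTATION_MAX_DAYS = 365  # the guide recommends a new key every 6 to 12 months


@dataclass
class ApiKeyConfig:
    """Hypothetical record of one exchange API key's settings (not an exchange API)."""
    label: str
    can_read: bool
    can_trade: bool
    can_withdraw: bool
    allowed_ips: list[str] = field(default_factory=list)
    created: date = date(2000, 1, 1)
    shared_with_other_tools: bool = False


def audit_key(key: ApiKeyConfig, engine: str, today: date) -> list[str]:
    """Return the rules this key violates; an empty list means it follows the guide."""
    if engine not in ENGINE_REQUIREMENTS:
        raise ValueError(f"unknown engine: {engine}")
    need_read, need_trade = ENGINE_REQUIREMENTS[engine]
    findings = []
    if key.can_withdraw:
        findings.append("withdrawal/transfer permission enabled (rule 1)")
    if not key.allowed_ips:
        findings.append("no IP restriction configured (rule 2)")
    if key.shared_with_other_tools:
        findings.append("key is shared with other tools (rule 3)")
    if (today - key.created).days > ROTATION_MAX_DAYS:
        findings.append("key older than 12 months, rotate it (rule 5)")
    if need_read and not key.can_read:
        findings.append(f"{engine} needs read permission")
    if need_trade and not key.can_trade:
        findings.append(f"{engine} needs spot trade permission")
    if key.can_trade and not need_trade:
        findings.append(f"{engine} does not need trade permission (least privilege)")
    return findings


if __name__ == "__main__":
    # Constructed sample: a key created for paper trading with too many rights.
    key = ApiKeyConfig("paper-bot", True, True, True, [], date(2022, 1, 1), True)
    for finding in audit_key(key, "Paper Trading", date(2024, 6, 1)):
        print("-", finding)
```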
