Security

Frequently asked questions about TradingForge security — API key safety, data storage, open source availability, and protecting your login.

Security is a top concern when running automated trading software. This page answers the most common questions about how TradingForge handles your API keys, data, and account access.

Is it safe to give TradingForge my API keys?

Your API keys are stored locally on your own machine in TradingForge's configuration files. They are never transmitted to TradingForge servers, never stored in the cloud, and never visible to anyone other than you. The connection goes directly from your computer to your exchange.

To further limit risk, we strongly recommend only enabling Spot Trading permission on the API key — never enable withdrawal permissions. With only trading permissions active, even in the unlikely event that a key was somehow compromised, an attacker could only place or cancel trades, not withdraw funds.

Never enable withdrawal permissions on an API key used for automated trading — for TradingForge or any other bot. Withdrawal access on an API key creates unnecessary risk.

Can TradingForge withdraw my funds?

No. TradingForge only requires Spot Trading permissions (to place and cancel orders) and Read permissions (to check balances and order status). Withdrawal is a completely separate API permission that must be explicitly enabled on your exchange API key — and we recommend you never enable it for any trading bot.


Where is my data stored?

All TradingForge data is stored locally on your Windows computer. This includes:

  • Your exchange API credentials (stored in local config files)
  • Your trading strategy configuration and profiles
  • Your trade history and performance records
  • Your notification settings (Telegram tokens, SMTP credentials)

TradingForge does not have cloud storage, does not sync data to any remote server, and does not transmit your configuration to TradingForge's infrastructure. The only outbound connections TradingForge makes are to your exchange's API and to the TradingForge license validation server (for periodic license checks).


Is TradingForge open source?

Yes. The TradingForge source code is publicly available on GitHub at github.com/theshabobo/TradingForge. You can review the code, verify what it does, and confirm that it behaves as described. Transparency is important for trading software, and the public repository allows the community to audit the codebase.


What happens to my API keys if I uninstall TradingForge?

When you uninstall TradingForge, the application and its local data files are removed from your computer. Your API keys are deleted along with the local config files.

However, as a best practice, you should also delete the API keys from your exchange account after uninstalling TradingForge. This ensures the credentials can no longer be used even if a copy of the config file was backed up or remains somewhere on your system. Deleting unused API keys from your exchange is good security hygiene.


How do I protect my TradingForge login?

TradingForge is protected by a password on the login screen at http://localhost:3000. The default password is tradingfuel and must be changed immediately after your first login.

  • Change the default password immediately. The default password is publicly known. Go to Settings after first login and set a strong, unique password.
  • Use a strong password. Use a password that is at least 12 characters long and not used for any other account.
  • TradingForge is localhost-only. By default, the TradingForge web interface is only accessible from your local machine. It is not exposed to your local network or the internet, so an attacker would need physical or remote access to your computer to reach the login page.

Lock your Windows session when you step away from your computer. Even though TradingForge requires a password, anyone with access to your Windows session can open a browser and access the dashboard if you are already logged in.
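
One way to confirm the localhost-only binding described above on your own machine, as an added example that is not part of TradingForge's code or documentation. Port 3000 is taken from the login URL on this page; the function name `Test-LoopbackOnly` is a hypothetical helper.

```powershell
# Added example: report which addresses a local TCP port is listening on
# and whether every listener is restricted to loopback (127.0.0.0/8 or ::1).
# Port 3000 comes from this page; Test-LoopbackOnly is a hypothetical name.
function Test-LoopbackOnly {
    param([int]$Port = 3000)

    # All sockets in LISTEN state on the port (IPv4 and IPv6).
    $listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
    if ($listeners.Count -eq 0) {
        Write-Warning "Nothing is listening on TCP port $Port."
        return $null
    }

    $results = foreach ($l in $listeners) {
        # Strip any IPv6 scope id (for example "%12") before parsing.
        $ip   = [System.Net.IPAddress]::Parse(($l.LocalAddress -replace '%.*$', ''))
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $l.LocalAddress
            Loopback     = [System.Net.IPAddress]::IsLoopback($ip)
            ProcessId    = $l.OwningProcess
            ProcessName  = $proc.ProcessName
        }
    }
    $results | Format-Table -AutoSize | Out-Host

    # 0.0.0.0, :: or a LAN address means the port is bound beyond loopback.
    $exposed = @($results | Where-Object { -not $_.Loopback })
    if ($exposed.Count -gt 0) {
        Write-Warning "Port $Port is bound to non-loopback address(es): $($exposed.LocalAddress -join ', ')"
        return $false
    }
    return $true
}

Test-LoopbackOnly -Port 3000
```

A result of `$true` means every listener on the port is bound to a loopback address. A listener on `0.0.0.0` or `::` is bound to all interfaces, so whether other machines can reach it then depends on Windows Firewall rules.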

Is TradingForge a scam?

TradingForge is a legitimate, verifiable software product. Here is what you can confirm independently before purchasing:

  • Source code is public. The full application source code is available on GitHub at github.com/theshabobo/TradingForge for anyone to inspect.
  • Payment is processed by Stripe. Stripe is one of the world's largest and most trusted payment processors. TradingForge does not handle your card details.
  • Self-hosted software. TradingForge runs entirely on your machine. There are no servers that TradingForge could use to access your account, view your funds, or interfere with your trading — everything happens locally.
  • Contact is available. The support email is tfcontact@tradingforge.net for any questions or concerns before or after purchase.