
How to Protect Your Binance API Key? Which Permissions Are the Most Critical?

The Binance API Key is a key pair consisting of a 64-bit public key and a 64-bit secret key, used in automated scenarios such as quantitative strategies, cross-exchange arbitrage, and market-data subscription. The core principles of protection are minimizing permissions, mandatory IP whitelisting, and never storing keys in plaintext. New users can log in to the Binance Official Website and find the "API Management" entry under the account menu; mobile users can create a key via "More - API Management" in the Binance Official APP. For first-time use on a new iOS device, refer to the iOS Installation Tutorial to complete device activation. Direct answer: the most critical permission is the Withdraw permission. 99% of individual users do not need to check it. Keeping only Read and Trade, combined with an IP whitelist, reduces the loss after an API key is stolen to near zero.

I. Composition and Signature Mechanism of API Key

Step 1: Understand the Key Pair

Each API Key consists of a pair of Base64 strings: the public key is sent in the request header to identify the account, and the secret key stays on the local machine and is used to generate a signature. The Binance server stores only the public key and its permissions, never the secret key. A forgotten secret key therefore cannot be recovered; you can only create a new key.

Step 2: HMAC-SHA256 Signature

Every call to a private endpoint requires the client to sort the request parameters in lexicographical order, concatenate them into a querystring, and compute HMAC-SHA256 over that string using the secret key as the HMAC key, producing a 64-character hex signature. The server recomputes the signature the same way and grants access only if the two match. The secret key itself therefore never travels over the network.

Step 3: Time Window

Requests must carry a timestamp parameter. By default the server tolerates a 5000 ms deviation, which can be adjusted up to 60000 ms. A window that is too wide widens the opportunity for replay attacks, so keep the default value and synchronize the local clock with NTP.
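As an added example (not code from this page or from Binance), the signing flow of Steps 1 to 3 in Python: the client sorts the parameters, appends the timestamp and recvWindow (the Binance parameter name for the allowed deviation; the page does not name it), signs with HMAC-SHA256, and a server-side check recomputes the signature in constant time and enforces the window. The demo key pair, the 1000 ms future-skew tolerance and the function names are assumptions of this example.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import urlencode

# Constructed demo key pair, NOT a real Binance key: 64 characters each,
# matching the key length described in the article.
DEMO_API_KEY = "a" * 64
DEMO_SECRET = "b" * 64

DEFAULT_RECV_WINDOW_MS = 5000   # default deviation from the article
MAX_RECV_WINDOW_MS = 60000      # upper limit named in the article
FUTURE_SKEW_MS = 1000           # assumption: small tolerance for clock skew


def build_query(params: dict) -> str:
    """Sort parameters lexicographically and encode them as a querystring."""
    return urlencode(sorted(params.items()))


def sign(params: dict, secret: str) -> str:
    """HMAC-SHA256 over the sorted querystring, keyed with the secret (64 hex chars)."""
    query = build_query(params)
    return hmac.new(secret.encode(), query.encode(), hashlib.sha256).hexdigest()


def prepare_signed_request(params: dict, secret: str, now_ms: Optional[int] = None,
                           recv_window_ms: int = DEFAULT_RECV_WINDOW_MS) -> dict:
    """Client side: add timestamp and recvWindow, then attach the signature.
    The public key goes in a header (not shown); the secret never leaves this function."""
    if not 0 < recv_window_ms <= MAX_RECV_WINDOW_MS:
        raise ValueError("recvWindow must be between 1 and 60000 ms")
    signed = dict(params)
    signed["timestamp"] = int(time.time() * 1000) if now_ms is None else now_ms
    signed["recvWindow"] = recv_window_ms
    signed["signature"] = sign(signed, secret)
    return signed


def verify_request(request: dict, secret: str, server_now_ms: int) -> Tuple[bool, str]:
    """Server side: recompute the signature and enforce the time window.
    Returns (accepted, reason)."""
    request = dict(request)
    presented = request.pop("signature", None)
    if presented is None:
        return False, "missing signature"
    expected = sign(request, secret)
    # Constant-time comparison so response timing does not leak the valid signature.
    if not hmac.compare_digest(presented, expected):
        return False, "bad signature"
    window = int(request.get("recvWindow", DEFAULT_RECV_WINDOW_MS))
    ts = int(request["timestamp"])
    if ts > server_now_ms + FUTURE_SKEW_MS:
        return False, "timestamp in the future"
    if server_now_ms - ts > window:
        return False, "timestamp outside recvWindow (possible replay)"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000_000
    req = prepare_signed_request({"symbol": "BTCUSDT", "side": "BUY"}, DEMO_SECRET, now_ms=now)
    print("query :", build_query({k: v for k, v in req.items() if k != "signature"}))
    print("sig   :", req["signature"])
    print("fresh :", verify_request(req, DEMO_SECRET, now + 3000))
    print("replay:", verify_request(req, DEMO_SECRET, now + 20_000))
```

The replay case shows why the article recommends keeping the default window: the same captured request is rejected once the server clock has moved past recvWindow, and a wider window only lengthens the time during which a captured request can be resent.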

II. Differences Between Three Types of Permissions and Suggested Enabling Strategies

Binance API permissions are divided into three levels of increasing risk, and users should check only those they need:

  • Read (Read-Only): Can query account assets, historical transactions, and current orders. Even if leaked, the result is only an information leak, not a loss of funds. Almost all bots, dashboards, and tax software need only this one.
  • Trade: Can place orders, cancel orders, and convert spot to futures. After a leak, an attacker can use the account to pump-and-dump in favour of an account they control, causing indirect losses, but the funds remain within the exchange.
  • Withdraw: Can withdraw assets directly to an on-chain address. Once leaked, the account can be drained in seconds. Enabling it in ordinary quantitative scripts is strongly discouraged.

Additionally, there are two finer-grained switches: Universal Transfer controls internal transfers from spot to futures, and Margin controls leveraged accounts. If you only run spot strategies, both can stay off, which is the default.

The path to create an API Key is: Account Center → API Management → Create API → Enter Key Name (e.g., "grid-bot-btc") → Check Permissions → Enter IP Whitelist → Email and 2FA Double Verification. After creation, the secret key is displayed only once, so save it to an offline password manager immediately.

III. IP Whitelisting and Key Rotation Strategy

The following table provides recommended configurations for different types of users:

| User Type | Read | Trade | Withdraw | IP Whitelist | Rotation Cycle |
| --- | --- | --- | --- | --- | --- |
| Pure Dashboard User | On | Off | Off | Mandatory, 1 entry | 180 days |
| Grid Bot | On | On | Off | Mandatory, 1 entry | 90 days |
| Market Maker | On | On | Off | Mandatory, 1-3 entries | 60 days |
| Cross-exchange Arbitrage | On | On | Off | Mandatory, 2 entries | 60 days |
| Enterprise Custody Settlement | On | On | Optional | Mandatory, 1 entry + multi-person approval | 30 days |
| One-time Script | On | On | Off | Mandatory, 1 entry | Delete immediately after use |

Key point: for API Keys without an IP whitelist, asset losses are almost irreparable once the key leaks. Even if only the Trade permission is checked, an attacker can shrink the account's assets through wash trading. With an IP whitelist enabled, the Binance server verifies the source IP of every request and accepts only addresses on the list.

Key rotation exists so that even if a key leaks unnoticed at some point (e.g., mistakenly committed to GitHub, or copied into a backed-up log file), it expires after at most 90 days and the attacker cannot use it long-term. When rotating, create the new key first, update all scripts, and then delete the old key, keeping the interval in which two valid keys coexist as short as possible.
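Added example, not part of the original article: a small policy check in Python that applies the table above and the whitelist and rotation guidance to a list of key records, flagging Withdraw permission where the table does not allow it, missing or oversized whitelists, and overdue rotation. The record structure, the user-type identifiers, the function names and the sample keys (with IPs from the 203.0.113.0/24 documentation range) are constructed for this example; the rotation cycles and whitelist entry counts come from the table.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Iterable, List

# Rotation cycles (days) and whitelist entry counts taken from the table above.
# "one_time" keys have no cycle: the table says to delete them right after use.
ROTATION_DAYS = {"dashboard": 180, "grid_bot": 90, "market_maker": 60,
                 "arbitrage": 60, "enterprise_custody": 30, "one_time": 0}
MAX_WHITELIST_ENTRIES = {"dashboard": 1, "grid_bot": 1, "market_maker": 3,
                         "arbitrage": 2, "enterprise_custody": 1, "one_time": 1}


@dataclass
class ApiKeyRecord:
    """Constructed record shape for this example, not Binance's own data model."""
    name: str
    user_type: str
    read: bool
    trade: bool
    withdraw: bool
    ip_whitelist: List[str] = field(default_factory=list)
    created: date = date(2000, 1, 1)
    multi_person_approval: bool = False


def audit_key(key: ApiKeyRecord, today: date) -> List[str]:
    """Return a list of findings for one key; an empty list means it matches the table."""
    findings: List[str] = []
    limit = MAX_WHITELIST_ENTRIES[key.user_type]
    if not key.ip_whitelist:
        findings.append("no IP whitelist: a leaked key is usable from any IP")
    elif len(key.ip_whitelist) > limit:
        findings.append(f"whitelist has {len(key.ip_whitelist)} entries, table allows {limit}")
    if key.withdraw:
        if key.user_type != "enterprise_custody":
            findings.append("Withdraw enabled: not needed for this user type, assets can be drained in seconds")
        elif not key.multi_person_approval:
            findings.append("Withdraw enabled without multi-person approval")
    if key.trade and key.user_type == "dashboard":
        findings.append("Trade enabled on a pure dashboard key; Read alone is enough")
    cycle = ROTATION_DAYS[key.user_type]
    age_days = (today - key.created).days
    if cycle == 0:
        findings.append("one-time script key still exists: delete immediately after use")
    elif age_days > cycle:
        findings.append(f"rotation overdue: key is {age_days} days old, cycle is {cycle} days")
    return findings


def audit_all(keys: Iterable[ApiKeyRecord], today: date) -> Dict[str, List[str]]:
    """Map key name to findings, keeping only keys with at least one finding."""
    report: Dict[str, List[str]] = {}
    for key in keys:
        findings = audit_key(key, today)
        if findings:
            report[key.name] = findings
    return report


if __name__ == "__main__":
    today = date(2024, 6, 1)
    keys = [
        ApiKeyRecord("grid-bot-btc", "grid_bot", True, True, False, ["203.0.113.10"], date(2024, 4, 1)),
        ApiKeyRecord("legacy-bot", "grid_bot", True, True, True, [], date(2023, 1, 1)),
        ApiKeyRecord("migrate-once", "one_time", True, True, False, ["203.0.113.30"], date(2024, 5, 31)),
    ]
    for name, findings in audit_all(keys, today).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running the check on a schedule (for instance from the same host that holds the keys) turns the table into something enforceable: a key that drifts out of policy shows up as a finding before it shows up as a loss.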

IV. Typical Scenarios and Risk Examples

Scenario 1: A quantitative novice mistakenly commits code to a public repository. GitHub's secret scanning bot may find the plaintext key within minutes, and an attacker will then take over the account with automated scripts. Correct practice: put the secret key into environment variables or a .env file, and exclude that file in .gitignore.
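Added example for Scenario 1 (not code from this page or from GitHub): loading the secret from an environment variable and refusing to start without it, a pre-commit-style scan that flags 64-character key literals assigned in source text while masking them in its own output, and a check that .gitignore actually covers the .env file. The regular expression, the function names and the constructed sample source are assumptions of this example, not GitHub's secret-scanning rules.

```python
import fnmatch
import os
import re
from typing import List, Mapping, Optional, Tuple

# Assumption of this example: a key literal is 64 alphanumeric characters assigned
# to a variable whose name looks like a key. A simple heuristic, not GitHub's rule.
KEY_LITERAL = re.compile(
    r"""(?i)\b(api[_-]?key|secret[_-]?key|secret|key)\b\s*[:=]\s*['"]([A-Za-z0-9]{64})['"]"""
)

# Constructed sample source: line 3 embeds a placeholder 64-character "secret".
SAMPLE_SOURCE = """\
import os
API_KEY = os.environ["BINANCE_API_KEY"]  # read from the environment: fine
SECRET_KEY = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz012345678901"  # hardcoded: bad
"""


def load_secret(env: Optional[Mapping[str, str]] = None,
                var: str = "BINANCE_SECRET_KEY") -> str:
    """Read the secret from the environment (a .env file should be exported into it,
    never imported as code) and refuse to start with a missing or malformed value."""
    source = os.environ if env is None else env
    value = source.get(var, "").strip()
    if not value:
        raise RuntimeError(f"{var} is not set; export it or put it in an ignored .env file")
    if len(value) != 64:
        raise RuntimeError(f"{var} should be 64 characters, got {len(value)}")
    return value


def mask(literal: str) -> str:
    """Show only the ends of a suspected key so the scan report does not leak it."""
    return literal[:4] + "..." + literal[-4:]


def find_hardcoded_keys(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, variable name, masked literal) for each suspected key."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_LITERAL.finditer(line):
            hits.append((lineno, m.group(1), mask(m.group(2))))
    return hits


def gitignore_covers(gitignore_text: str, filename: str = ".env") -> bool:
    """True if some non-comment pattern in .gitignore matches the given filename."""
    for raw in gitignore_text.splitlines():
        pattern = raw.strip()
        if not pattern or pattern.startswith("#"):
            continue
        if fnmatch.fnmatch(filename, pattern.lstrip("/")):
            return True
    return False


if __name__ == "__main__":
    for lineno, name, masked in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} = {masked}  <- move this into the environment")
    print(".gitignore covers .env:", gitignore_covers(".env\n__pycache__/\n"))
```

Wiring find_hardcoded_keys into a pre-commit hook catches the mistake on the developer's machine, before the push that would expose the key to every scanner watching public repositories.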

Scenario 2: A cloud server is compromised. A key without an IP whitelist is read straight out of the server's configuration file and can then be used from any IP in the world to place trades. With an IP whitelist enabled, requests from non-whitelisted IPs are rejected even if the key has leaked.

Scenario 3: Phishing pages. Some third-party trading platforms ask users to paste an API Key for access. If the other party forges such an interface and sends the input to their own server, your key is recorded. Never paste a secret key into an unfamiliar third-party site; any compliant tool supports OAuth or the exchange's official authorization flow.

Scenario 4: Insider leakage. In enterprise custody scenarios, several people may need to operate the account. Use sub-accounts with independent API Keys to isolate permissions, and enable access log auditing. When an employee leaves or changes role, revoke the corresponding key immediately.

Risk Summary: Once a 64-bit secret key leaves the local machine, treat it as leaked. Any screen recording, cloud sync, or chat screenshot can expose it by accident. When storing keys, watch both electronic and physical leakage paths.

V. Frequently Asked Questions (FAQ)

Q: Can multiple programs share an API Key at the same time? A: Technically yes, but it is not recommended. A shared key makes logs hard to attribute. Create a separate key for each strategy and each machine so that abnormal behavior can be traced to its source.

Q: Can the IP whitelist only contain static IPs? A: Yes, it must be a public static IP. If you use home broadband with a dynamic IP, use a VPS or DDNS to fix the egress address. Generally, an IP whitelist supports up to 20 entries, which can cover servers in multiple locations.

Q: What if I forget the secret key? A: The secret key is only displayed once when created and cannot be retrieved. You can only delete the old key and recreate it, and all original scripts need to update the configuration. This is the fundamental difference from ordinary passwords.

Q: What is the default validity period of an API Key? A: Default is unlimited, but Binance will prompt users to manually extend it if there is no activity within 90 days. It is recommended to actively rotate every 90 days instead of relying on automatic expiration.

Q: What should be done first after an API Key is leaked? A: Immediately log in to the account's API Management page and delete the key, enable whitelisting so that all withdrawals are blocked, reset the login password and 2FA, check the recent transaction history for abnormal orders, and submit a customer service appeal if necessary.