How to Use an API Key Securely: 5 Tips From Binance
Application Programming Interface (API) keys can be used to grant certain programs convenient access to user data.
However, API keys can be compromised if not managed properly. Learning how to use your API keys safely is essential to prevent your assets from being compromised.
Binance now supports RSA API key pairs for increased security. Find out how to generate and use them.
API keys enable users to access their data conveniently. From RSA key pairs to IP key whitelists, learn five tips from Binance to keep your API keys safe.
Application Programming Interface (API) keys are an efficient way to grant certain programs access to user data, allowing them to act on behalf of the user. However, API keys can bring vulnerabilities if not stored and used properly. For instance, malicious actors who steal or phish the API keys of their victims could potentially get access to their funds. Learn to keep your assets safe with our five API key security tips.
1. Do Not Share Your Key With Others
Your API key's secret key (HMAC) and private key (RSA) are highly sensitive data. It’s strongly suggested that you do not disclose this information. With it, anyone can initiate an API request on your behalf without being detected by our risk monitoring system.
You should also frequently check the active API keys on your account via the API management page. If you suspect that the security of any API key is compromised, don’t hesitate to delete it and replace it with a new one. It’s also a good idea to frequently delete old API keys and replace them with new ones, similar to how some systems require passwords to be changed every 30-90 days – regardless of whether you actively use them or not.
2. Be Diligent in Access Management
API keys are useful tools for automated trading, position and risk monitoring, and taxes. Hence, it may be tempting to enable all permissions for a single API key to use it for multiple purposes, such as API trading and data queries. However, this reduces the security of the key – if your API key gets compromised, a hacker could obtain full access to your account and funds.
It’s safer to use an API key for a single application and enable permissions required for that purpose only. For instance, if you want to monitor trading risk, report taxes, and execute API Spot and Futures trading, you should create at least four keys, each for one of the following purposes:
Tax data query
Trading data query (read-only permission)
On Binance, you can create up to 30 API keys for each sub-account.
3. Store Your API Key Data Securely
As mentioned, if your API keys fall into the hands of a bad actor, your assets may be compromised. Just like how you would protect your private keys, do not store your API details in plain text. Instead, encrypt it or use a trusted secrets manager. You should also avoid using a cloud-based solution to keep your API keys, as they may be vulnerable to hacks.
It’s also recommended to avoid storing your API key inside your application’s source code or repository.
Consider storing your API key data in files or environment variables outside the third-party management system that you are using to avoid sharing your private information with them.
Since RSA private keys support password protection, users who are using RSA keys should add a password to any RSA private key they have.
4. Use an IP Whitelist
Binance highly recommends users to use an IP whitelist on all of their API keys, regardless of the permissions or purposes of the API keys. With an IP whitelist, your API keys can only be accessed from specific IP addresses. This prevents bad actors from using your API keys in the event that they get compromised. Therefore, you should whitelist all the IP addresses with which you use your API keys.
Be aware of scams
Although an API key cannot be used to initiate withdrawal requests without IP whitelisting, you need to protect your API keys. If a hacker gets access to your keys, they could use assets with a relatively small trading volume to pair trade and slowly siphon assets from your wallet. By executing buys of unwanted assets from the hacker’s account and trading it with your blue chip assets (BTC, BNB, BUSD, etc.), you will eventually be left with altcoins you never intended to buy. In other words, the hacker can use your API keys to trade your assets against their assets in a market that has relatively low liquidity..
To prevent such scams, Binance implemented an auto API key deletion policy in December 2022. If your API key is not IP whitelisted and inactive for 30 days, it will be deleted. To avoid automatic deletion, you should create your IP whitelist.
5. Use RSA Key Pairs
An RSA (Rivest-Shamir-Adleman) key pair is a mechanism that uses public and private keys to secure data transmission.
With an RSA key pair, the private key used to create signatures doesn’t need to be shared. This means that as long as the private key is kept secret and secure, no one else can initiate an authentic request on your behalf.
Binance Now Supports RSA API Keys
Binance now supports RSA API keys. You can now create RSA public and private key pairs, register the public key on Binance, and use the corresponding private key to create signed API requests.
How to create an RSA key pair on Binance?
Download the latest version of the official RSA Keys Generator.
Launch the application. You can generate, copy, or save keys. You can also adjust your key size.
To register your RSA key via the Binance App, go to [Profile] - [API Management] - [Create API] - [Self-generated API key].
Copy the public key from the RSA Key generator and paste it into the box to register.
Enter a name for your API key, click [Next], and complete the 2FA to complete registration.
For more details, please refer to our guide on How to Generate an RSA Key Pair to Send API Requests on Binance.
(Announcement) Binance Now Supports RSA API Keys (2022-12-29)
(Blog) How to Identify and Avoid Common Crypto Imposter Scams
(Blog) Fraudulent Recovery Services: How Not to Fall for a Scam Twice
(Blog) Scammers Created an AI Hologram of Me to Scam Unsuspecting Projects