Main Takeaways
Application program interface (API) keys can give certain programs convenient access to user data.
If API keys are not managed correctly, they can be compromised. To protect their assets, users need to use their API keys securely.
Binance now supports RSA API key pairs for increased security. In this article we will take a detailed look at how to create and use them.
API keys are required to access data. Learn 5 Binance tips for protecting your API keys in a variety of ways, from RSA key pairs to whitelists.
Application programming interface (API) keys can be used to grant specific programs access to a user's data and allow them to perform actions on the user's behalf. However, if stored and used incorrectly, API keys become vulnerable to attacks. If they are stolen or tampered with by attackers, they will be able to gain access to user funds. Keep your assets safe with Binance's five tips for protecting your API keys.
1. Do not share your key with third parties
The secret key (HMAC) and the private key (RSA) of your API key are confidential information. We strongly recommend that you do not disclose them to anyone. With this data, anyone can initiate an API request on your behalf without even being detected by the risk monitoring system.
Additionally, be sure to check your active API keys on the API management page. If you suspect that the security of your API key has been compromised, immediately delete it and replace it with a new one. It's worth removing old API keys from time to time and replacing them with new ones, just as some platforms require you to change passwords every 30-90 days regardless of frequency of use.
2. Manage access carefully
API keys are useful tools for automated trading, position and risk monitoring, and tax reporting. Therefore, it may be tempting to enable all permissions for one API key and use it for multiple purposes—for example, API trading and data querying. However, this seriously weakens the security of the key: if it is compromised, the hacker will have full access to the account and funds.
We recommend that you use each API key for a single task and enable only the necessary permissions. For example, if you want to track trading risks, generate tax reports, and trade spot and futures via API, create at least four keys, one for each task:
Spot trading
Futures trading
Request tax information
Query trade details (read-only permission)
On Binance, you can create up to 30 API keys per subaccount.
3. Store your API key data securely
As mentioned above, if API keys fall into the hands of an attacker, they can steal your assets. Like private keys, API data must be kept secure. Use encryption software or a reliable confidential data management service. Avoid cloud-based API key storage solutions as they may be vulnerable to hacking.
Additionally, it is not recommended to store the API key in your application's source code or storage.
Instead, API key data can be stored in files or environment variables outside of your third-party management system to help protect sensitive information.
Since RSA private keys support password protection, it is best to add a password to each private key.
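One way to check the storage advice in this section, as an added example that is not from the original article or from Binance. The function names `audit_key_file` and `make_samples` are hypothetical, and the sample files are constructed placeholders that contain only PEM header lines, not key material.

```bash
#!/bin/sh
# Added example. audit_key_file PATH prints one line per finding and
# returns the number of findings (0 = stored as the section recommends).
audit_key_file() {
  f=$1; findings=0
  # Passphrase: encrypted PEM keys announce it in the header.
  if ! grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$f"; then
    echo "UNENCRYPTED $f"; findings=$((findings + 1))
  fi
  # Permissions: characters 5-10 of the mode string are group and other.
  perms=$(ls -ld "$f" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "SHARED_PERMS $f ($perms)"; findings=$((findings + 1))
  fi
  # Location: walk up from the file looking for a repository root.
  dir=$(cd "$(dirname "$f")" && pwd)
  while [ -n "$dir" ] && [ "$dir" != "/" ]; do
    if [ -e "$dir/.git" ]; then
      echo "IN_REPO $f ($dir)"; findings=$((findings + 1)); break
    fi
    dir=$(dirname "$dir")
  done
  return "$findings"
}

make_samples() {   # $1 = scratch dir; files are constructed placeholders, not keys
  mkdir -p "$1/project/.git" "$1/secrets"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder' \
    '-----END PRIVATE KEY-----' > "$1/project/api.pem"
  chmod 644 "$1/project/api.pem"
  printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'placeholder' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$1/secrets/api.pem"
  chmod 600 "$1/secrets/api.pem"
}

scratch=$(mktemp -d)
make_samples "$scratch"
audit_key_file "$scratch/project/api.pem" || echo "=> $? finding(s)"
audit_key_file "$scratch/secrets/api.pem" && echo "=> no findings"
rm -rf "$scratch"
```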
4. Use an IP whitelist
Binance strongly recommends that users use an IP whitelist for all API keys, regardless of their permissions and purpose. An IP whitelist restricts access to your API keys so that only authorized IP addresses can connect to them. This will prevent attackers from using your API keys even if they are compromised. Be sure to whitelist IP addresses that will be approved to access your API keys.
Beware of scammers
While hackers will not be able to withdraw funds via an API key without whitelisting the IP address, it is critical to ensure that API keys are protected. After all, if an attacker gains access to them, he will be able to use small amounts for pairs trading and gradually withdraw assets from your wallet. The hacker will sell you unwanted assets in exchange for your blue chips (BTC, BNB, BUSD, etc.) and end up leaving you with altcoins that you did not intend to purchase. In other words, the attacker can use API keys to exchange your profitable assets for his own low-liquidity assets.
To prevent such fraud, Binance implemented an automatic API key deletion policy in December 2022. If your API key is not IP whitelisted and is inactive for 30 days, it will be deleted. To avoid automatic deletion, create a whitelist of IP addresses.
5. Use RSA key pairs
An RSA (Rivest-Shamir-Adleman) key pair is a mechanism that uses a public key and a private key to secure data transmission.
When using an RSA key pair, the private key needed to create signatures remains confidential. That is, as long as the private key is kept secret, no one else will be able to initiate an authentic request on your behalf.
Binance Adds Support for RSA API Keys
Binance has added support for RSA API keys. You can now create RSA public and private key pairs, register the public key on Binance, and use the corresponding private key to create and sign API requests.
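The mechanism described above, together with the earlier advice to put a password on each private key, as an added example that is not Binance's code or the key generator mentioned in this article. It assumes the OpenSSL command line, a 2048-bit key, SHA-256 with PKCS#1 v1.5 padding and base64 signatures; the function names, passphrase and request payloads are constructed for illustration.

```bash
#!/bin/sh
# Added example (not Binance tooling). Assumed: OpenSSL CLI, 2048-bit RSA,
# SHA-256 with PKCS#1 v1.5 padding, base64 signatures, constructed payloads.
# The passphrase is read from $KEY_PASSPHRASE so it never appears in a command line.

make_keypair() {    # $1 = directory to write private.pem and public.pem into
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -aes-256-cbc -pass env:KEY_PASSPHRASE -out "$1/private.pem" 2>/dev/null || return 1
  chmod 600 "$1/private.pem"
  # Only this public half is registered with the service.
  openssl pkey -in "$1/private.pem" -passin env:KEY_PASSPHRASE \
    -pubout -out "$1/public.pem"
}

sign_payload() {    # $1 = key directory, $2 = request payload; prints base64 signature
  printf '%s' "$2" | openssl dgst -sha256 -sign "$1/private.pem" \
    -passin env:KEY_PASSPHRASE -out "$1/sig.tmp" 2>/dev/null || return 1
  openssl base64 -A -in "$1/sig.tmp"
}

verify_payload() {  # $1 = key directory, $2 = payload, $3 = base64 signature
  # What the receiving side does: it holds public.pem only.
  printf '%s' "$3" | openssl base64 -d -A -out "$1/sig.bin" || return 1
  printf '%s' "$2" | openssl dgst -sha256 -verify "$1/public.pem" \
    -signature "$1/sig.bin" >/dev/null 2>&1
}

demo() {
  dir=$(mktemp -d) || return 1
  KEY_PASSPHRASE='constructed-demo-passphrase'   # real use: prompt or secrets manager
  export KEY_PASSPHRASE
  make_keypair "$dir" || return 1
  payload='action=read&timestamp=1700000000000'   # constructed sample request
  sig=$(sign_payload "$dir" "$payload") || return 1
  verify_payload "$dir" "$payload" "$sig" && echo "signed request: accepted"
  verify_payload "$dir" 'action=write&timestamp=1700000000000' "$sig" \
    || echo "altered request with the same signature: rejected"
  rm -rf "$dir"
}
demo
```

The signature is bound to the exact payload, and producing it requires both the private key file and its passphrase; the verifier needs neither.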
How to Create an RSA Key Pair on Binance
Download the latest version of the official RSA key generator.
Launch the application. In it you can generate, copy and save keys, as well as adjust their size.
Register your RSA key through the Binance app by going to Profile - API Management - Create API - Self-Generated API Key.
Copy the public key from the RSA key generator and paste it into the registration field.
Provide an API key name, click Next, and complete two-factor authentication to finish registration.
For more details, check out the guide How to Generate an RSA Key Pair to Send API Requests to Binance.
Additional Information
(Announcement) Binance has added support for RSA API keys (12/29/2022)
(Blog) How to Identify and Protect Against Impostor Scams
(Blog) Refund Fraud: How to Avoid Getting Scammed Twice
(Blog) How to Recognize and Avoid P2P Trading Scams
(Blog) Fraudsters created an AI hologram of me to defraud crypto projects

