guide

How to Connect Your Exchange API Key Safely (Step-by-Step)

API keys unlock automated trade syncing — but a misconfigured key can expose your funds. Learn the exact permission settings to use on every major exchange.

How to Connect Your Exchange API Key Safely (Step-by-Step) — editorial cover image
How to Connect Your Exchange API Key Safely (Step-by-Step) — EdgeLedger guide guide cover.
3 min Read time
Guide Playbook
579 API key

Why API Keys Are the Right Choice

Rather than logging into five exchange dashboards every day to export your trades, an API key lets tools like EdgeLedger automatically pull your trade history in real time. The critical detail: always use read-only permissions. A read-only key can see your trades but cannot place orders, transfer funds, or withdraw anything.

Permission Settings by Exchange

Binance

  1. Go to Account → API Management.
  2. Click Create API and give it a label like "EdgeLedger".
  3. Enable only "Enable Reading". Disable everything else — especially Enable Withdrawals and Enable Futures unless you trade futures.
  4. Restrict IP access if possible: whitelist EdgeLedger's IP range.

Bybit

  1. Go to Account → API.
  2. Select Read-Only as the API type.
  3. Permissions needed: Account and Positions. Do NOT enable Trade or Withdraw.

OKX

  1. Navigate to Profile → API.
  2. Set Passphrase, enable only Read permission.
  3. Disable trade and withdraw permissions entirely.

Kraken

  1. Go to Settings → API.
  2. Create a key with only Query Funds and Query Trades History checked.
  3. Nonce Window: leave at default.

Security Best Practices

  • Never share API keys in chat or screenshots — revoke and regenerate if exposed.
  • Set IP whitelisting if the tool provides static IPs.
  • Rotate keys every 6 months as a habit.
  • Never enable withdrawal permissions for any third-party tool.

Connecting to EdgeLedger

Once your key is created, navigate to EdgeLedger → Exchange Connections → Add Exchange. Paste your API key and secret. EdgeLedger will validate the connection and begin syncing your trade history retroactively. Ongoing trades sync automatically every few minutes.

Additional Exchanges

The same read-only principle applies on every venue, but the menu paths vary. Quick reference for the four exchanges most often missed:

  • KuCoin — API Management → Create API → enable General only. KuCoin keys require a passphrase in addition to the key/secret pair.
  • Gate.io — API Keys → Create API Key v4 → permissions: Read for Spot, Margin and Futures. Disable Wallet/Withdraw.
  • BitGet — API Management → System Generated → Read Only. BitGet requires the passphrase you set at creation time.
  • MEXC — API Management → Create API Key → Spot Account Reading + Futures Account Reading. MEXC requires IP whitelisting on new accounts.

Hardening Beyond Read-Only

Read-only is the floor, not the ceiling. Three additional steps cut your residual risk to near zero:

  • Withdrawal address whitelist — enable on every exchange that supports it, even though your read-only key cannot withdraw. A compromised separate trading key still cannot exfiltrate funds to an unknown address.
  • Hardware 2FA — replace SMS with a YubiKey or Titan key for the exchange login itself. SIM-swap attacks remain the most common way exchange accounts get drained.
  • Separate trading keys per tool — never reuse one API key across two third-party services. If one tool is breached you only revoke that one key.

What a Compromised Key Looks Like

Read-only keys cannot move funds, but they leak metadata: balances, position sizes, fills, and timestamps. If you see unfamiliar IP addresses in the exchange's API activity log, or trades you did not place appearing on the account, treat the entire account as compromised. Revoke every key, change the account password, force-logout all sessions, regenerate 2FA seeds, and audit any linked exchange or wallet that shares funding sources.

Rotation Cadence

Set a recurring calendar reminder every 90 days to rotate every exchange API key, regardless of whether anything looks wrong. The cost is five minutes per exchange. The benefit is that any leaked-but-unused key has a ceiling on its useful lifetime. EdgeLedger's connection page surfaces a "last rotated" timestamp on every key so you can spot the laggards.

API key exchange sync security Binance Bybit