How to Secure Your API Keys on Binance: 5 Tips For Protecting Your Crypto
Main Takeaways
Application programming interface (API) keys can be used to programmatically grant certain programs convenient access to the data they need – for example, supplying market data to trading bots.
However, API keys can be compromised if not managed properly. Learning how to use your API keys safely is essential to prevent your assets from being compromised.
Binance now supports two asymmetric API key pairs (Ed25519 and RSA) for increased security. Find out how to generate and use them.
API keys enable users to access their data conveniently. From asymmetric key pairs to API key whitelists, learn five tips from Binance to keep your API keys safe.
What is an API Key?
Application programming interfaces (APIs) are an efficient way to grant certain programs access to user data, allowing them to act on behalf of the user. With APIs, data can be pulled from Binance to interact with external applications as needed. However, API keys can bring vulnerabilities if not stored and used properly. For instance, malicious actors who steal or phish the API keys of their victims could potentially get access to their funds. Learn to keep your assets safe with our five API key security tips.
Five Tips For Securing Your Binance API Keys
1. Do Not Share Your API Key With Others
Your API's secret key (HMAC) and private key (Ed25519, RSA) are highly sensitive data. Never share the API keys with third parties. With your API’s secret key, anyone can initiate an API request on your behalf without being detected by our risk monitoring system.
You should also frequently check the active API keys on your account via the API management page. If you suspect that the security of any API key is compromised, change them immediately. It’s also a good idea to frequently rotate the API keys, similar to how some systems require passwords to be changed every 30-90 days – regardless of whether you actively use them or not.
2. Be Diligent in Access Management
API keys are useful for tasks like automated trading, position and risk monitoring, and tax purposes. Hence, it may be tempting to enable all permissions on a single API key and use it for multiple purposes, such as API trading and data queries. However, this reduces the security of the key – if your API key gets compromised, a hacker could obtain full access to your account and funds.
It’s safer to use an API key for a single application and enable permissions required for that purpose only. For instance, if you want to monitor trading risk, report taxes, and execute API spot and futures trading, you should create at least four keys, one for each of the following purposes:
Spot Trading
Futures Trading
Tax Data Query
Trading Data Query (read-only permission)
On Binance, you can create up to 30 API keys for each sub-account.
3. Store Your API Key Data Securely
As mentioned, if your API keys fall into the hands of a bad actor, your assets may be compromised. Just like how you would protect your private keys, do not store your API details in plain text. Instead, encrypt it or use a trusted secrets manager. You should also avoid using cloud-based solutions to keep your API keys, as they may be vulnerable to hacks.
It’s also advisable to avoid storing your API keys inside your application’s source code or repository. If you are using Github or any other SCMs, we recommend using secret scanners like gitLeaks or git-secrets to ensure that your token and other secrets used by your tooling do not persist in the repo.
Consider storing your API key data in files or environment variables outside the third-party management system that you are using to avoid sharing your private information with them. Use additional passphrase protection for the private key files.
4. Use an IP Whitelist
We strongly recommend that users utilize an IP whitelist on all of their API keys, regardless of the permissions or purposes of these keys. With an IP whitelist, your API keys can only be accessed from specific IP addresses. This prevents bad actors from using your API keys in the event that they get compromised.
Although an API key cannot be used to initiate withdrawal requests without IP whitelisting, there are other ways in which the keys can be abused. If a hacker gets access to your keys, they could use assets with a relatively small trading volume to pair trade and slowly siphon assets from your wallet. Executing buys of unwanted assets from the hacker’s account and trading it with your blue chip assets (BTC, BNB, TUSD, etc.) will eventually leave you with altcoins you never intended to buy. In other words, the hacker can use your API keys to trade your assets against their assets in a market that has relatively low liquidity.
To prevent such scams, Binance has implemented an auto API key deletion policy in. If your API key is not IP whitelisted and inactive for 30 days, it will be deleted. To avoid automatic deletion, you should create your IP whitelist.
We also recommend being diligent in the use of third-party libraries and tooling. There are malicious libraries specifically designed to exfiltrate API keys. In addition to virus and malware scanners, consider using a software composition analysis (SCA) tool and carefully review third-party libraries before including them.
5. Use Asymmetric Key Pairs
An asymmetric key pair is a mechanism that uses public and private keys to secure data transmission. With an asymmetric key pair, the private key used to create signatures doesn’t have to be shared. This means that as long as the private key is kept secret and secure, no one else can initiate an authentic request on your behalf.
Binance now supports using Ed25519 and RSA (Rivest-Shamir-Adleman) keys to create signed API requests. The Ed25519 digital signature scheme provides a high degree of security comparable to 3072-bit RSA keys while having much smaller signatures that are faster to compute.
How to Generate an API Key on Binance
You can now create Ed25519 and RSA public and private key pairs, register the public keys on Binance, and use the corresponding private key to create signed API requests.
Step-by-Step Guide to Creating an Asymmetric Key Pair
Download the latest version of our official Asymmetric Keys Generator
Launch the application. You can generate, copy, or save keys. You can also adjust your key size.
To register your public key via the Binance App, go to [Profile] -> [API Management] -> [Create API] -> [Self-generated API key].
Copy the public key from the asymmetric key generator and paste it into the box to register.
Enter a name for your API key, click [Next], and complete the 2FA to complete registration.
For more details, please refer to our guide on How to Generate an Ed25519 Key Pair to Send API Requests on Binance.
5 Common API Key Security Mistakes to Avoid
Sharing Your API Key: Never share your API keys with third parties. Doing so can allow unauthorized access to your account, leading to potential loss of funds.
Enabling Excessive Permissions: Avoid enabling all permissions on a single API key. Use separate keys for different purposes to minimize risk if one key is compromised.
Storing API Keys Insecurely: Do not store your API keys in plain text or within your application's source code. Use encryption or trusted secrets managers to keep them secure.
Not Using IP Whitelisting: Always use an IP whitelist to restrict access to your API keys from specific IP addresses, preventing unauthorized use even if the keys are compromised.
Neglecting Asymmetric Key Pairs: Utilize asymmetric key pairs (Ed25519 or RSA) for creating signed API requests, ensuring that your private key remains secure.
Final Thoughts
Securing your API keys is crucial to protecting your assets and ensuring safe interactions with external applications. By following best practices such as not sharing your API keys, managing access diligently, storing keys securely, using IP whitelists, and leveraging asymmetric key pairs, you can significantly reduce the risk of unauthorized access and potential loss of funds. Stay vigilant and proactive in managing your API keys to always keep your digital assets safe on Binance.