An API Key is the key to programmatic trading, and also hackers' favorite backdoor — many cases of "my account was hacked without my password leaking" are due to compromised API Keys. This article clarifies API Key permission systems, IP whitelisting, the principle of least privilege, and how to regularly clean up unused Keys. The management portal is in the account settings. Please log in to the Binance official website and go to the API Management page. Mobile users can also view it in the Binance official APP. Apple users, refer to the iOS Installation Guide.
What is an API Key
An API Key (Application Programming Interface Key) is a credential that allows a program to operate your account on your behalf.
An API Key consists of two parts:
- API Key (Public Key): Identifies who you are, e.g., xH3kL9...
- Secret Key (Private Key): Used to sign requests; absolutely must not be leaked.
With these two + corresponding permissions, any program can operate your Binance account just like you do — check assets, place orders, withdraw funds, etc.
When Do You Need an API Key
Scenario 1: Quantitative Trading
Writing a trading bot in Python, Node.js, or similar languages to place orders automatically via API. This requires Read Account + Spot Trading + Futures Trading permissions.
Scenario 2: Trading Signal Syncing
Copying positions from one exchange to another. This requires Read Positions + Trade permissions.
Scenario 3: Asset Tracking
Connecting to asset management tools like CoinGecko or CoinStats to automatically update your portfolio. This only requires Read-Only permission.
Scenario 4: Tax Software
Tax calculation tools like Koinly or Cointracker need to read your historical transactions. This only requires Read-Only permission.
If you do not have any of these needs → Do NOT create an API Key. The mere existence of an API Key is a potential risk.
API Key Permission Types
Binance's API Keys support granular permissions, and you can select multiple:
1. Read (Default)
- Can: View account info, query orders, download history.
- Cannot: Trade, withdraw, transfer.
- Security Level: Highest.
2. Spot & Margin Trading
- Can: Place orders, cancel orders, query orders.
- Cannot: Withdraw.
- Security Level: Medium (you can only lose your trading assets).
3. Futures Trading
- Can: Place futures orders, open/close positions, adjust leverage.
- Cannot: Withdraw.
- Security Level: Medium-Low (high leverage means fast losses).
4. Transfers
- Can: Transfer assets between your sub-accounts and between different wallets (Spot/Futures/Earn).
- Cannot: Withdraw out to on-chain addresses.
- Security Level: Medium.
5. Withdrawals
- Can: Withdraw to any address (default) or only to whitelisted addresses.
- Off by default when creating a new Key; it must be manually enabled, and it is strongly recommended NEVER to turn it on.
- Security Level: Lowest.
Principle of Least Privilege
The fewer permissions an API Key has, the safer your account is.
Read-Only Scenarios
Only check "Read". Even if the Key is leaked, attackers can only look, not touch. Tax tools and asset trackers use this.
Trade Only, No Withdrawal Scenarios
Check "Read + Spot Trading + Futures Trading", absolutely do not check "Withdraw". This is standard for quantitative trading. Even if the Key is stolen, the hacker can at most place random orders in your account but cannot take the coins.
Cross-Platform Copying Scenarios
Check "Read + Trade". Do not enable transfers and withdrawals.
In short: Don't enable it if you can avoid it; enable as little as possible.
IP Whitelisting: The Strongest Defense Line
IP whitelisting restricts an API Key to only be callable from specified IP addresses. Even if other IPs obtain the Key, they cannot use it.
How to Set Up IP Whitelisting
- When creating an API Key → Check "Restrict access to trusted IPs only".
- Enter the allowed IP addresses (can be multiple, separated by commas).
- Save.
How to Find Your IP
- Running locally: Visit whatismyipaddress.com to check your public IP.
- Running on a cloud server: View the instance's public IP in the cloud provider panel.
- Dynamic IP: Cannot use IP whitelisting (you need a static IP or a VPS).
The Power of IP Whitelisting
Even if an attacker gets your complete Key and Secret, they cannot call it from their own computer, because their IP is not in the whitelist. This is the ultimate solution against API leakage.
Limitations of IP Whitelisting
- Only supports IPv4 (IPv6 might be unstable).
- If the IP changes, the whitelist must be updated manually.
- Home dynamic IPs are not suitable.
Steps to Create an API Key
Step 1: Enter API Management
- Log in to binance.com.
- Click avatar in the top right → "API Management".
- Click "Create API".
Step 2: Select Type
- System generated (Recommended): The system automatically generates a Key pair.
- Self-generated (Advanced): Upload the public key using your own generated public/private key pair.
Step 3: Enter a Label Name
Give the API a meaningful name, for example:
- QuantBot-BTC
- Koinly-Tax
- CopyTrade-Bitget
The label name helps you identify its purpose during later cleanups.
Step 4: Complete Identity Verification
- Email verification code.
- Phone verification code (if bound).
- Google Authenticator 6-digit code.
Step 5: Set Permissions
Check according to the principle of least privilege, don't check a single extra one.
Step 6: Set IP Whitelist
Strongly recommended to check. Enter your server IP.
Step 7: Save and Record the Secret
The Secret is only displayed once upon creation. Immediately copy and save it in a secure place (Do not screenshot, do not email, do not save to cloud drives). Once you close the page, you will never see it again.
Regularly Cleaning Up Unused API Keys
Why You Need to Clean Up
- Every Key is a potential attack surface.
- You might forget where a certain Key is still running.
- Old Keys might have excessively broad permissions.
Cleanup Recommendations
- Check your API Key list once a month.
- If unused for over 30 days → Delete.
- If you can't identify its purpose → Delete.
- If permissions are too broad → Delete and recreate.
How to Delete
- "API Management" → Find the Key to delete.
- Click "Delete".
- Complete identity verification.
- Confirm.
- Takes effect immediately, and all programs using that Key instantly lose access.
Batch Deletion
You can only delete one at a time; there is no batch deletion function. But you can "Disable" Keys first and delete them one by one later.
Signs of a Stolen API Key
Sign 1: Abnormal Orders
- Orders appear in your history that you didn't place.
- Especially buy orders for small-cap coins (a common money laundering technique).
- High-frequency small orders (typical of API-driven trading).
Sign 2: Abnormal Fund Transfers
- Sudden large transfers between Spot and Futures.
- Abnormal transfers between sub-accounts.
Sign 3: Abnormal IPs in API Logs
- "API Management" → View recent calling IPs.
- If you find an unfamiliar IP → You're hacked.
Sign 4: API Permissions Modified
- You only checked "Read", but find it's changed to "Read + Trade".
- Someone altered your Key.
If you spot any of these signs → Immediately delete ALL API Keys and check your account.
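To make the monthly cleanup rules and the stolen-Key signs above repeatable, here is an added Python audit script (not code from the article or from Binance) that checks a Key inventory transcribed by hand from the API Management page. The Key records, permission names, server IP and dates are constructed sample values.

```python
from datetime import date

# Constructed inventory, copied by hand from the API Management page (Binance has
# no endpoint that lists a main account's keys); the IPs are documentation ranges.
MY_SERVER_IPS = {"203.0.113.10"}   # hosts that legitimately call the API
UNUSED_DAYS = 30                   # the article's cleanup threshold
TODAY = date(2024, 7, 1)

KEYS = [
    {"label": "QuantBot-BTC", "intended": {"read", "spot", "futures"},
     "perms": {"read", "spot", "futures"}, "ip_whitelist": ["203.0.113.10"],
     "last_used": date(2024, 6, 28), "recent_ips": ["203.0.113.10"]},
    {"label": "Koinly-Tax", "intended": {"read"}, "perms": {"read", "spot"},
     "ip_whitelist": [], "last_used": date(2024, 6, 20),
     "recent_ips": ["203.0.113.10", "198.51.100.7"]},
    {"label": "", "intended": {"read", "spot", "withdraw"},
     "perms": {"read", "spot", "withdraw"}, "ip_whitelist": [],
     "last_used": date(2024, 3, 1), "recent_ips": []},
]

def audit_key(key, today=TODAY, known_ips=MY_SERVER_IPS):
    """Findings for one key, most urgent first; an empty list means it is clean."""
    findings = []
    # Sign 4: the permissions no longer match what you set -> the key was altered
    if key["perms"] != key["intended"]:
        findings.append("ALERT: permissions changed to %s" % sorted(key["perms"]))
    # Sign 3: a recent calling IP that is not one of your own hosts
    for ip in key["recent_ips"]:
        if ip not in known_ips:
            findings.append("ALERT: call from unfamiliar IP %s" % ip)
    # Least privilege: withdrawal must never be on
    if "withdraw" in key["perms"]:
        findings.append("DELETE: withdrawal permission enabled")
    # Monthly cleanup rules: unidentifiable label, unused >30 days, no IP whitelist
    if not key["label"].strip():
        findings.append("DELETE: purpose cannot be identified from the label")
    if key["last_used"] is None or (today - key["last_used"]).days > UNUSED_DAYS:
        findings.append("DELETE: unused for more than %d days" % UNUSED_DAYS)
    if not key["ip_whitelist"]:
        findings.append("FIX: no IP whitelist, the key works from any IP")
    return findings

def audit_all(keys=KEYS, today=TODAY):
    """Label -> findings. Any ALERT means: delete every key and review the account."""
    return {k["label"] or "<unlabelled>": audit_key(k, today) for k in keys}

if __name__ == "__main__":
    for label, findings in audit_all().items():
        print(label, findings or ["ok"])
```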
Common Causes of API Key Leaks
Cause 1: Code Uploaded to GitHub
Hardcoded in the source code, then committed and pushed to GitHub. GitHub crawlers will find it in minutes, and your account is drained seconds later.
Protection: Always use environment variables or config files (add to .gitignore), never hardcode.
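As an added example (not code from the article), here is how the Secret described earlier is used to sign a Binance request while the credentials are read only from environment variables, never from the source tree. Binance's HMAC-SHA256 query signing and the X-MBX-APIKEY header are the real scheme; the variable names BINANCE_API_KEY and BINANCE_API_SECRET are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
import time
from urllib.parse import urlencode

# Credentials come from the environment only (systemd unit, docker --env-file, or a
# .env file listed in .gitignore), never from the source tree. The variable names
# BINANCE_API_KEY / BINANCE_API_SECRET are chosen for this example.
def load_credentials(env=os.environ):
    try:
        return env["BINANCE_API_KEY"], env["BINANCE_API_SECRET"]
    except KeyError as missing:
        raise RuntimeError("set %s in the environment, not in code" % missing) from None

def sign_query(params, secret):
    """Binance signing: HMAC-SHA256 over the URL-encoded query string, hex digest
    appended as `signature`. The secret itself is never transmitted."""
    query = urlencode(params)
    digest = hmac.new(secret.encode(), query.encode(), hashlib.sha256).hexdigest()
    return query + "&signature=" + digest

def verify_signature(signed_query, secret):
    """What the exchange does: strip the signature, recompute, compare in constant time."""
    query, _, sig = signed_query.rpartition("&signature=")
    expected = hmac.new(secret.encode(), query.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)

def build_account_request(api_key, secret, timestamp_ms=None):
    """Assemble GET /api/v3/account as (url, headers) without sending it."""
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)
    params = {"recvWindow": 5000, "timestamp": timestamp_ms}  # rejected if >5 s late
    url = "https://api.binance.com/api/v3/account?" + sign_query(params, secret)
    return url, {"X-MBX-APIKEY": api_key}  # the public half travels in a header

if __name__ == "__main__":
    api_key, secret = load_credentials()
    print(build_account_request(api_key, secret))
```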
Cause 2: Config File Hacked
VPS gets hacked, and config.json is read.
Protection: Patch servers, disable password login, use SSH Keys, enable firewalls.
Cause 3: Third-Party Service Compromised
You gave your API Key to a "signal service" or "copy trading bot", and they got hacked.
Protection: Only give to trusted service providers + Enable IP Whitelisting + Only check Trade permission.
Cause 4: Local Computer Infected with Trojan
Your Windows or Mac has malware, and the API Key is stolen.
Protection: Install antivirus software + Do not download pirated software + Run important programs in isolated environments.
Frequently Asked Questions
Q: Which is worse to leak, API Key or account password?
A: It depends on permissions. If the API Key has withdrawal permissions enabled → As severe as a password leak. If only read permissions are enabled → Harm is minimal. This reiterates the importance of the principle of least privilege.
Q: How many API Keys can each account create at most?
A: Binance allows a maximum of 30 API Keys to exist simultaneously per account. You can recreate them after deleting. Generally, 1-3 is enough for an individual user.
Q: Do API Keys have an expiration date?
A: Most Keys have no mandatory expiration date. However, if there are no calls for 90 days, Binance will automatically disable them. You must re-enter the API Management page to manually activate them.
Q: Can I set sub-account permissions for an API Key?
A: Yes. Sub-accounts have independent API Keys, and their permissions and assets are isolated from the master account. It is strongly recommended to place quantitative trading in sub-accounts so that even if hacked, it doesn't affect the master account's assets.