Exchange API Permissions

What permissions to enable when you create an API key on each exchange.

TL;DR — only two permissions, never withdrawals

When you create an API key for Smartbull, enable exactly these two:

  • Read (account balance, positions, order history)
  • Spot trade (or Futures trade if you're using a perp-supporting exchange)

Never enable:

  • Withdrawals — Smartbull never needs this. We actively reject keys with withdrawal permission.
  • Transfer between accounts — same reason.
  • Sub-account management — we operate on the account you give the key to.

You can paste the key into /settings → Vault and we'll auto-validate it (we make a read-only call to confirm permissions are right).
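
As an added example (not Smartbull's validator code), the check below applies the rules above to the permission flags Binance returns from GET /sapi/v1/account/apiRestrictions, and warns when the key is not IP-restricted. The names `audit_key` and `perp_subscribed` are hypothetical, and the sample responses are constructed.

```python
# Added example: policy check over an exchange's key-restrictions response.
# Field names follow Binance's GET /sapi/v1/account/apiRestrictions;
# audit_key() is hypothetical and the sample dicts are constructed.
REQUIRED = {"enableReading": "Read"}
FORBIDDEN = {
    "enableWithdrawals": "Withdrawals",
    "enableInternalTransfer": "Transfer between accounts",
    "permitsUniversalTransfer": "Transfer between accounts",
}

def audit_key(restrictions, perp_subscribed=False):
    """Return (errors, warnings) for one key's restriction flags."""
    errors, warnings = [], []
    for field, label in REQUIRED.items():
        if restrictions.get(field) is not True:
            errors.append(f"{label} permission missing ({field})")
    for field, label in FORBIDDEN.items():
        # Fail closed: a flag that is absent or not a literal False counts
        # as enabled, so a changed or truncated response cannot pass.
        if restrictions.get(field) is not False:
            errors.append(f"{label} must be off ({field})")
    spot = restrictions.get("enableSpotAndMarginTrading") is True
    futures = restrictions.get("enableFutures") is True
    if futures and not perp_subscribed:
        errors.append("Futures enabled without a perp subscription")
    if not spot and not (futures and perp_subscribed):
        errors.append("No trade permission (spot or futures)")
    if restrictions.get("ipRestrict") is not True:
        warnings.append("Key is not restricted to specific IPs")
    return errors, warnings

# Constructed sample responses (not real keys or real API output).
GOOD = {"ipRestrict": True, "enableReading": True, "enableWithdrawals": False,
        "enableInternalTransfer": False, "permitsUniversalTransfer": False,
        "enableFutures": False, "enableSpotAndMarginTrading": True}
BAD = dict(GOOD, enableWithdrawals=True, ipRestrict=False)
TRUNCATED = {"enableReading": True, "enableSpotAndMarginTrading": True}

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("bad", BAD), ("truncated", TRUNCATED)]:
        errors, warnings = audit_key(sample)
        print(name, "REJECT" if errors else "ACCEPT", errors, warnings)
```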

Per-exchange notes

  • Binance — enable "Enable Spot & Margin Trading". Do not enable "Enable Futures" unless you've subscribed to our perp engine.
  • Bybit — create a "System-generated API key" with permissions: Contract → Orders + Positions, Spot → Trade. Skip "Withdraw".
  • OKX — "Trade" permission only. Set passphrase — you'll paste it in Vault alongside the key.
  • KuCoin — General + Trade permissions. KuCoin requires both a key and a passphrase.
  • Gate.io — "Spot trade" + "Read only". Wallet permissions stay off.
  • Kraken — "Query" + "Create & Modify Orders". No "Withdraw Funds".
  • MEXC — "Spot account" + "Spot trading".
  • BingX — "Standard" + "Spot". Leave "Withdraw" unchecked.
  • Hyperliquid — Generate an API wallet. No withdrawal permissions needed.
  • Aster — "Trade" + "Read". Standard CEX flow.

If your exchange isn't in the list, request it and we'll prioritize the adapter.

IP allowlisting

Most exchanges let you restrict the key to specific IPs. We strongly recommend turning this on. Our fixed egress IPs are published on /security.

If your exchange doesn't support IP allowlisting, the encrypted vault plus the no-withdrawal permission set is still secure: the key alone can't move funds off the exchange.

If a key gets compromised

Even though our keys can't withdraw, treat any compromise seriously:

  • Revoke the key on the exchange first (this is the only action that actually stops it).
  • Then remove it from /settings → Vault.
  • Email support@smartbull.app — we'll audit our logs to confirm the last call we made with it.

The vault stores keys encrypted with AES-256-GCM and per-row IVs. We support key rotation (up to 9 versions) — re-encryption happens transparently without re-asking you for the key.