Security-First Setup — April 2026 · Ron Nguyen
API setup takes under 5 minutes. The one rule that matters: trade-only permission, NEVER withdrawal. If your keys leak, the worst outcome is bad trades — funds cannot leave your exchange. This guide covers Bybit + Binance setup, IP whitelist, sub-account isolation, and connecting 3Commas, Cryptohopper, and Bitsgap.
Start with Bybit — Best for Bot Trading
0.02% maker fee · 400+ perpetuals · Native grid/DCA bots · No API needed for native bots
What Is an API Connection?
API keys let a bot trade on your exchange — funds stay on Binance/Bybit, never move to the bot platform.
When you connect a bot like 3Commas or Cryptohopper to Bybit, your funds never leave Bybit. The bot platform gets two keys: an API Key that identifies your account, and a Secret Key that signs each request. The bot sends a signed request → Bybit verifies the signature → executes the trade. Your funds stay on Bybit the entire time.
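The sign-then-verify exchange described above, as an added example that is not code from the article or from any bot platform. It follows the Binance-style scheme (HMAC-SHA256 over the request's query string, hex-encoded, with a timestamp and recvWindow) and uses constructed credentials; the request is signed on the bot side and checked on the exchange side, including a tampered copy and a replayed copy.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample credentials for the demo; not real keys.
API_KEY = "example-api-key-0001"            # sent in a header, identifies the account
API_SECRET = "example-secret-do-not-reuse"  # never sent; only used to compute the digest

def sign_request(params: dict, secret: str) -> tuple:
    """Bot side: build the query string and its HMAC-SHA256 hex signature."""
    query = urlencode(params)
    sig = hmac.new(secret.encode(), query.encode(), hashlib.sha256).hexdigest()
    return query, sig

def verify_request(query: str, sig: str, secret: str, now_ms: int,
                   recv_window_ms: int = 5000) -> bool:
    """Exchange side: recompute the digest over the exact bytes received,
    compare in constant time, then reject stale timestamps (replay guard)."""
    expected = hmac.new(secret.encode(), query.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    params = dict(p.split("=", 1) for p in query.split("&"))
    return abs(now_ms - int(params.get("timestamp", 0))) <= recv_window_ms

def demo() -> tuple:
    """Returns (genuine_ok, tampered_ok, replayed_ok); expect (True, False, False)."""
    now_ms = 1_700_000_000_000  # constructed clock value
    order = {"symbol": "BTCUSDT", "side": "BUY", "type": "MARKET",
             "quantity": "0.001", "recvWindow": 5000, "timestamp": now_ms}
    query, sig = sign_request(order, API_SECRET)
    genuine = verify_request(query, sig, API_SECRET, now_ms)
    # Tampering: change one field after signing; the digest no longer matches.
    tampered = verify_request(query.replace("quantity=0.001", "quantity=10"),
                              sig, API_SECRET, now_ms)
    # Replay: the same signed request presented ten minutes later falls outside recvWindow.
    replayed = verify_request(query, sig, API_SECRET, now_ms + 600_000)
    return genuine, tampered, replayed
```

The signature proves the request was built by someone holding the secret, which is why a leaked secret lets an attacker place orders but still only within the permissions attached to that key.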
Rate limits matter for high-frequency bots: Binance allows approximately 1,200 requests per minute — exceeding this triggers a 429 error and a temporary IP block (Cryptowisser 2026). Most retail bots stay well under this limit, but it's worth knowing if you run multiple bots on the same key.
API Permission Types — What Each Does
Read: View balances, positions, order history. Safe to enable always.
Spot Trading: Place and cancel spot orders. Required for spot bots.
Futures / Margin: Place futures/margin orders. Enable only if bot needs it.
Withdrawal: Move funds off the exchange. NEVER enable for any bot.
Asset Transfer: Move funds between sub-accounts. Disable unless specifically needed.
The One Rule
NEVER enable Withdrawal permission on any API key used by a bot. With trade-only keys, even if your keys are compromised, an attacker can only make bad trades — they cannot move your funds off the exchange. This single rule eliminates the catastrophic risk scenario.
Bybit API Setup
Account Security → API Management → Create Key → trade-only → IP whitelist. Under 3 minutes.
Bybit has the cleanest API setup flow of any major exchange. The whole process takes under 3 minutes if you have your bot platform's IP addresses ready. Get those IPs first — I'll show you where to find them in the next section.
Login bybit.com → Account Security → API Management → Create New Key → System-generated
Use System-generated keys — not user-defined. System keys are cryptographically stronger.
Enable: Contract Orders + Spot Trading. DISABLE: Asset Transfer + Withdrawal
Double-check Withdrawal is OFF before saving. This is the single most important step.
IP Restriction: enter bot platform IP, enable trusted IPs only
Get the IP from your bot platform's security docs before creating the key. Whitelist ALL listed IPs.
Label the key (e.g. '3Commas-Bot-1'), complete 2FA verification
Use descriptive labels — you'll thank yourself when auditing keys 90 days later.
Copy Key + Secret immediately — Secret is shown only once
Store in a password manager (Bitwarden, 1Password). Never in Notion, Google Docs, or plain text.

Bybit API Management — enable Contract Orders + Spot Trading, disable Asset Transfer + Withdrawal
Don't have a Bybit account yet?
Sign up in 2 minutes — 5-min KYC, 20,000 USDT demo account included
Binance API Setup
Profile → API Management → Create API → Spot & Margin only → IP whitelist. NEVER enable Withdrawals.
Binance's API setup is slightly more involved than Bybit's, but the same principles apply. One important Binance-specific note: changing permissions on an existing key requires deleting and recreating it. Get the permissions right the first time.
Login → Profile → API Management → Create API → System Generated
System Generated is more secure than User Defined. Always use this option.
Enable: Reading + Spot & Margin. Futures bot: also enable Futures. NEVER Withdrawals
"If keys leaked, hacker can only make bad trades, not steal funds" — Coinmonks 2026. This is why trade-only matters.
IP Restriction: trusted IPs → enter bot IP → 2FA → copy immediately
Binance note: changing permissions requires deleting and recreating the key. Get it right the first time.
Binance API Management — enable Reading + Spot & Margin, disable Withdrawals, add IP restriction
Coinmonks 2026 on Key Leaks
"If keys leaked, hacker can only make bad trades, not steal funds." — Coinmonks 2026. This is the entire point of trade-only permissions. A leaked trade-only key is annoying. A leaked withdrawal-enabled key is catastrophic.
Find Your Bot Platform's IP Addresses
Bot platforms publish server IPs in security docs — whitelist ALL of them before creating keys.
This is the step most guides skip. You need the bot platform's server IPs before you create the API key on the exchange. Whitelist all of them — platforms often have multiple server IPs and rotate them. If you miss one, the bot will fail to connect intermittently.
Troubleshooting Connection Failures
If the bot fails to connect after setup: temporarily disable IP restriction on the key to confirm the credentials are correct. If it connects without IP restriction, the issue is a missing IP in your whitelist. Re-enable IP restriction after adding the correct IPs — never leave it disabled permanently.
Sub-Account Isolation
Create a dedicated sub-account for your bot — limits damage if key compromised, isolates P&L.
This is the setup I use personally. A sub-account dedicated to bot trading means that even in the worst case — a compromised key — the attacker only has access to the capital you transferred to that sub-account. Your main account is completely untouched. It also gives you clean P&L tracking: you can see exactly what the bot is making or losing without it mixing with your manual trades.
Sub-account isolation — bot capital separated from master account
Sub-Account Setup Process
Create sub-account
Binance: Account → Sub Account → Create (max 200 sub-accounts). Bybit: Account → Sub Account → Create (max 20 sub-accounts).
Transfer only bot capital
Move only the capital you want the bot to trade. Keep the rest in your master account.
Create API keys on sub-account only
Log into the sub-account and create the API key there. Never create bot keys on your master account.
Connect bot to sub-account key
Paste the sub-account API key into your bot platform. The bot now only has access to the sub-account.
Compromise = sub-account only
If keys leak, attacker only accesses the sub-account capital. Master account untouched.
Clean P&L tracking
Bot performance is completely isolated from manual trades. No mixing.
Stop bot without touching master
Pause or revoke the bot's key without affecting any other trading activity.
Different leverage per sub-account
Bybit allows different leverage settings per sub-account — useful for running multiple strategies.
Connect to 3Commas, Cryptohopper, Bitsgap
All three: add exchange → paste Key + Secret → verify → test paper trade. Same process.
The connection process is nearly identical across all three platforms. The key difference is where each platform warns you about dangerous permissions — Cryptohopper and Bitsgap both auto-detect withdrawal-enabled keys and warn you. 3Commas does not, so you need to verify manually.
3Commas: My Exchanges → Add Exchange → select exchange → paste credentials → Connect
Set default futures leverage here after connecting.
Cryptohopper: Account → Exchange → Add → paste → test
Warns if withdrawal permission is enabled — take that warning seriously.
Bitsgap: Connect Exchange → paste → Verify
Auto-warns if withdrawal detected. Always run a test order after connecting.
Always Run a Test Order
After connecting any bot platform, run a test order — even a $1 market buy and immediate sell. This confirms the API key is working, the permissions are correct, and the bot can actually execute trades. Don't skip this step. A key that looks connected but fails silently will miss your first real trade signal.
Permissions by Bot Type
Spot bots need Spot Trading; futures bots need Futures; no bot ever needs Withdrawal.
Use this as your reference when setting up any new bot. Enable only what the bot actually needs — minimum permissions = minimum risk. Audit all active keys monthly and revoke any with Withdrawal enabled immediately.
API Permissions Matrix by Bot Type
| Bot Type | Read | Spot | Margin | Futures | Withdrawal |
|---|---|---|---|---|---|
| Spot Grid / DCA Bot | | | | | NEVER |
| Futures / Perps Bot | | | | | NEVER |
| Margin DCA Bot | | | | | NEVER |
| Copy Trading Bot | | | | | NEVER |
| Withdrawal (ANY bot) | | | | | NEVER |
Monthly Audit Rule
Audit all active API keys monthly. Check the "Last Used" timestamp on each key. Any key unused for 14+ days should be investigated — either the bot stopped working silently, or the key is no longer needed. Revoke any key with Withdrawal enabled immediately, regardless of when it was last used.
Key Rotation
Rotate every 90 days; revoke immediately on any suspicious activity.
Key rotation is the security practice most bot traders skip until something goes wrong. The 90-day cycle is a reasonable balance between security and operational overhead. If you notice any unusual trading activity — orders you didn't place, positions you don't recognize — revoke the key immediately and investigate before creating a new one.
90-Day Rotation Process
Create new API key on the exchange
Same permissions as the old key. Same IP whitelist. Label it with the date: 'Bot-3Commas-2026-07'.
Update credentials in bot platform
Paste the new Key + Secret into your bot platform. Test with a small order to confirm it works.
Verify bot is running on new key
Check the bot executed at least one trade or heartbeat on the new key before deleting the old one.
Delete the old key
Once confirmed working, delete the old key from the exchange. Don't leave unused keys active.
Check "Last Used" weekly
Unused 14+ days = investigate. Either the bot stopped silently or the key is orphaned.
Password manager only
Store keys in Bitwarden or 1Password. Never plain text, Notion, Google Docs, or screenshots.
One key per platform
Separate key for 3Commas, separate for Cryptohopper. Enables clean revocation per platform.
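The monthly audit, the 90-day rotation rule and the least-privilege matrix above, combined into one check as an added example (not code from the article or from any exchange). The key inventory is constructed; in practice the fields come from the exchange's API Management page. The policy encodes only what the article states: spot bots get Read + Spot, futures bots get Read + Futures, and no key may carry Withdrawal or Asset Transfer.

```python
from datetime import date

# Least-privilege policy from the article: spot bots need Spot, futures bots need
# Futures, every bot may Read, and no bot ever gets Withdrawal or Asset Transfer.
ALLOWED = {"spot": {"read", "spot"}, "futures": {"read", "futures"}}
NEVER = {"withdrawal", "asset_transfer"}
ROTATION_DAYS = 90   # rotate keys older than this
STALE_DAYS = 14      # investigate keys unused for this long

def audit_key(key: dict, today: date) -> list:
    """Return the findings for one key record; an empty list means the key is clean."""
    findings = []
    perms = set(key["permissions"])
    if "withdrawal" in perms:
        findings.append("REVOKE NOW: withdrawal enabled")
    if "asset_transfer" in perms:
        findings.append("disable asset transfer unless specifically needed")
    excess = perms - ALLOWED.get(key["bot_type"], set()) - NEVER
    if excess:
        findings.append("excess permissions: " + ", ".join(sorted(excess)))
    if not key["ip_whitelist"]:
        findings.append("no IP restriction")
    if (today - key["created"]).days >= ROTATION_DAYS:
        findings.append("rotate: key older than 90 days")
    last = key["last_used"]
    if last is None or (today - last).days >= STALE_DAYS:
        findings.append("investigate: unused 14+ days")
    return findings

def audit_all(keys: list, today: date) -> dict:
    """Map each key label to its findings."""
    return {k["label"]: audit_key(k, today) for k in keys}

# Constructed inventory (sample values, not real keys or addresses).
SAMPLE_KEYS = [
    {"label": "3Commas-Bot-1", "bot_type": "spot", "permissions": ["read", "spot"],
     "ip_whitelist": ["203.0.113.10"], "created": date(2026, 5, 1), "last_used": date(2026, 6, 30)},
    {"label": "Old-Manual-Key", "bot_type": "spot", "permissions": ["read", "spot", "withdrawal"],
     "ip_whitelist": [], "created": date(2026, 1, 15), "last_used": date(2026, 3, 1)},
    {"label": "Bitsgap-Grid", "bot_type": "spot", "permissions": ["read", "spot", "futures"],
     "ip_whitelist": ["198.51.100.7"], "created": date(2026, 4, 20), "last_used": date(2026, 6, 10)},
]

def demo() -> dict:
    """Audit the sample inventory as of a fixed date so results are reproducible."""
    return audit_all(SAMPLE_KEYS, date(2026, 7, 1))
```

Run it once a month; any key whose findings start with REVOKE NOW is deleted before anything else is looked at.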
FAQ
Not with trade-only permissions. An API key without Withdrawal permission cannot move funds off the exchange — it can only place and cancel orders. Even if your API key is completely compromised, the attacker can only make bad trades on your behalf. Your funds cannot leave Bybit or Binance. This is why the single most important rule is: never enable Withdrawal permission on any bot API key.
Risk Disclaimer — This article represents Ron Nguyen's personal experience and opinions based on publicly available research (Coinmonks 2026, Cryptowisser 2026). It is not financial advice. Automated trading bots do not guarantee profit. Crypto markets are highly volatile. API key security is your responsibility — always verify permissions before saving. Only risk capital you can afford to lose entirely. Ron Nguyen, April 28, 2026.

