API Key Best Practices

This guide covers everything you need to know about creating, configuring, and managing exchange API keys securely for use with SignalBee.

What is an API Key?

Think of an API key as a "valet key" for your exchange account. Just like a valet key lets someone drive your car but not open your trunk or glove box, an API key lets SignalBee interact with your exchange while you control exactly what it can and cannot do.

How It Works

Your Exchange Password	Your API Key
Full access to everything	Limited access you define
Can withdraw funds	❌ Cannot withdraw (if disabled)
Can change settings	❌ Cannot change settings
Only you should know it	Safe to share with SignalBee

An API key consists of two parts:

API Key (public identifier) - Like a username
Secret Key (private credential) - Like a password, shown only once when created

Security Note: Your exchange will only show the Secret Key once when you create it. If you lose it, you'll need to create a new API key.

The Golden Rules

Follow these four rules to keep your funds safe:

🔒 Rule 1: NEVER Enable Withdrawal Permissions

SignalBee never needs withdrawal access. If any service asks for withdrawal permissions, treat it as a major red flag.

With withdrawals disabled:

✅ SignalBee can check your balances
✅ SignalBee can place trades
❌ Nobody can move your funds off the exchange

🔑 Rule 2: Use a Dedicated API Key for SignalBee

Don't reuse API keys across multiple services. Create a fresh key specifically for SignalBee.

Why this matters:

If one service is compromised, your other services remain unaffected
You can revoke the SignalBee key without disrupting other tools
Easier to track which service made which trades

🔐 Rule 3: Store Your Secret Key Securely

Your exchange shows the secret key only ONCE when you create it. After that, it's gone forever.

Best practices:

✅ Store in a password manager (1Password, Bitwarden, etc.)
✅ Keep an encrypted backup
❌ Never share via email, chat, or messaging apps
❌ Never take screenshots that might sync to cloud storage
❌ Never store in plain text files on your computer

🛡️ Rule 4: Consider IP Whitelisting

Restrict your API key to only work from SignalBee's servers. Even if your key is somehow exposed, it won't work from any other location.

This is optional but provides an extra security layer. See the IP Whitelisting Setup section below.

Required Permissions by Exchange Type

SignalBee requires different permissions depending on what type of trading you do:

Exchange Type	Read Account	Spot Trading	Futures Trading	Withdrawals
Spot Only	✅ Required	✅ Required	❌ Not needed	❌ NEVER
Spot + Perpetual	✅ Required	✅ Required	✅ Required	❌ NEVER
Perpetual Only	✅ Required	❌ Not needed	✅ Required	❌ NEVER

Why Each Permission Is Needed

Permission	Purpose
Read Account	Check your available balances before placing orders to ensure you have sufficient funds
Spot Trading	Execute market and limit orders for spot trading pairs (BTC/USDT, ETH/USDT, etc.)
Futures Trading	Execute orders on perpetual contract markets (only needed if you trade perpetuals)

Creating Your API Key (General Steps)

These steps apply to most exchanges. For exchange-specific screenshots and details, see your exchange guide.

Step-by-Step Process

Log in to your exchange using your regular credentials and 2FA
Navigate to API Management
- Usually found under: Profile → API Management or Settings → API
- Look for terms like "API Keys", "API Access", or "Manage API"
Click "Create New API Key" (or similar button)
Set a descriptive label
- Use something clear like SignalBee Trading or SignalBee-Spot
- This helps you identify the key's purpose later
Configure permissions carefully:
- ✅ Enable: Read / View Account
- ✅ Enable: Spot Trading (if trading spot)
- ✅ Enable: Futures Trading (only if trading perpetuals)
- ❌ Leave disabled: Withdrawals, Transfer, Internal Transfer
Set IP restrictions (optional but recommended)
- Add SignalBee's server IPs if you want extra security
- See IP Whitelisting Setup below
Complete 2FA verification
- You'll typically need to confirm via authenticator app or email
IMMEDIATELY copy both keys
- Copy the API Key (public)
- Copy the Secret Key (shown only once!)
Store securely
- Paste both keys into your password manager
- Verify you saved them correctly before closing the page
Add to SignalBee
- Go to Exchanges → Add Exchange
- Select your exchange
- Paste your API Key and Secret Key
- Click Test Connection to verify

Security Note: If you accidentally close the page before saving your secret key, you'll need to delete that API key and create a new one. There's no way to recover it.

IP Whitelisting Setup

IP whitelisting restricts your API key to only work from specific IP addresses. This is one of the strongest security measures available.

What Is IP Whitelisting?

When enabled, your exchange will reject API requests from any IP address not on your whitelist. This means:

Scenario	Without IP Whitelist	With IP Whitelist
SignalBee places trade	✅ Works	✅ Works (from whitelisted IP)
Attacker tries to use stolen key	⚠️ Could work	❌ Blocked

SignalBee Server IP Addresses

To configure IP whitelisting, you'll need SignalBee's production server IPs:

Note: Contact support@signalbee.trade for current production IP addresses. We maintain a small set of static IPs specifically for exchange API calls.

How to Set Up IP Whitelisting

When creating or editing your API key, look for "IP Restriction" or "IP Whitelist"
Enable the restriction option
Add each SignalBee IP address provided by support
Save the API key settings

Security Note: If SignalBee's IP addresses change (rare, but possible during infrastructure updates), we'll notify you via email before any changes take effect. Your trades won't fail without warning.

API Key Rotation

Rotating your API keys periodically is a security best practice, similar to changing passwords.

Why Rotate Keys?

Limits exposure time if a key was compromised without your knowledge
Good security hygiene
Required by some compliance frameworks

Recommended Frequency

Standard: Every 90 days
After any security concern: Immediately
After revoking team access: If someone who had access leaves your organization

How to Rotate Your API Key

Follow this process to avoid any downtime:

Create a new API key on your exchange with the same permissions
Copy both the new API Key and Secret Key securely
Update SignalBee:
- Go to Exchanges → Select your exchange
- Click Edit
- Paste the new credentials
- Click Save
Test the connection in SignalBee to verify it works
Delete the old API key on your exchange (only after verifying the new one works!)

Security Note: Don't delete your old key until you've confirmed the new one works. If you delete first and the new key has an issue, you'll temporarily lose trading ability.

Troubleshooting Common Issues

If you're having problems with your API key, check this table:

Problem	Likely Cause	Solution
"Invalid API Key"	Typo when copying	Re-copy the API key carefully. Watch for extra spaces at the beginning or end.
"Invalid Signature"	Wrong or corrupted Secret Key	Re-copy the Secret Key. If lost, create a new API key.
"Permission Denied"	Missing required permissions	Go to your exchange and enable Read + Trade permissions.
"IP Not Whitelisted"	Using IP restriction	Add SignalBee's IPs to your whitelist, or disable IP restriction.
"API Key Expired"	Some exchanges expire keys	Create a new API key on your exchange.
"Timestamp Error"	Clock synchronization issue	Usually temporary. If persistent, check your exchange's server status.
"Rate Limited"	Too many requests	Wait a few minutes and try again. Check for duplicate webhooks in your signal provider.
"Insufficient Balance"	Not enough funds	Ensure you have sufficient balance in the correct account (Spot vs Funding vs Futures).

Still Having Issues?

Double-check you're using the correct API key for the correct exchange
Verify the key hasn't been revoked on your exchange
Ensure you're connecting to the right environment (mainnet vs testnet)
Contact support@signalbee.trade with your exchange name and error message

What to Do If Your Key Is Compromised

If you suspect your API key has been exposed or stolen, act immediately:

Emergency Response Steps

🚨 IMMEDIATELY revoke the key on your exchange
- Don't wait - do this first
- Log in to your exchange → API Management → Delete/Revoke the key
Review recent activity
- Check your exchange trade history for any unauthorized trades
- Note any suspicious activity with timestamps
Create a new API key
- Follow the creation steps above
- This time, consider enabling IP whitelisting
Update SignalBee
- Go to Exchanges → Edit your exchange
- Enter the new API credentials
- Test the connection
Enable additional security
- Set up IP whitelisting if not already enabled
- Review your exchange account security settings
Investigate the compromise
- How might the key have been exposed?
- Did you share it accidentally?
- Is your computer/password manager secure?
Contact support if needed
- Email support@signalbee.trade if you need assistance
- Include your account email and exchange name

Remember: Even if your API key is compromised, your funds cannot be withdrawn if you followed Rule 1 and never enabled withdrawal permissions.

API Key Checklist

Use these checklists to ensure your API key is configured correctly.

Before Adding to SignalBee

Created with a descriptive label (e.g., "SignalBee Trading")
Read/View Account permission ✅ enabled
Spot Trading permission ✅ enabled (if trading spot)
Futures Trading permission ✅ enabled (only if trading perpetuals)
Withdrawal permission ❌ disabled
Transfer permissions ❌ disabled
Secret Key saved in password manager
IP whitelist configured (optional but recommended)

After Adding to SignalBee

Connection test passed ✅
Account balances visible in SignalBee
Test webhook/signal executed successfully
Confirmed trade appeared in exchange history

Periodic Security Review (Every 90 Days)

API key still has correct permissions (no unwanted additions)
No unauthorized API keys on your exchange account
Consider rotating to a fresh API key
Review recent trades for any anomalies

Security Overview - How SignalBee protects your data
Exchange Guides - Step-by-step setup for each exchange
User Guide - Complete SignalBee documentation
Troubleshooting - Common issues and solutions