Security Overview
Your funds and data security are our top priority. This page explains exactly how SignalBee protects you.
Our Security Promise
SignalBee is 100% non-custodial. We never hold your funds. Your crypto stays on your exchange at all times.
Here's what SignalBee can and cannot do with your API key:
| Action | Can SignalBee Do This? |
|---|---|
| ✅ Read your account balances | Yes - to check available funds before trading |
| ✅ Place buy/sell orders | Yes - to execute your trading signals |
| ❌ Withdraw funds | No - never |
| ❌ Transfer between accounts | No - never |
| ❌ Access your exchange password | No - never |
Why can't we withdraw? When you create an API key, you choose exactly what permissions to grant. We only ask for Read and Trade permissions. Without Withdrawal permission enabled on your API key, it's technically impossible for anyone - including us - to move your funds off the exchange.
Security Note: Even if someone somehow obtained your SignalBee credentials AND your API key, they still couldn't withdraw your funds. The exchange simply won't allow it without withdrawal permissions.
How We Protect Your API Keys
Your exchange API keys are the most sensitive data we store. Here's how we protect them:
Military-Grade Encryption
We use AES-256-GCM encryption - the same encryption standard used by banks, government agencies, and the military. Your API keys are encrypted the moment you enter them and remain encrypted until the exact moment we need to place a trade.
┌─────────────┐     ┌─────────────────────┐     ┌────────────────┐     ┌──────────┐
│  You enter  │ ──► │  Encrypted Storage  │ ──► │  Decrypt only  │ ──► │ Exchange │
│   API key   │     │    (AES-256-GCM)    │     │   for trade    │     │   API    │
└─────────────┘     └─────────────────────┘     └────────────────┘     └──────────┘
What This Means for You
- ✅ Keys are never stored in plain text - not in our database, not in logs, nowhere
- ✅ Keys are never included in URLs or query parameters
- ✅ Keys are never logged in any system
- ✅ Decryption happens only at the moment of trade execution and only in secure memory
- ✅ Encryption keys are stored separately from encrypted data
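The storage flow above, sketched as an added example in Node.js (this is not SignalBee's code). The record layout, the associated-data format, and the names `sealSecret`, `openSecret`, `userId` and `exchange` are assumptions made for the illustration.

```javascript
// Added example, not SignalBee's code: sealing an exchange API secret with AES-256-GCM.
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// Assumption: in production the 32-byte key is fetched from a vault or KMS kept apart
// from the database. It is generated here only so the example runs offline.
const masterKey = randomBytes(32);

// Associated data ties a record to its owner; a row copied to another user will not open.
function aadFor(userId, exchange) {
  return Buffer.from(JSON.stringify(['apikey', userId, exchange]), 'utf8');
}

function sealSecret(key, userId, exchange, secret) {
  const nonce = randomBytes(12);   // fresh random 96-bit nonce for every record
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(aadFor(userId, exchange));
  const ct = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
  // Stored record (hypothetical layout): nonce (12) | tag (16) | ciphertext.
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]).toString('base64');
}

function openSecret(key, userId, exchange, record) {
  const raw = Buffer.from(record, 'base64');
  if (raw.length < 28) throw new Error('record too short');
  const decipher = createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12), { authTagLength: 16 });
  decipher.setAAD(aadFor(userId, exchange));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws when the key, AAD, tag or ciphertext does not match.
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// True when decryption is refused, false when it unexpectedly succeeds.
function rejects(fn) {
  try { fn(); return false; } catch { return true; }
}

// Constructed sample values, not real credentials.
const record = sealSecret(masterKey, 'user-42', 'exampleex', 'constructed-api-secret');
const tampered = Buffer.from(record, 'base64');
tampered[tampered.length - 1] ^= 0x01;   // flip one ciphertext bit

console.log(openSecret(masterKey, 'user-42', 'exampleex', record));
console.log(rejects(() => openSecret(masterKey, 'user-99', 'exampleex', record)));
console.log(rejects(() => openSecret(masterKey, 'user-42', 'exampleex', tampered.toString('base64'))));
console.log(rejects(() => openSecret(randomBytes(32), 'user-42', 'exampleex', record)));
```

A database dump alone yields only the base64 records; opening one also needs the separately stored key and the matching owner fields.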
Data Encryption
Security doesn't stop at API keys. Here's how we protect all your data:
In Transit (Moving Data)
All communication between your browser and SignalBee uses HTTPS/TLS 1.3 encryption. This means:
- Data cannot be intercepted or read by third parties
- You'll always see the 🔒 padlock in your browser's address bar
- We enforce HSTS (HTTP Strict Transport Security) to prevent downgrade attacks
At Rest (Stored Data)
| Data Type | Protection Method |
|---|---|
| API Keys & Secrets | AES-256-GCM encryption |
| Passwords | bcrypt hashing (cost factor 12) - cannot be reversed |
| Session Tokens | JWT with 24-hour expiration |
| Webhook Secrets | AES-256-GCM encryption |
Security Headers
We implement industry-standard security headers:
- X-Frame-Options: Prevents clickjacking attacks
- Content-Security-Policy: Restricts which scripts and other resources a page may load, to block XSS and code injection
- X-Content-Type-Options: Prevents MIME type sniffing
IP Whitelisting
For advanced users, IP whitelisting adds an extra layer of security by restricting your API key to only work from specific IP addresses.
SignalBee Server IPs
To enable IP whitelisting, add these SignalBee server addresses to your exchange's API key whitelist:
Note: Contact support@signalbee.trade for our current production IP addresses. IP addresses may change during infrastructure updates - we'll notify you via email before any changes.
Why Use IP Whitelisting?
Even if your API key were somehow exposed:
- ❌ Attacker tries to use key from their computer → Blocked by exchange
- ✅ SignalBee uses key from whitelisted IP → Works normally
Security Note: IP whitelisting is optional but recommended for maximum security. See your exchange-specific guide for setup instructions.
What Permissions We Need (And Why)
SignalBee requests the minimum permissions necessary to function. Here's exactly what we need:
| Permission | Required? | Why We Need It |
|---|---|---|
| Read Account | ✅ Required | Check your balances before placing trades to ensure sufficient funds |
| Spot Trading | ✅ Required | Execute buy and sell orders based on your signals |
| Futures/Perpetual Trading | ⚠️ Optional | Only required if you're using perpetual contract exchanges |
| Withdrawals | ❌ NEVER | We never need this - do not enable it |
| Internal Transfer | ❌ Never | Not required for any SignalBee feature |
| Universal Transfer | ❌ Never | Not required for any SignalBee feature |
Security Note: If any service asks you to enable withdrawal permissions, treat it as a major red flag. SignalBee will never ask for withdrawal access.
What Happens If...
Let's address the security scenarios you might be worried about:
"What if SignalBee gets hacked?"
Even in a worst-case breach scenario:
- Your API keys are encrypted - Attackers would get encrypted data, not usable keys
- Encryption keys are stored separately - Getting one doesn't give access to the other
- Even with decrypted keys, no withdrawals possible - Your funds remain safe
- We have breach detection and response procedures - We'd notify you immediately
"What if my SignalBee account is compromised?"
If someone gains access to your SignalBee account:
- They cannot withdraw your funds - API keys don't have that permission
- They could potentially place trades - But this requires knowing your connected exchanges
- Take immediate action:
  - Log in to your exchange and revoke the API key immediately
  - Change your SignalBee password
  - Enable 2FA if not already active
  - Contact us at support@signalbee.trade
"What if my API key is leaked?"
If you suspect your API key has been exposed:
- Immediately revoke the key on your exchange (don't wait!)
- Review recent trades on your exchange for any unauthorized activity
- Generate a new API key with the same permissions
- Update the new key in SignalBee
- Consider enabling IP whitelisting to prevent future issues
Our Security Practices
Building trust requires transparency. Here's how we maintain security:
Development Security
- Secure coding practices - Code reviews with security focus
- Dependency scanning - Automated vulnerability detection in third-party libraries
- No secrets in code - All credentials managed through secure vaults
Operational Security
- Minimal access principle - Team members only access what they need
- No plain-text key access - Even our team cannot see your decrypted API keys
- Comprehensive logging - All access is logged (but sensitive data is masked)
- Regular security reviews - Periodic assessment of security controls
Incident Response
- Detection systems - Automated alerts for suspicious activity
- Response procedures - Documented playbooks for security events
- User notification - Commitment to notify affected users promptly
- Post-incident review - Learning from any incidents to prevent recurrence
Recommended Security Practices
Help us keep you safe by following these best practices:
Account Security
- Use a strong, unique password for SignalBee (12+ characters, mix of letters, numbers, symbols)
- Never reuse passwords from other services
- Enable 2FA on your exchange account (hardware key > authenticator app > SMS)
- Use a password manager to store your credentials securely
API Key Security
- Create a dedicated API key just for SignalBee
- Enable only Read + Trade permissions (never Withdrawals)
- Consider IP whitelisting for maximum security
- Rotate your API keys every 90 days as a security habit
- Never share API keys via email, chat, or screenshots
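The checklist above and the permission table under "What Permissions We Need", turned into a repeatable audit. This is an added example, not SignalBee's code: the permission field names, the finding codes and the sample keys are hypothetical and need mapping from whatever your exchange's API or settings page reports.

```javascript
// Added example (not SignalBee's code): audit an exchange API key against the
// Read + Trade policy. Field names are hypothetical; map them from your exchange.
const POLICY = {
  read: 'required', spotTrade: 'required', futuresTrade: 'optional',
  withdraw: 'forbidden', internalTransfer: 'forbidden', universalTransfer: 'forbidden',
};
const MAX_KEY_AGE_DAYS = 90;   // rotation interval recommended on this page

function auditApiKey(key, now = new Date()) {
  const findings = [];
  for (const [perm, enabled] of Object.entries(key.permissions)) {
    if (!enabled) continue;
    // Fail closed: an enabled permission that is not in the policy is also reported.
    if (POLICY[perm] === 'forbidden') findings.push({ code: 'forbidden-permission', perm });
    else if (POLICY[perm] === undefined) findings.push({ code: 'unreviewed-permission', perm });
  }
  for (const [perm, rule] of Object.entries(POLICY)) {
    if (rule === 'required' && !key.permissions[perm]) {
      findings.push({ code: 'missing-required', perm });
    }
  }
  if (!Array.isArray(key.ipAllowlist) || key.ipAllowlist.length === 0) {
    findings.push({ code: 'no-ip-restriction' });
  }
  const ageDays = Math.floor((now - new Date(key.createdAt)) / 86400000);
  if (ageDays > MAX_KEY_AGE_DAYS) findings.push({ code: 'rotation-overdue', ageDays });
  return findings;
}

// Constructed sample keys; 203.0.113.10 is a documentation-range address.
const goodKey = {
  permissions: { read: true, spotTrade: true, futuresTrade: false, withdraw: false,
                 internalTransfer: false, universalTransfer: false },
  ipAllowlist: ['203.0.113.10'],
  createdAt: '2024-05-01T00:00:00Z',
};
const riskyKey = {
  permissions: { read: true, spotTrade: true, withdraw: true, marginLoan: true },
  ipAllowlist: [],
  createdAt: '2024-01-10T00:00:00Z',
};
const auditDate = new Date('2024-06-01T00:00:00Z');   // fixed so the output is stable
console.log(auditApiKey(goodKey, auditDate), auditApiKey(riskyKey, auditDate));
```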
Ongoing Vigilance
- Regularly review your trade history for unauthorized activity
- Check API key permissions periodically on your exchange
- Keep your email secure - it's your account recovery method
- Report suspicious activity to support@signalbee.trade immediately
Related Resources
- API Key Best Practices - Detailed guide on creating and managing API keys
- Exchange Guides - Step-by-step API key setup for each supported exchange
- FAQ - Common questions answered