Exchange API Key Security: Why Your Trading Bot Can't Drain Funds
Giving a third party access to your exchange account sounds risky. In the worst-case scenario you can imagine, the platform gets hacked, your API keys are stolen, and your funds disappear. That scenario is real — but it is also completely preventable with one setting that costs you nothing to enable: withdrawal-disabled API keys. This post explains what that restriction actually does, the additional layers VolatiCloud enforces on top of it, and how to generate keys that even a full database breach cannot turn into stolen funds.

What Exchange API Keys Actually Grant
When you connect an exchange account to a trading bot, you generate an API key and secret on the exchange. That key is a scoped credential: it proves you authorized something on your behalf, but the specific permissions depend entirely on what you checked when you created it.
Most exchanges offer a permission model like this:
| Permission | What it allows |
|---|---|
| Read | View balances, positions, order history |
| Trade | Place and cancel orders |
| Withdraw | Transfer funds to external addresses |
| Transfer | Move funds between sub-accounts or wallets |
| Margin | Manage margin positions |
A trading bot needs exactly one of these: Trade. Everything else is either unnecessary or actively dangerous to grant to an automated system you don't control every second.
The withdrawal permission is the dangerous one. An API key that can withdraw can drain your entire balance to an external wallet in seconds — one API call, no 2FA prompt, no email confirmation on most exchanges. If that key is compromised, the window between an attacker getting your key and your funds being gone can be measured in seconds.
The Withdrawal-Disabled Standard
The industry convention for trading bot API keys is simple: never generate a key with withdrawal permissions.
A withdrawal-disabled key can trade on your behalf but cannot move funds off the exchange. Even if the key is leaked in a database breach, exposed in a log file, or intercepted in transit, an attacker holding it can do exactly one thing: place and cancel orders. They can't drain your account. They can't transfer funds to their wallet. The worst they can do is make bad trades — which your bot's stop-loss settings will contain.
This is not an optional best practice. It is the minimum viable security posture for any API key you share with a third party. If you're connecting keys to any platform — VolatiCloud or anyone else — verify withdrawal permissions are off before you paste the key.