Skip to main content

Exchange Connections on VolatiCloud

An Exchange in VolatiCloud is a saved connection to a cryptocurrency exchange — your API key, secret, and any extra credentials (passphrase for OKX or KuCoin, EVM wallet for Hyperliquid) — that bots use to fetch market data and place orders. You connect an exchange once, and then any bot you create can use that connection without re-entering credentials.

This page covers how to add a connection through the guided wizard, what permissions to enable on the exchange side, and how VolatiCloud protects your keys at rest and at runtime. For per-exchange API setup walkthroughs, see Supported Exchanges.

Supported Exchanges (14 venues)

VolatiCloud supports every exchange Freqtrade integrates with. The catalog is the single source of truth in api/internal/exchange/catalog.go, and adding a new exchange is a one-line change in that file.

ExchangeSpotFuturesMarginPassphraseNotes
BinanceYesYesYesLargest exchange by volume
Binance USYesUS-regulated; spot only
BingXYesSpot and copy trading
BitgetYesYesStrong futures liquidity
BitMartYesBroad altcoin coverage
BitvavoYesDutch DNB-regulated
BybitYesYesMajor derivatives venue
Gate.ioYesYesExtensive altcoin and futures markets
HTXYesFormerly Huobi
HyperliquidYesYesOn-chain perpetuals DEX
KrakenYesYesUS-based, long-running
KuCoinYesRequiredEarly altcoin listings
OKXYesYesRequiredGlobal, deep order books
MyOKX (EEA)YesYesRequiredOKX endpoint for EEA users (my.okx.com)

For per-exchange API key creation steps, IP allowlisting, and link domains, see Supported Exchanges.

Adding an Exchange — The Two-Step Wizard

When you click Add Exchange, VolatiCloud opens a guided two-step wizard inside a single drawer. No JSON, no YAML, no Freqtrade config knowledge required for the common path.

VolatiCloud Exchanges page in an empty state, with a placeholder prompting the user to connect their first exchange and a green Add Exchange button in the top right

Step 1 — Pick the Exchange

The first screen is a visual grid of cards, one per supported venue, with brand colors and a one-line description. Click the card for the exchange you want to connect.

Add Exchange wizard drawer showing a grid of exchange cards with logos and short descriptions for Binance, Binance US, BingX, Bitget, BitMart, Bitvavo, Bybit, Gate.io, HTX, and more, with a Select Exchange to Enter Credentials stepper pinned to the top

Step 2 — Enter Credentials

The drawer transitions to a credentials form scoped to the exchange you picked. Required fields:

FieldDescription
Connection nameLabel for this connection (e.g., "Binance Production", "KuCoin Sub-Account")
API keyThe exchange-issued API key
API secretThe exchange-issued API secret
PassphraseRequired only for OKX, MyOKX, and KuCoin

Use the Open API Management helper link to jump directly to the exchange's API page if you haven't created keys yet. Click Connect Exchange to save — VolatiCloud will probe the key to verify it has the trade scope and reject it if withdrawal capability is enabled.

Advanced Mode

Need full Freqtrade configuration control — custom pair whitelists, ccxt_config, trading-mode overrides? Click Advanced Mode in the wizard to switch to the raw JSON config form. The wizard handles 95% of cases; Advanced Mode is the escape hatch.

tip

The wizard sets a wildcard pair whitelist (.*) by default, meaning bots can trade any available pair on this exchange. Edit the connection later to narrow this if you want to restrict bots to specific markets.

Editing an Exchange Connection

Open the Actions menu (⋮) on the exchange row in the list and select Edit. The edit form always renders the full configuration — you can update API keys, change pair whitelists, switch trading modes, or modify any field at any time. Saving the form re-encrypts updated secret fields.

Security: How VolatiCloud Protects Your Keys

API keys are the most sensitive credential you give us, and security is layered defensively to keep them safe at rest, in transit, and at runtime.

Withdrawal-Disabled Enforcement

VolatiCloud only accepts keys with the withdrawal permission disabled. When you save a connection, the backend probes the exchange's permission API; if the key has any withdrawal scope enabled, the connection is rejected with a message asking you to regenerate the key without it.

This is a hard guarantee enforced in the backend (see api/internal/exchange/permissions.go). Even if VolatiCloud's database were fully compromised, an attacker could attempt adverse trades but could not initiate withdrawals.

For deeper background, see Security — API Keys.

Field-Level Encryption at Rest

API keys, secrets, passphrases, and private keys are encrypted with AES-256-GCM before they reach the database. Each value gets a fresh per-field nonce, and ciphertext is prefixed with $vc_enc$v1$ so we can roll out encryption gracefully (plaintext values written before encryption shipped still decrypt as plaintext).

The encryption is applied at the ENT hook layer for these paths:

  • exchange.config.api_key, api_secret, password, private_key
  • runner.config.docker.certPEM, keyPEM, caPEM
  • runner.s3_config.accessKeyId, secretAccessKey

Architectural background: ADR-0026 — Field-Level Encryption. Implementation: Security — Encryption.

Audit Logs

Every read of a sensitive field is logged with requester identity, resource ID, timestamp, and user agent. Audit logs are visible to organization admins and exportable to CSV. See Security — Encryption — Audit Logs.

View-Secrets Permission

Sensitive fields are gated by the view-secrets UMA scope. Regular organization members can use a public exchange connection in their bots without ever seeing the underlying credentials — only users explicitly granted view-secrets can read keys back from the API. This makes it safe to share an exchange connection across a team.

API Key Permissions Required

For VolatiCloud to trade on your behalf, your exchange API key needs these permissions:

PermissionRequired forRequired by VolatiCloud
Read / QueryFetching balances, positions, market dataYes
Trade (Spot)Placing spot ordersYes (if running spot bots)
Trade (Futures)Placing futures ordersYes (if running futures bots)
Trade (Margin)Borrowing and margin ordersYes (if running margin bots)
WithdrawWithdrawing funds off-exchangeNo — never grant this
danger

Never grant Withdraw permission to a VolatiCloud-bound API key. Trading bots have no need for withdrawal access, and VolatiCloud explicitly rejects keys that have it. This is the single most important hardening step you can take on the exchange side.

  1. Use a sub-account dedicated to bot trading, separate from your personal account.
  2. Disable withdrawals. VolatiCloud will reject the key if you don't, but disable it at source.
  3. Disable scopes you don't use. Spot-only strategies don't need futures scope. Long-only strategies don't need margin scope.
  4. Set IP allowlisting to restrict the key to VolatiCloud's runner egress IPs (see Egress IPs).
  5. Rotate keys every 90 days. Replace the key in the VolatiCloud connection, verify the next trade event, then revoke the old key on the exchange.
  6. Start in Dry Run for a few days before flipping to live trading.

Dry Run vs Live

The same exchange connection works for both modes:

  • Dry Run — VolatiCloud uses the key to fetch live market data and prices, but no real orders are placed. Trades are simulated locally at real-market quotes.
  • Live — Real orders are placed on the exchange using your key.

For initial testing of a new connection, attach it to a Dry Run bot first to confirm the key authenticates and market data flows correctly. Then flip the same bot's mode to live (or create a new live bot reusing the connection).

Visibility and Sharing

Exchange connections are private by default — only the creator and users with explicit access can see them. You can mark a connection public within your organization so other members can attach bots to it; sensitive credentials remain hidden behind the view-secrets scope.

Unlike strategies and bots, exchange connections cannot be made public across organizations — they always belong to a single org.

Multiple Exchanges

You can add as many exchange connections as your plan allows and run different bots on different exchanges, or even on different sub-accounts of the same exchange. Plan limits on the number of exchange connections appear on the Plans & Pricing page.

Next Steps

Learn more