Exchange Connections on VolatiCloud
An Exchange in VolatiCloud is a saved connection to a cryptocurrency exchange — your API key, secret, and any extra credentials (passphrase for OKX or KuCoin, EVM wallet for Hyperliquid) — that bots use to fetch market data and place orders. You connect an exchange once, and then any bot you create can use that connection without re-entering credentials.
This page covers how to add a connection through the guided wizard, what permissions to enable on the exchange side, and how VolatiCloud protects your keys at rest and at runtime. For per-exchange API setup walkthroughs, see Supported Exchanges.
Supported Exchanges (14 venues)
VolatiCloud supports every exchange Freqtrade integrates with. The catalog is the single source of truth in api/internal/exchange/catalog.go, and adding a new exchange is a one-line change in that file.
| Exchange | Spot | Futures | Margin | Passphrase | Notes |
|---|---|---|---|---|---|
| Binance | Yes | Yes | Yes | — | Largest exchange by volume |
| Binance US | Yes | — | — | — | US-regulated; spot only |
| BingX | Yes | — | — | — | Spot and copy trading |
| Bitget | Yes | Yes | — | — | Strong futures liquidity |
| BitMart | Yes | — | — | — | Broad altcoin coverage |
| Bitvavo | Yes | — | — | — | Dutch DNB-regulated |
| Bybit | Yes | Yes | — | — | Major derivatives venue |
| Gate.io | Yes | Yes | — | — | Extensive altcoin and futures markets |
| HTX | Yes | — | — | — | Formerly Huobi |
| Hyperliquid | Yes | Yes | — | — | On-chain perpetuals DEX |
| Kraken | Yes | Yes | — | — | US-based, long-running |
| KuCoin | Yes | — | — | Required | Early altcoin listings |
| OKX | Yes | Yes | — | Required | Global, deep order books |
| MyOKX (EEA) | Yes | Yes | — | Required | OKX endpoint for EEA users (my.okx.com) |
For per-exchange API key creation steps, IP allowlisting, and link domains, see Supported Exchanges.
Adding an Exchange — The Two-Step Wizard
When you click Add Exchange, VolatiCloud opens a guided two-step wizard inside a single drawer. No JSON, no YAML, no Freqtrade config knowledge required for the common path.

Step 1 — Pick the Exchange
The first screen is a visual grid of cards, one per supported venue, with brand colors and a one-line description. Click the card for the exchange you want to connect.

Step 2 — Enter Credentials
The drawer transitions to a credentials form scoped to the exchange you picked. Required fields:
| Field | Description |
|---|---|
| Connection name | Label for this connection (e.g., "Binance Production", "KuCoin Sub-Account") |
| API key | The exchange-issued API key |
| API secret | The exchange-issued API secret |
| Passphrase | Required only for OKX, MyOKX, and KuCoin |
Use the Open API Management helper link to jump directly to the exchange's API page if you haven't created keys yet. Click Connect Exchange to save — VolatiCloud will probe the key to verify it has the trade scope and reject it if withdrawal capability is enabled.
Advanced Mode
Need full Freqtrade configuration control — custom pair whitelists, ccxt_config, trading-mode overrides? Click Advanced Mode in the wizard to switch to the raw JSON config form. The wizard handles 95% of cases; Advanced Mode is the escape hatch.
The wizard sets a wildcard pair whitelist (.*) by default, meaning bots can trade any available pair on this exchange. Edit the connection later to narrow this if you want to restrict bots to specific markets.
Editing an Exchange Connection
Open the Actions menu (⋮) on the exchange row in the list and select Edit. The edit form always renders the full configuration — you can update API keys, change pair whitelists, switch trading modes, or modify any field at any time. Saving the form re-encrypts updated secret fields.
Security: How VolatiCloud Protects Your Keys
API keys are the most sensitive credential you give us, and security is layered defensively to keep them safe at rest, in transit, and at runtime.
Withdrawal-Disabled Enforcement
VolatiCloud only accepts keys with the withdrawal permission disabled. When you save a connection, the backend probes the exchange's permission API; if the key has any withdrawal scope enabled, the connection is rejected with a message asking you to regenerate the key without it.
This is a hard guarantee enforced in the backend (see api/internal/exchange/permissions.go). Even if VolatiCloud's database were fully compromised, an attacker could attempt adverse trades but could not initiate withdrawals.
For deeper background, see Security — API Keys.
Field-Level Encryption at Rest
API keys, secrets, passphrases, and private keys are encrypted with AES-256-GCM before they reach the database. Each value gets a fresh per-field nonce, and ciphertext is prefixed with $vc_enc$v1$ so we can roll out encryption gracefully (plaintext values written before encryption shipped still decrypt as plaintext).
The encryption is applied at the ENT hook layer for these paths:
exchange.config.api_key,api_secret,password,private_keyrunner.config.docker.certPEM,keyPEM,caPEMrunner.s3_config.accessKeyId,secretAccessKey
Architectural background: ADR-0026 — Field-Level Encryption. Implementation: Security — Encryption.
Audit Logs
Every read of a sensitive field is logged with requester identity, resource ID, timestamp, and user agent. Audit logs are visible to organization admins and exportable to CSV. See Security — Encryption — Audit Logs.
View-Secrets Permission
Sensitive fields are gated by the view-secrets UMA scope. Regular organization members can use a public exchange connection in their bots without ever seeing the underlying credentials — only users explicitly granted view-secrets can read keys back from the API. This makes it safe to share an exchange connection across a team.
API Key Permissions Required
For VolatiCloud to trade on your behalf, your exchange API key needs these permissions:
| Permission | Required for | Required by VolatiCloud |
|---|---|---|
| Read / Query | Fetching balances, positions, market data | Yes |
| Trade (Spot) | Placing spot orders | Yes (if running spot bots) |
| Trade (Futures) | Placing futures orders | Yes (if running futures bots) |
| Trade (Margin) | Borrowing and margin orders | Yes (if running margin bots) |
| Withdraw | Withdrawing funds off-exchange | No — never grant this |
Never grant Withdraw permission to a VolatiCloud-bound API key. Trading bots have no need for withdrawal access, and VolatiCloud explicitly rejects keys that have it. This is the single most important hardening step you can take on the exchange side.
Recommended Setup
- Use a sub-account dedicated to bot trading, separate from your personal account.
- Disable withdrawals. VolatiCloud will reject the key if you don't, but disable it at source.
- Disable scopes you don't use. Spot-only strategies don't need futures scope. Long-only strategies don't need margin scope.
- Set IP allowlisting to restrict the key to VolatiCloud's runner egress IPs (see Egress IPs).
- Rotate keys every 90 days. Replace the key in the VolatiCloud connection, verify the next trade event, then revoke the old key on the exchange.
- Start in Dry Run for a few days before flipping to live trading.
Dry Run vs Live
The same exchange connection works for both modes:
- Dry Run — VolatiCloud uses the key to fetch live market data and prices, but no real orders are placed. Trades are simulated locally at real-market quotes.
- Live — Real orders are placed on the exchange using your key.
For initial testing of a new connection, attach it to a Dry Run bot first to confirm the key authenticates and market data flows correctly. Then flip the same bot's mode to live (or create a new live bot reusing the connection).
Visibility and Sharing
Exchange connections are private by default — only the creator and users with explicit access can see them. You can mark a connection public within your organization so other members can attach bots to it; sensitive credentials remain hidden behind the view-secrets scope.
Unlike strategies and bots, exchange connections cannot be made public across organizations — they always belong to a single org.
Multiple Exchanges
You can add as many exchange connections as your plan allows and run different bots on different exchanges, or even on different sub-accounts of the same exchange. Plan limits on the number of exchange connections appear on the Plans & Pricing page.
Next Steps
- Supported Exchanges — Per-exchange API key setup walkthroughs.
- Creating a Bot — Attach an exchange to a bot and start trading.
- Security — API Keys — Withdrawal-disabled enforcement, rotation cadence, audit logs.
Learn more
- Blog: Multi-Exchange Crypto Trading — How VolatiCloud connects to 14 exchanges through a single unified interface.