Proper API key management is essential for security. This section covers required permissions, security best practices, and how to verify your connection.
Required API Permissions
For all supported brokers, Flows.Trading requires the following minimum permissions:
Essential Permissions (Must Enable):
- Read Account Information: Access to balances, positions, and account status
- Read Trading History: Historical trades and transaction records
- Place Orders: Market, limit, and stop order placement
- Cancel/Modify Orders: Order management capabilities
Prohibited Permissions (Never Enable):
- Withdrawals: Never enable withdrawal permissions for security
- Transfers: Do not allow fund transfers between accounts
- Sub-account Management: Not required for trading
⚠️ Critical: Enabling withdrawal permissions creates unnecessary risk. Flows.Trading never needs to withdraw funds from your account.
Security Best Practices
Follow these guidelines to keep your API keys and account secure.
IP Whitelisting:
- Restrict API access to known and trusted IP addresses whenever possible.
- This reduces the attack surface for unauthorized access.
- Check your exchange’s API settings for IP restriction options.
Regular Key Rotation:
- Update API keys periodically (recommended: quarterly) to minimize exposure.
- Rotate immediately if you suspect any compromise or unusual activity.
Monitor API Usage:
- Regularly review your broker’s API logs for unusual activity.
- Look for unauthorized logins, suspicious trade patterns, or unexpected order placements.
- Most exchanges provide API activity logs in their security settings.
Separate Trading Keys:
- Use dedicated API keys exclusively for Flows.Trading.
- Do not reuse keys across multiple platforms or applications.
- This allows for easier tracking and revocation if needed.
User Environment Security:
- Even with strong platform security, risks remain if your network is compromised or your computer is infected.
- Users are responsible for maintaining secure personal environments, including:
  - Antivirus protection
  - Updated operating systems
  - Secure network access (avoid public Wi-Fi for trading)
  - Strong passwords and two-factor authentication (2FA) on exchange accounts
Pro tip: Enable 2FA on your exchange account. Even if someone gets your API key, they still can’t log into your account without the 2FA code.
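To make the permission rules above and the IP whitelisting, key rotation and dedicated-key guidance concrete, here is an added Python audit helper (example code, not part of Flows.Trading or any broker's API). The permission names, the ApiKey record and the sample keys are hypothetical; each broker's own permission flags would need to be mapped onto these names before auditing.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical normalised permission vocabulary; map each broker's own flag
# names onto these before calling audit_key().
REQUIRED = {"read_account", "read_history", "place_orders", "manage_orders"}
PROHIBITED = {"withdraw", "transfer", "subaccount_admin"}
MAX_KEY_AGE_DAYS = 90  # quarterly rotation, as recommended above
ANY_ADDRESS = ("0.0.0.0/0", "::/0")  # allowlist entries that allow everyone


@dataclass
class ApiKey:
    """Hypothetical record describing one broker API key's configuration."""
    label: str
    permissions: set
    created: date
    ip_allowlist: list = field(default_factory=list)
    shared_with_other_apps: bool = False


def audit_key(key: ApiKey, today: date) -> list:
    """Return a list of findings; an empty list means the key passes every check."""
    findings = []
    missing = REQUIRED - key.permissions
    if missing:
        findings.append(f"missing required permissions: {sorted(missing)}")
    forbidden = PROHIBITED & key.permissions
    if forbidden:
        findings.append(f"prohibited permissions enabled: {sorted(forbidden)}")
    if not key.ip_allowlist:
        findings.append("no IP allowlist configured")
    elif any(ip in ANY_ADDRESS for ip in key.ip_allowlist):
        findings.append("IP allowlist permits any address")
    age = (today - key.created).days
    if age > MAX_KEY_AGE_DAYS:
        findings.append(f"key is {age} days old; rotate (limit {MAX_KEY_AGE_DAYS})")
    if key.shared_with_other_apps:
        findings.append("key reused across applications; issue a dedicated key")
    return findings


# Constructed sample keys for illustration (addresses are documentation ranges).
GOOD_KEY = ApiKey("flows-trading", set(REQUIRED), date(2024, 3, 1), ["203.0.113.10"])
BAD_KEY = ApiKey("legacy", {"read_account", "withdraw"}, date(2023, 1, 1), [], True)

if __name__ == "__main__":
    for key in (GOOD_KEY, BAD_KEY):
        print(key.label, audit_key(key, date(2024, 5, 1)) or ["OK"])
```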
Permission Verification
After connecting, verify your API permissions are correctly configured by testing each function:
- Check account balance display accuracy – Does your balance match what’s shown on the exchange?
- Confirm order placement functionality – Place a small test order (market or limit) and verify it executes.
- Verify trade history synchronization – Check that past trades appear in the Journal.
- Test order modification capabilities – Place a limit order, then modify or cancel it.
If any of these fail, double-check your API permissions on the exchange and reconnect.
Try it now: After connecting a broker, go through each verification step to confirm everything works correctly.