Managing your API keys properly is one of the most important responsibilities you have as a trader.
Even the most advanced trading platform cannot protect you if your API credentials are misconfigured or if your computer environment is insecure.
This guide explains:
- Which permissions Flows.Trading requires
- Which permissions must never be enabled
- How to keep your environment and API keys safe
- How to verify that your connection works correctly
- Critical warnings every trader should know
Our objective is simple: give you full control and full clarity—while keeping your funds 100% safe.
Required API Permissions
Flows.Trading only requires the minimum permissions necessary for chart trading, monitoring, and order execution.
✅ Essential Permissions (Must Enable)
These permissions are required for the platform to function correctly:
- Read Account Information
  Allows balance, positions, and account status retrieval.
- Read Trading History
  Necessary to sync past trades into the Trading Journal.
- Place Orders
  Enables market, limit, and stop orders from the trading interface.
- Cancel/Modify Orders
  Required for editing or cancelling open orders from the platform.
❌ Prohibited Permissions (Never Enable)
For your safety, never activate these permissions:
- Withdrawals
  There is never a reason to enable this. Flows.Trading will never request or require withdrawal access.
- Transfers
  Disallow any feature that moves funds between accounts.
- Sub-account Management
  Not required for trading and introduces unnecessary risk.
⚠️ Critical:
Enabling withdrawal or transfer permissions creates significant security exposure. Flows.Trading does not use, need, or access these features.
Security Best Practices
These practices dramatically reduce risk and help you maintain a safe trading environment.
1. IP Whitelisting
If your exchange supports IP restrictions:
- Restrict API access to known and trusted IP addresses
- Prevent access from unknown networks
- Review your exchange’s IP restriction settings often
This is one of the strongest security layers you can enable.
2. Regular Key Rotation
Rotating your keys helps minimize long-term exposure:
- Update API keys periodically (recommended every 90 days)
- Replace them immediately if:
  - you log in on a new device
  - your PC behaves oddly
  - you suspect malware
  - an unauthorized login appears on your exchange
3. Monitor API Usage
Your exchange provides API activity logs. Check them regularly:
- Look for unknown IP addresses
- Unexpected order placements
- Odd login times
- Failed authentication attempts
If anything looks suspicious, revoke the key immediately.
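As an added example (not Flows.Trading or exchange code), the Python script below applies these four checks to an exported API activity log. The CSV layout, the trusted IP range, and the active hours are assumptions made for illustration; adapt them to what your exchange actually exports.

```python
import csv
import io
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample export; the column layout is an assumption, not a real exchange format.
SAMPLE_LOG = """timestamp,source_ip,action,result
2024-05-02T09:14:03+00:00,203.0.113.10,auth,ok
2024-05-02T09:14:05+00:00,203.0.113.10,place_order,ok
2024-05-03T03:41:17+00:00,198.51.100.77,auth,failed
2024-05-03T03:41:19+00:00,198.51.100.77,auth,failed
2024-05-03T03:41:22+00:00,198.51.100.77,auth,ok
2024-05-03T03:41:30+00:00,198.51.100.77,place_order,ok
2024-05-03T10:02:44+00:00,203.0.113.10,cancel_order,ok
"""

TRUSTED_NETWORKS = [ip_network("203.0.113.0/28")]  # assumed: the range you whitelisted
ACTIVE_HOURS_UTC = range(7, 21)                    # assumed: hours you normally trade


def review_api_log(text, trusted=TRUSTED_NETWORKS, hours=ACTIVE_HOURS_UTC):
    """Return [(line_number, [reasons])] for each log entry that looks suspicious."""
    findings = []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        try:
            ts = datetime.fromisoformat(row["timestamp"]).astimezone(timezone.utc)
            ip = ip_address(row["source_ip"])
        except (KeyError, TypeError, ValueError):
            # A line that cannot be parsed is itself worth a manual look.
            findings.append((lineno, ["unparseable entry"]))
            continue
        known_ip = any(ip in net for net in trusted)
        off_hours = ts.hour not in hours
        reasons = []
        if not known_ip:
            reasons.append("unknown IP address")
        if row["action"] == "auth" and row["result"] == "failed":
            reasons.append("failed authentication attempt")
        if row["action"] == "auth" and off_hours:
            reasons.append("odd login time")
        if row["action"] == "place_order" and (off_hours or not known_ip):
            reasons.append("unexpected order placement")
        if reasons:
            findings.append((lineno, reasons))
    return findings


if __name__ == "__main__":
    for lineno, reasons in review_api_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(reasons)}")
```

Any non-empty result is the signal to revoke the key and issue a new one.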
4. Use Separate Keys for Each Application
Never reuse API keys between platforms.
Using one dedicated key per app:
- Makes revocation easier
- Avoids unpredictable behavior across services
- Reduces exposure if one service is compromised
5. Secure Your User Environment
This is the most overlooked security point—and the most important.
Even with perfect API configuration, you are vulnerable if your computer or network is compromised.
You are responsible for maintaining a secure environment:
- Install reputable antivirus/anti-malware protection
- Keep your operating system fully updated
- Use a secure network (avoid public Wi-Fi for trading)
- Protect your exchange account with strong passwords
- Always enable Two-Factor Authentication (2FA)
💡 Pro Tip:
Even if someone steals your API key, 2FA prevents them from logging into your exchange account.
Permission Verification Checklist
After connecting your broker, confirm that everything works correctly:
- Check balance accuracy
  Ensure your balances match exactly what you see on the exchange.
- Test order placement
  Place a small test order (market or limit) and verify execution.
- Confirm history synchronization
  Past trades should appear automatically in your Journal.
- Test order modification
  Try modifying or cancelling a limit order.
If anything fails, double-check your API permissions on the exchange and reconnect the broker.
⚠️ Final Security Notice (Important Liability Disclaimer)
Flows.Trading uses secure communication standards and does not store your API keys without encryption.
However, the security of your device, network, and operating environment is entirely your responsibility.
If your computer is infected with malware, keyloggers, remote-access software, or compromised browsers, your API keys—and your exchange account—may be at risk.
To protect yourself:
- Use a secure, private computer
- Avoid installing untrusted software or browser extensions
- Keep your system protected with antivirus/anti-malware
- Do not trade from shared or public devices
- Enable 2FA on your exchange accounts
Flows.Trading cannot be held responsible for unauthorized access caused by an unsecured or compromised user environment.