API keys are the most sensitive credentials you’ll use on Flows.Trading. Proper handling is critical.
How API Keys Are Protected
Encryption at rest:
- API keys are encrypted immediately upon entry.
- They are never stored in plaintext anywhere in the system.
Limited visibility:
- API keys are never displayed after initial entry (only the first/last few characters may be shown for identification).
- You cannot view your full API key or secret after saving it.
Access control:
- Only your authenticated session can use your API keys.
- Keys are never transmitted to other users or third parties.
Your Responsibilities
- Never share your API keys with anyone, including support staff.
- Use IP whitelisting on your exchange to restrict access.
- Rotate keys regularly (quarterly recommended).
- Revoke keys immediately if you suspect compromise.
Try it now: Review your connected brokers and verify that all API keys have the minimum required permissions, with no withdrawals enabled.