Security and API keys
How Coinrule stores your exchange API keys and what security practices to follow.
Coinrule stores your exchange API keys encrypted in Postgres using Fernet symmetric encryption — keys are decrypted only by the execution engine at runtime and are never logged or exposed via any API response. This article covers the credential storage model, supported authentication methods, and API key best practices.
How your credentials are stored
Exchange API keys and secrets are stored encrypted in Postgres using Fernet symmetric encryption. The encryption key is managed as an environment secret and is never stored alongside the credential data. Keys are decrypted by the execution engine at runtime for order placement and are never logged or returned via any API response.
Coinrule never stores your exchange password or 2FA codes — connection is always via API key or wallet signature.
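The following added example, which is not Coinrule's code, audits stored column values against the public Fernet token layout without decrypting them: it flags plaintext values, tokens authenticated under a different key, and tokens encrypted longer ago than a threshold. The variable name CREDENTIAL_FERNET_KEY, the 90-day threshold, the key and the sample rows are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os
import struct

KEY_ENV = "CREDENTIAL_FERNET_KEY"  # hypothetical variable name (assumption)

def signing_key_from_env(env=os.environ) -> bytes:
    """A Fernet key is 32 bytes, base64url: signing half, then encryption half."""
    raw = base64.urlsafe_b64decode(env[KEY_ENV])
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:16]  # the audit needs only the HMAC half, never the AES half

def audit_value(value: str, signing_key: bytes, now: int, max_age_s: int) -> str:
    """Classify one stored column value without decrypting it."""
    try:
        raw = base64.urlsafe_b64decode(value.encode())
    except ValueError:  # binascii.Error is a ValueError
        return "not-a-token"
    # Layout: 0x80 | 8-byte timestamp | 16-byte IV | AES-CBC blocks | 32-byte HMAC
    if len(raw) < 73 or raw[0] != 0x80 or (len(raw) - 57) % 16:
        return "not-a-token"
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "wrong-key-or-tampered"
    (issued,) = struct.unpack(">Q", raw[1:9])
    return "stale" if now - issued > max_age_s else "ok"

def sample_token(signing_key: bytes, issued: int) -> str:
    """Constructed test token: correct framing and HMAC, placeholder ciphertext."""
    body = b"\x80" + struct.pack(">Q", issued) + bytes(16) + bytes(32)
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()

def demo() -> dict:
    env = {KEY_ENV: base64.urlsafe_b64encode(bytes(range(32))).decode()}  # constructed key
    key, now, day = signing_key_from_env(env), 1_700_000_000, 86_400
    rows = {  # constructed rows standing in for the credentials table
        "fresh": sample_token(key, now - day),
        "old": sample_token(key, now - 120 * day),
        "other-key": sample_token(b"\x01" * 16, now),
        "plaintext": "plaintext-api-secret",
    }
    return {rid: audit_value(v, key, now, 90 * day) for rid, v in rows.items()}

if __name__ == "__main__":
    print(demo())
```

The Fernet timestamp records when a value was encrypted, not when the exchange issued the API key, so "stale" here only means the stored token has not been re-encrypted within the threshold.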
Authentication
Coinrule uses Privy for authentication. Supported login methods:
- Email + passcode (passwordless one-time code)
- Google OAuth
- Apple
- MetaMask or another EVM wallet (used by DeFi / Hyperliquid users)
Session management
Sessions are managed by Privy. To sign out of all devices, go to Settings → Account → Sign out.
API key best practices
See API key permissions and security for guidance on scoping keys to minimum permissions, setting IP restrictions, and choosing a rotation schedule.