API key permissions and security
Best practices for scoping API keys to the minimum permissions Coinrule needs — and nothing else.
Coinrule needs exactly three API key permissions to operate: read balances, place spot or perpetual orders, and read order history. This article explains how to scope keys correctly, restrict them by IP address, rotate them safely, and respond immediately if a key is ever compromised.
What permissions does Coinrule need?
Coinrule only needs three things from an API key:
- Read balances — to show portfolio values and check if there's enough capital to open a position
- Place spot/perp orders — to execute strategy rules
- Read order history — to populate the trade history and P&L tracking
That's it. Never enable:
- Withdraw funds
- Transfer between accounts
- Sub-account management (unless specifically needed)
- Margin loan creation
How are API keys stored?
API keys and secrets are stored encrypted in Postgres (Account.connection_details) using Fernet, an authenticated symmetric encryption scheme (AES-128-CBC with an HMAC-SHA256 tag), so a ciphertext that has been tampered with or encrypted under a different key is rejected rather than decrypted. Keys are decrypted by the execution engine at runtime, used only to sign exchange requests, and never logged or transmitted in plaintext. Coinrule's infrastructure never stores your exchange password.
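The pattern described above, as an added example (this is not Coinrule's code, and the column name, environment variable CONNECTION_DETAILS_KEY and the HMAC-SHA256 request-signing scheme are assumptions; most exchanges sign requests this way, but check your exchange's API docs): credentials are Fernet-encrypted before they reach the database, decrypted only in the process that needs them, used to compute a request signature so the secret itself is never sent, and scrubbed from anything that is logged.

```python
import hashlib
import hmac
import json
import logging
import os
from urllib.parse import urlencode

from cryptography.fernet import Fernet, InvalidToken

# Assumption: the Fernet key comes from the environment (or a KMS), never from
# the same table as the ciphertext. A fresh key is generated here only so the
# example runs stand-alone; in production that would lose access to every row.
_FERNET_KEY = os.environ.get("CONNECTION_DETAILS_KEY") or Fernet.generate_key()
_fernet = Fernet(_FERNET_KEY)


def encrypt_credentials(api_key: str, api_secret: str) -> bytes:
    """Produce the opaque blob that would be written to connection_details."""
    blob = json.dumps({"api_key": api_key, "api_secret": api_secret}).encode()
    return _fernet.encrypt(blob)


def decrypt_credentials(token: bytes) -> tuple[str, str]:
    """Decrypt at runtime. Raises InvalidToken if the blob was altered or
    encrypted under a different key, so garbage is never used as a secret."""
    data = json.loads(_fernet.decrypt(token))
    return data["api_key"], data["api_secret"]


def is_valid_token(token: bytes) -> bool:
    """True only if the ciphertext authenticates under our key."""
    try:
        _fernet.decrypt(token)
        return True
    except InvalidToken:
        return False


def sign_request(api_secret: str, params: dict) -> str:
    """HMAC-SHA256 over the query string. Only the hex signature travels to the
    exchange alongside the API key; the secret never leaves this process."""
    query = urlencode(params)
    return hmac.new(api_secret.encode(), query.encode(), hashlib.sha256).hexdigest()


def redact(message: str, secrets) -> str:
    """Replace any occurrence of a secret value in a log line."""
    for s in secrets:
        if s:
            message = message.replace(s, "[REDACTED]")
    return message


class RedactSecrets(logging.Filter):
    """Attach to a logger so a careless log statement cannot leak the secret."""

    def __init__(self, secrets):
        super().__init__()
        self._secrets = list(secrets)

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = redact(record.getMessage(), self._secrets), ()
        return True


if __name__ == "__main__":
    # Constructed sample credentials, not real keys.
    token = encrypt_credentials("demo-key-id", "demo-secret-value")
    key, secret = decrypt_credentials(token)
    log = logging.getLogger("engine")
    log.addFilter(RedactSecrets([secret]))
    logging.basicConfig(level=logging.INFO)
    log.info("signing with key %s secret %s", key, secret)  # secret is redacted
    print(sign_request(secret, {"symbol": "BTCUSDT", "timestamp": 1700000000000}))
```

The filter is a last line of defence, not a substitute for never passing the secret to a log call in the first place; its real value is catching the exception handler that dumps a whole request object.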
Should I restrict my API key by IP?
Most exchanges let you restrict an API key to specific IP addresses. Doing this dramatically reduces the risk of a key being misused if it's ever leaked: a key copied out of a log or a laptop is useless from any other address.
Coinrule's outbound IP addresses are shown in the connection guide for each exchange. IP-restricted keys are strongly recommended for production use. One caveat: if those outbound addresses change, an IP-restricted key stops working until you update the allowlist on the exchange, so check the connection guide first if an agent reports an exchange error after nothing else changed.
How often should I rotate my key?
Rotate your API key:
- Every 90 days as a routine hygiene practice
- Immediately after any security incident or if you suspect the key was exposed
- After leaving a shared machine or removing a team member who had access
To rotate:
- Create a new key on the exchange with the same permissions
- On Coinrule: go to /connect, edit the account, and paste the new key
- Verify the new key is working
- Delete the old key on the exchange
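The scoping rules above and the create-verify-swap-delete order of the rotation procedure, as an added example (this is not Coinrule's code; the permission names, the MockExchange class and the 90-day interval check are constructed for illustration, and a real rotation would call the exchange's key-management API instead). The important property is that the old key is deleted only after the new one has passed a permission check and a live read call; if either fails, the new key is removed and the account keeps working on the old one.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# The minimal set the article lists, and the permissions that must never be on.
REQUIRED = frozenset({"read_balances", "place_orders", "read_order_history"})
FORBIDDEN = frozenset({"withdraw", "transfer", "subaccount_manage", "margin_loan"})
ROTATION_INTERVAL = timedelta(days=90)


@dataclass
class ApiKey:
    key_id: str
    permissions: frozenset
    created: date


def check_permissions(perms) -> list:
    """Return the list of scoping problems; an empty list means correctly scoped."""
    perms = frozenset(perms)
    problems = [f"missing:{p}" for p in sorted(REQUIRED - perms)]
    problems += [f"forbidden:{p}" for p in sorted(perms & FORBIDDEN)]
    return problems


def rotation_due(key: ApiKey, today_iso: str) -> bool:
    """Routine 90-day hygiene check (dates as ISO strings, e.g. '2024-04-01')."""
    return date.fromisoformat(today_iso) - key.created >= ROTATION_INTERVAL


class MockExchange:
    """Constructed stand-in for an exchange's key management and one read endpoint."""

    def __init__(self):
        self.keys = {}
        self._counter = 0

    def create_key(self, permissions, created_iso: str) -> ApiKey:
        self._counter += 1
        key = ApiKey(f"key{self._counter}", frozenset(permissions), date.fromisoformat(created_iso))
        self.keys[key.key_id] = key
        return key

    def delete_key(self, key_id: str) -> None:
        self.keys.pop(key_id, None)  # revocation is immediate

    def get_balances(self, key_id: str) -> dict:
        key = self.keys.get(key_id)
        if key is None or "read_balances" not in key.permissions:
            raise PermissionError("exchange error: key revoked or lacks read_balances")
        return {"BTC": 0.5}  # constructed balance


def rotate(exchange: MockExchange, account: dict, today_iso: str) -> dict:
    """Create -> verify -> swap -> delete. Never leaves the account without a working key."""
    old = exchange.keys[account["key_id"]]
    new = exchange.create_key(old.permissions, today_iso)  # same permissions as the old key
    try:
        problems = check_permissions(new.permissions)
        if problems:
            raise PermissionError("new key mis-scoped: " + ", ".join(problems))
        exchange.get_balances(new.key_id)  # prove the new key works before touching the old one
    except PermissionError:
        exchange.delete_key(new.key_id)  # roll back; the account still points at the old key
        raise
    account["key_id"] = new.key_id  # swap on the platform side
    exchange.delete_key(old.key_id)  # only now revoke the old key
    return account


if __name__ == "__main__":
    ex = MockExchange()
    first = ex.create_key(REQUIRED, "2024-01-01")
    acct = {"key_id": first.key_id}
    print("due:", rotation_due(first, "2024-04-01"))
    print("after rotation:", rotate(ex, acct, "2024-04-01"), "keys on exchange:", list(ex.keys))
```

Because the old key stays valid until the read check passes, running agents keep executing through the swap; the exchange error the article describes only appears if a key is revoked without a replacement in place.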
Why use a separate key for each service?
Never reuse an API key across multiple platforms. If you use both Coinrule and another automated trading service, create separate keys for each. Then a key compromised on one service can be revoked without taking the other offline, rotation happens one service at a time, and the exchange's audit log shows which service placed each order.
What if my key is compromised?
If you suspect a key has been compromised:
- Revoke the key immediately on the exchange (this is instant)
- Coinrule's active agents will pause with an "Exchange error" status within ~60 seconds
- Reconnect with a fresh key when you're ready to resume