API keys: run a bot without giving up custody
API keys are what allow a bot to trade without ever touching your funds. Learn what they are, which permissions to grant, and how to use them safely.
If there's one concept that makes it possible to use a trading bot without handing over custody of your funds, it's the API key. It's the technical bridge between CodeBot and your exchange account — and, when properly configured, it lets the bot trade for you while keeping your money firmly under your control. This article explains what API keys are, which permissions to grant, and how to use them safely.
What an API key is
API stands for "application programming interface." In practice, it's the channel through which one program talks to another. An API key is a pair of credentials — usually a public key and a secret key — that you generate in your exchange dashboard to authorize an external application to interact with your account in a controlled way.
The big advantage over handing out your login and password is fine-grained control. A login and password grant total access. An API key, on the other hand, can be limited to doing only certain things. That granularity is what lets you authorize a bot to trade without authorizing it to withdraw.
The permissions that matter
When you create an API key, the exchange typically offers a set of permissions you can toggle on or off. To use a non-custodial bot like CodeBot, the ideal configuration is clear:
- Read: allow it. The bot needs to see your balance and your positions.
- Trade (spot/derivatives, as applicable): allow it. This is what lets the bot place buy and sell orders.
- Withdraw: do NOT allow it. This is the one permission that should never be granted to a bot.
With withdrawal disabled, even if the key fell into the wrong hands, there would be no way to transfer your funds out of the account. The possible damage is limited to trades inside the account itself — and you can shut everything down by revoking the key.
The golden rule is simple: grant trade, deny withdrawal. A trading bot never needs withdrawal permission to do its job.
Security best practices
Setting the permissions correctly is the most important step, but there are other practices that reinforce security when working with API keys. They apply to any tool, not just CodeBot:
- Create a dedicated key for the bot, separate from any other integrations you use.
- Confirm that withdrawal permission is disabled before activating the key.
- If your exchange supports it, restrict the key to a list of authorized IPs.
- Store the secret key carefully — it's shown only once, at creation.
- Review your active keys periodically and revoke any you're no longer using.
Revoking is instant and in your hands
One of the most reassuring aspects of the API key model is that the power to switch things off never leaves you. If at any point you want to stop the bot, just log in to your exchange dashboard and revoke the key. Access is cut off immediately, with no withdrawals to approve, no support tickets to open, no waiting periods. It's the equivalent of pulling the plug — and only you have a hand on the cord.
That reversibility is what separates, in practice, authorizing from depositing. When you deposit into a custodial platform, getting your money back depends on them. When you authorize via API key, removing the authorization depends only on you.
How CodeBot uses your keys
CodeBot uses your API key strictly for what it was designed for: reading the state of your account and sending trade orders according to the strategy. Because the system is non-custodial by design, it doesn't ask for — and has no use for — withdrawal permission. All of the bot's work happens within the limits you set when creating the key, and every trade is recorded in your exchange's history for you to verify.
Conclusion
API keys are the technology that makes non-custodial automated trading possible. Properly configured — trade enabled, withdrawal denied — they allow a bot like CodeBot to work for you without ever laying a hand on your money. Add solid security practices and the power to revoke access at any moment, and you have an arrangement where automation and control coexist. In the end, that's what this is all about: letting the robot trade while custody stays with the person it belongs to — you.
This content is educational and does not constitute investment advice. Trading cryptocurrencies involves risk of loss and no results are guaranteed.