
API Crypto Trading: How It Works And Is It Secure?


How to use API keys for crypto trading bots and the security of API asset management

One Button Capital
August 17, 2022

In this article, we explain how platforms like One Button Capital can make trades on your exchange account (Binance, FTX, Kraken, etc.) through an API, and we cover the security measures and potential vulnerabilities around it.

What is an API?

An API (Application Programming Interface) is a set of programming instructions that allows two software programs to interact.

An API is like a language that lets different software apps talk to each other.

In the case of One Button Capital, it allows our software to optimize and effectively manage your crypto portfolio directly on your exchange account.

Why is it needed?

The API is needed for external services to perform actions on your account. One Button Capital uses the API for the following:

  • Fetch your account data (asset balance, trade history, open orders)
  • Place orders and execute trades
  • Cancel orders

The API is a direct link between One Button Capital and your exchange account.

APIs are commonly used among modern asset managers and robo-advisors because they enhance financial management in 3 ways:

  1. You have more control over your capital. You no longer need to send your funds to an external party to use their investment strategies. Instead, the funds can stay and be managed directly in your exchange account. Additionally, you can disable API integration and withdraw access to your assets at any moment.
  2. You have more transparency over your capital. Since the trading is executed on your exchange account, you see exactly what happens with your assets. Therefore, you can easily verify the PnL, drawdown, and other data of an external asset manager.
  3. It simplifies the user experience. To use a certain trading strategy or work with an asset manager, you just create and link your API key in 5 minutes. No need for extensive paperwork and other operational overhead.

How does it work?

Using automated trading through API is significantly easier compared to traditional asset management. The strategy activation process is fully automatic and takes 5–10 minutes to complete. In the case of One Button Capital, all you have to do is to sign up for an OBC account, connect your cryptocurrency exchange with an API key, and choose the allocation size in USDT or USDC. That’s it, the rest will be taken care of by the software. You can view the product demo here.

After activating your One Button Capital account from an email invitation, simply follow the onboarding process on the website to link your API key. Here is the tutorial on how to connect your Binance API key to One Button Capital.

So how exactly does One Button Capital trade on my exchange?

The API trading process involves a series of steps to ensure a) the safety of the connection and user’s assets, b) the accuracy of data, and c) the consistency of service.

Here is how the API trading process looks step by step at One Button Capital:

  1. Every 4 hours, an AI model (strategy) scans the market and generates the output (buy/sell/hold signal) and % of the portfolio to trade. The signal is subsequently sent to the trading bot linked to the user’s exchange account.
  2. To ensure safety, the bot then performs various security checks and validates that the signal was indeed generated by the model associated with the bot.
  3. After all the checks are passed, the bot sends a request to the user’s exchange account to place a trade.
  4. After the successful trade, the bot fetches the data from the user’s account (trade history, balance, and position sizes) and updates the AI model.

A few things worth noting:

  • The AI models and trading bots are stored and operated on One Button Capital servers.
  • The user data and funds are stored and managed on the servers/wallets of an exchange.
  • The requests sent by a model to a trading bot and from a trading bot to an exchange are end-to-end encrypted to avoid leaking sensitive data.

What are the limitations and the capacity of Binance API?

For Binance there are three different types of limits, all of which are subject to change at any time:

  1. Hard-limits
  2. ML (Machine Learning) Limits
  3. WAF (Web Application Firewall) Limits

The Hard-Limits specifically are:

  • 1,200 request weight per minute (keep in mind that this is not necessarily the same as 1,200 requests)
  • 50 orders per 10 seconds
  • 160,000 orders per 24 hours

Additionally, Binance does not restrict you in the volume you can trade in a day. On some markets, you are allowed to make a market order up to 306 BTC, which is more than enough for 99.999% of crypto holders.

How to create an API key?

See API tutorials for Binance/Binance.US, Kraken, Bitpanda Pro, and Bitvavo.

How secure is API trading?

While API keys open the door to data analysis, trading bots, and other automation, crypto traders may not be fully aware of the risks associated with sharing API credentials with non-trustworthy third parties.

API Security

As a user, you can set different levels of permissions for your API keys.

To ensure the safety of your assets, don’t enable withdrawal/deposit access when linking your API key to an external platform. The bots need only trade access to function.

API keys are stored encrypted in the One Button Capital database. In case anyone ever gets access to the database, all they would see is a random string of characters without any meaning.

Example with a random API key.

The API keys are not visible on the One Button Capital app interface. So if anyone gets access to your app account, they cannot access your keys.

The bots can only execute trades on the markets they were assigned to. If the bot receives a buy/sell signal to trade on another market pair, this signal will be ignored.

The bots are limited to the position size assigned to them. If the bot receives a buy/sell signal to trade with a higher size than it currently holds, the signal will be ignored.

In case there is irregular trading activity noticed on an exchange account (the daily volume is 10x higher than the bot position size), a user will be immediately notified by email and Telegram.
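The checks described above (step 2 of the trading process, the assigned-market and position-size limits, and the 10x volume alert) can be sketched as follows. This is an added example, not One Button Capital's code: the HMAC signature scheme, the signal fields, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class BotConfig:
    model_key: bytes       # secret shared with the bot's model (assumption)
    markets: frozenset     # market pairs assigned to this bot
    position_size: float   # size assigned to this bot, in quote currency

def sign_signal(key: bytes, signal: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the signal."""
    body = json.dumps(signal, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def check_signal(cfg: BotConfig, signal: dict, tag: str) -> tuple:
    """Return (accepted, reason); rejected signals are ignored, not traded."""
    expected = sign_signal(cfg.model_key, signal)
    if not hmac.compare_digest(expected, tag):      # constant-time compare
        return False, "not_from_assigned_model"
    if signal.get("side") not in ("buy", "sell", "hold"):
        return False, "unknown_side"
    if signal.get("symbol") not in cfg.markets:
        return False, "market_not_assigned"
    size = signal.get("size", 0)
    if not isinstance(size, (int, float)) or not 0 <= size <= cfg.position_size:
        return False, "size_exceeds_position"
    return True, "ok"

def irregular_activity(cfg: BotConfig, daily_volume: float) -> bool:
    """True when daily volume is more than 10x the bot's position size."""
    return daily_volume > 10 * cfg.position_size

# Constructed sample data (not real keys, markets or sizes)
CFG = BotConfig(b"demo-key-not-a-real-secret", frozenset({"BTCUSDT"}), 1000.0)
GOOD = {"symbol": "BTCUSDT", "side": "buy", "size": 250.0}
OTHER_MARKET = {"symbol": "DOGEUSDT", "side": "buy", "size": 250.0}
TOO_BIG = {"symbol": "BTCUSDT", "side": "sell", "size": 5000.0}

if __name__ == "__main__":
    for s in (GOOD, OTHER_MARKET, TOO_BIG):
        print(s["symbol"], s["size"], check_signal(CFG, s, sign_signal(CFG.model_key, s)))
    print("forged:", check_signal(CFG, GOOD, "0" * 64))
    print("alert:", irregular_activity(CFG, 12000.0))
```

The signature is verified before any field of the signal is trusted, so a tampered or forged signal is dropped before the market and size checks run.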

To generate a new API key, you need to use 2FA (2-factor authentication).

The newly generated API secret can only be viewed once. If you later want to view existing API credentials, you can only see the API key; the API secret is hidden forever.

Further security tips

There is a slight chance that users themselves may expose an API key. Therefore:

  • Never store your API keys on shared accounts or databases
  • Never store your API keys in a non-encrypted text format
  • Never write and store your API keys on paper or another physical medium
  • If you lose access to your API key, delete it and create a new one

Even if, after all the security precautions, a malicious actor gains access to the API keys, a) they cannot withdraw any funds, and b) they are limited by the API restrictions described in the paragraph above. Additionally, if using the One Button Capital platform, the affected user will be automatically notified and can disable the API key immediately.

Whitelist API Trading Symbol
If you are certain which market pairs you want your AI to trade, you can use the API trading symbol whitelist function on Binance to restrict a sub-account's Spot/Margin trading to the trading pairs selected by the Master Account.

That will further enhance the security of your account and ensure that there will be no trading outside your chosen market pairs through the API.

IP whitelist
Another safety measure to secure your funds from hacks is to use an IP whitelist function on your exchange. That will restrict your API to accepting trades only from the IP addresses in the list.

For maximum security and convenience, we will email you our list of IPs once you register on the One Button trading app. Those are the IP addresses we use on our servers to run the trading AIs. You can then add them to the ‘trusted IPs only’ tab when creating an API key.
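Before linking a key, the two recommendations above (trade-only permissions and an IP whitelist) can be checked against the key's settings. This is an added example, not part of the original article: the field names are assumed to follow the response of Binance's `GET /sapi/v1/account/apiRestrictions` endpoint, the function name is hypothetical, and the sample responses and IP addresses (documentation range 203.0.113.0/24) are constructed.

```python
import ipaddress
import json

def audit_key(restrictions: dict, key_ips: list, platform_ips: list) -> list:
    """Return a list of findings; an empty list means the key is trade-only
    and restricted to the platform's addresses."""
    findings = []
    # Fail closed: a missing field is treated as the unsafe value.
    if restrictions.get("enableWithdrawals", True):
        findings.append("withdrawals_enabled")
    if not restrictions.get("enableReading", False):
        findings.append("read_access_missing")
    if not restrictions.get("enableSpotAndMarginTrading", False):
        findings.append("trade_access_missing")
    if not restrictions.get("ipRestrict", False):
        findings.append("no_ip_restriction")
    # Every trusted IP on the key must be one the platform told you about.
    allowed = {ipaddress.ip_address(ip) for ip in platform_ips}
    for ip in key_ips:
        if ipaddress.ip_address(ip) not in allowed:
            findings.append(f"unexpected_trusted_ip:{ip}")
    return findings

# Constructed sample responses (assumed field names, made-up values)
WEAK_KEY = json.loads("""{"ipRestrict": false, "enableWithdrawals": true,
  "enableReading": true, "enableSpotAndMarginTrading": true}""")
HARDENED_KEY = json.loads("""{"ipRestrict": true, "enableWithdrawals": false,
  "enableReading": true, "enableSpotAndMarginTrading": true}""")
PLATFORM_IPS = ["203.0.113.10", "203.0.113.11"]   # list emailed by the platform

if __name__ == "__main__":
    print(audit_key(WEAK_KEY, [], PLATFORM_IPS))
    print(audit_key(HARDENED_KEY, ["203.0.113.10", "203.0.113.11"], PLATFORM_IPS))
    print(audit_key(HARDENED_KEY, ["203.0.113.10", "198.51.100.7"], PLATFORM_IPS))
```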

Conclusion

Using an Application Programming Interface (API) as a middleman in your crypto trading gives you more control and transparency over your capital. It also simplifies the user experience and makes automated trading a lot easier.

You can connect your exchange to the One Button Capital app via an API key following a couple of steps. API keys are stored encrypted in the One Button Capital database and our software performs several security checks before executing any actions via your API.

Disclaimer: This article is for informational purposes only
