TVSBot
Security · API Safety

Binance API Key Security
Disable Withdraw, IP Whitelist, 2FA

2026-06-03·9 min read·Must read

The first thing you do when you start using a bot, SaaS, or any automation tool is create an API Key. But 90% of people make the same mistake: they grant too many permissions. This guide covers three critical settings that cap your maximum loss if your API Key ever gets compromised.

After reading you will know: (1) why you must disable Withdraw, (2) how to set up an IP whitelist, (3) which SaaS platforms you can trust, and (4) what to do if a key leaks.

1. Why an API Key Is More Dangerous Than Your Password

The biggest difference between an API Key and a password:

  • Password: a login goes through 2FA, KYC risk control, and email confirmation on withdrawals — multiple layers of defense.
  • API Key: an attacker with the key can call the API directly, bypassing 2FA and email verification.

So an API Key is essentially handing the keys over to a machine. How many doors that key can open depends entirely on which permissions you grant it.

2. The Three Critical Settings

(1) Disable Withdraw Permission — Most Important

When you create an API Key on Binance, it asks you which permissions to enable:

  • Enable Reading (view account, view positions) — required
  • Enable Spot & Margin Trading — required for auto trading, optional if you only watch the market
  • Enable Futures — required if you want to place futures orders
  • Enable Withdrawals absolutely never check this!
  • Permits Universal Transfer — transfers between accounts; recommended to leave unchecked
Why disabling Withdraw matters so much
Even if your API Key is 100% compromised, the attacker can only use it to place orders — sell BTC for USDT, open fake positions to wash volume, and so on. But they cannot move funds out. That gives you time to spot the anomaly and disable the key, keeping losses contained. Enabling Withdraw is like handing the attacker the safe deposit key as well.

(2) IP Whitelist

On the Binance API Key settings page you can fill in "Restrict access to trusted IPs only." Once set, only requests from those IPs will be accepted.

Common scenarios:

  • Running your own bot on a VPS → enter the VPS's static IP
  • Using a SaaS platform → enter the IP published by the platform (TVSBot displays it in your dashboard)
  • Testing from your own computer → your home IP (changes frequently, not recommended)
What if you skip the IP whitelist
Binance will still let it work, but without this layer of protection. Anyone anywhere in the world can hit the API once they have the key. At a minimum, set a whitelist on your "production" keys; testing keys can be more relaxed.

(3) Enable 2FA on the Main Account

This isn't directly about API, but it's related. Recommendations:

  • Use YubiKey or Google Authenticator for 2FA on the main account, not SMS (vulnerable to SIM swap)
  • Require 2FA verification when creating each API Key
  • Whitelist withdrawal addresses (restrict withdrawals to addresses you preset)
  • Enable "unusual login email notifications"

3. Step-by-Step: Creating an API Key

Using Binance as the example (OKX, Bybit, and others are similar):

  1. Log in to Binance → click your avatar in the top right → API Management
  2. Create API → choose System generated (HMAC, most common)
  3. Fill in the Label (e.g. tvsbot-prod) so it's easy to identify later
  4. Complete 2FA verification
  5. You'll receive the API Key and Secret Key. The Secret is shown only once, so copy it immediately into a password manager (such as 1Password or Bitwarden).
  6. Click Edit restrictions next to that key:
    • Yes — Enable Reading (required)
    • Yes — Enable Spot & Margin Trading (auto spot/margin orders)
    • Yes — Enable Futures (auto futures orders)
    • No — Enable Withdrawals (never enable)
    • No — Permits Universal Transfer (skip unless needed)
  7. Restrict access to trusted IPs only → enter the SaaS platform IP (or VPS IP)
  8. Save changes

4. How to Choose a Trustworthy SaaS Platform

Two architectural choices matter most:

DimensionCustodial (bad)Non-custodial (good)
API Key storagePlatform stores plaintext / weak encryptionStrong encryption (e.g. Fernet AES-128)
Fund flowFunds held in platform walletFunds always stay in your exchange account
Single point of failurePlatform breach → all users hitPlatform breach → only encrypted keys leak (still need master key to decrypt)
Representative case3Commas (hacked for $22M)TVSBot, TradingView built-in trading panel
Lessons from the 2022 3Commas incident
A custodial SaaS pooled roughly 1 million API keys in one place. When it was breached, 100,000 keys leaked, and 44 confirmed victims lost $14.8M. For a deeper analysis see Why 3Commas Was Stolen for $22M.

5. Traffic Lights: A Trust Checklist for Platforms

Use these questions to quickly assess whether a SaaS is safe:

  • Green — Does the documentation describe the encryption scheme (Fernet / KMS / HSM)?
  • Green — Can you set an IP whitelist?
  • Green — Is there a warning about the Withdraw permission (telling users not to enable it)?
  • Green — Is there a bug bounty program?
  • Green — Is there a public security page or third-party audit report?
  • Red — Does it ask you for Withdraw permission? — walk away
  • Red — Are funds held in a "platform wallet" instead of an exchange? — custodial, high risk
  • Red — Does it skip the encryption details and just say "we're very secure"? — don't trust it

6. What to Do If Your API Key Leaks

The moment you suspect a leak (a virus on your computer, a breached SaaS, an accidental push to GitHub), do this immediately:

  1. Binance API Management → find the key → Delete
  2. Review recent orders and withdrawal history for anomalies
  3. If Withdraw was enabled and you see suspicious withdrawals → contact Binance support and file a police report immediately
  4. Create a new key (this time make sure Withdraw is disabled and IP whitelist is set)
  5. Store the new key in a password manager — never paste it into docs, Slack, or email again

7. Advanced: Multi-Key, Multi-Account Segregation

A more advanced setup: split your funds across multiple accounts or sub-accounts, each with its own API Key. That way, a problem with one key only affects the funds in that account.

  • Main account: holds most of the funds; no API Key created
  • Sub-account A: runs strategy 1, with its own key and IP whitelist
  • Sub-account B: runs strategy 2, with a separate key
  • Use Universal Transfer (manually) to move funds between sub-accounts

This is overkill for small balances, but strongly recommended once you have six figures (USD) or more on the line.

Get started

Ready to ship what you just learned?

TVSBot uses a non-custodial architecture — your API key is stored encrypted with Fernet AES-128, and the platform never holds funds directly. Full security page at /security.

Start free trial

8. TVSBot's Security Mechanisms (Transparent Disclosure)

The specific things we do:

  • Fernet AES-128 encryption: API keys stay encrypted in the DB at all times; the master key is stored only in environment variables, physically separated from the DB.
  • Withdraw detection: we regularly scan the permissions on your keys. The moment Withdraw is found enabled, we disable that key immediately and send you an email notification.
  • Order-only recommendation: every piece of documentation emphasizes disabling Withdraw.
  • Bug bounty: report a serious security vulnerability for up to a $5,000 reward.

Details on the /security page.

Related reading