Security & Trust

Your API keys are sensitive. Here's exactly how we protect them—and why you can trust us with them.


The Most Important Thing

TokenBot cannot withdraw your funds. Ever.

When you create API keys for TokenBot, you enable only the "read" and "trade" permissions. Withdrawal permissions stay OFF. Even if someone obtained your API key from us, they could not move your money: the exchange itself refuses withdrawal requests made with a key that lacks that permission, so the restriction does not depend on TokenBot's security.

Your funds stay on your exchange, under your control.


How We Protect Your API Keys

Encryption at Rest

Your API keys are encrypted with AES-256 before they are stored. This is the same standard used by banks and governments.

Even if someone accessed our database, they'd see only ciphertext, not your actual keys. Without the decryption keys, that ciphertext is useless.
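As an added illustration of the encryption-at-rest model described above (example code written for this page, not TokenBot's own implementation), the Go program below stores an exchange API secret with AES-256-GCM. The row type, the function names and the sample secret are assumptions made for the demonstration, and the encryption key is generated in memory where a real deployment would fetch it from a key-management service. It shows the two properties this section relies on: the stored row holds only ciphertext, and that ciphertext is useless without the key, because decryption with the wrong key, with a tampered byte, or against a different user's row fails authentication instead of returning anything.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// StoredKey is the assumed shape of a database row for one exchange API
// secret: ciphertext and nonce only. The plaintext secret and the 32-byte
// encryption key never appear in the row.
type StoredKey struct {
	UserID   string
	Exchange string
	Nonce    []byte // 12-byte random nonce, unique per encryption
	Cipher   []byte // AES-256-GCM ciphertext with the 16-byte auth tag appended
}

// rowContext is the additional authenticated data: it ties a ciphertext to
// the user and exchange it was encrypted for, so a ciphertext copied into
// another user's row fails authentication instead of decrypting.
func rowContext(userID, exchange string) []byte {
	return []byte(userID + "\x00" + exchange)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("encryption key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts apiSecret for storage. A fresh random nonce is drawn for
// every call; reusing a nonce under the same key would break GCM.
func Seal(key []byte, userID, exchange, apiSecret string) (StoredKey, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return StoredKey{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredKey{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(apiSecret), rowContext(userID, exchange))
	return StoredKey{UserID: userID, Exchange: exchange, Nonce: nonce, Cipher: ct}, nil
}

// Open decrypts a stored row. GCM verifies the auth tag before returning
// plaintext, so a wrong key, a flipped ciphertext byte, or a row whose
// user/exchange no longer match all fail with the same error.
func Open(key []byte, row StoredKey) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, row.Nonce, row.Cipher, rowContext(row.UserID, row.Exchange))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, tampered ciphertext, or mismatched row")
	}
	return string(pt), nil
}

func main() {
	// In production the key would come from a KMS or HSM; here it is
	// generated in memory for the demonstration and never written anywhere.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample secret, not a real credential.
	row, err := Seal(key, "user-42", "exchange-a", "constructed-api-secret-123")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored ciphertext:", hex.EncodeToString(row.Cipher))

	secret, err := Open(key, row)
	fmt.Println("decrypt with correct key:", secret, err)

	wrongKey := make([]byte, 32)
	_, err = Open(wrongKey, row)
	fmt.Println("decrypt with wrong key:", err)

	moved := row
	moved.UserID = "user-99"
	_, err = Open(key, moved)
	fmt.Println("row moved to another user:", err)
}
```

The authenticated-data binding is the detail worth copying: without it, an attacker with write access to the database could move one user's ciphertext into another row and have the application decrypt it in the wrong context.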

Encryption in Transit

All communication between your browser and TokenBot uses TLS 1.3. Data traveling over the internet is protected from interception and tampering.

Secure Infrastructure

TokenBot runs on AWS (Amazon Web Services) with:

  • Encrypted storage volumes

  • Private network isolation

  • Regular security patches

  • Multi-region redundancy

No Human Access

Our staff cannot see your raw API keys. The encryption happens automatically, and we don't have the ability to decrypt them for viewing.


What API Keys Can and Cannot Do

When you create API keys, you choose their permissions. Here's what TokenBot needs:

Required Permissions

  Permission   Why we need it
  Read         See your open orders and positions
  Trade        Place buy and sell orders

NOT Required (Keep These OFF)

  Permission   Why OFF
  Withdraw     TokenBot never needs to move your funds
  Transfer     No need to move funds between accounts
  Futures      Enable only if you trade futures through TokenBot; otherwise keep it OFF


Best Practices for API Keys

Follow these guidelines to maximize security:

1. Never Enable Withdrawal

Even though TokenBot doesn't need it, some people enable all permissions by default. Don't. Always keep withdrawal OFF.

2. Use IP Whitelisting (When Available)

Many exchanges let you restrict an API key to specific IP addresses. If you know TokenBot's IP range (we can provide it), whitelist only those IPs. The exchange then rejects requests made with that key from anywhere else, so a copy of the key is worthless outside that range.

3. Create Dedicated Keys

Don't reuse API keys across services. Create a separate key specifically for TokenBot. If you ever want to revoke access, you can delete just that key.

4. Rotate Keys Periodically

Every few months, create new keys, update them in TokenBot, then delete the old keys on your exchange. This limits the window of exposure if an old key was compromised without your knowledge.

5. Use Strong Exchange Security

  • Enable 2FA on your exchange account

  • Use a unique, strong password

  • Check login history regularly


What Happens If We Get Hacked?

Let's address the worst-case scenario directly.

If TokenBot were breached:

  1. Attackers would find encrypted API keys, useless without the decryption keys

  2. Even if a key were decrypted, the exchange would refuse any withdrawal made with it; the key could still place trades until you revoke it, which is why step 4 matters

  3. On detecting the breach, we'd notify all users immediately

  4. You could revoke your API keys on each exchange in minutes

Bottom line: Even a breach could not result in your funds being withdrawn. Revoke the affected keys anyway, so that a stolen key cannot place trades either.


You're Always in Control

Revoking Access

Want to stop using TokenBot? Here's how to fully disconnect:

  1. Log into each exchange

  2. Go to API management

  3. Delete the keys you gave to TokenBot

That's it. The keys stop working immediately. TokenBot can no longer interact with your account.

Deleting Your Account

When you delete your TokenBot account:

  • All your API keys are permanently deleted from our systems

  • Your trading history is removed

  • Your personal information is erased

We don't keep your data after you leave.


Our Security Practices

Regular Audits

We conduct security audits to identify and fix vulnerabilities before they can be exploited.

Penetration Testing

External security researchers test our systems, trying to find weaknesses. We fix anything they find.

Bug Bounty Program

Security researchers who discover vulnerabilities can report them responsibly and receive recognition.

Incident Response

We have documented procedures for responding to security incidents, including immediate user notification.


Comparing Security Models

  Model                      Fund safety                     Example
  Custody (they hold funds)  ⚠️ Platform can lose/steal      FTX, Mt. Gox
  Smart contract             ⚠️ Contract bugs = lost funds   Various DeFi hacks
  API key (no withdraw)      ✅ Funds stay on exchange        TokenBot

Of the three, TokenBot's model carries the least custody risk: we never hold your funds and never have access to move your money.


Frequently Asked Questions

Can TokenBot staff see my trades?

Our systems can see trade data (to copy them), but individual staff members don't have dashboards showing your activity. Data access is logged and restricted.

What if an exchange gets hacked?

An exchange breach is outside TokenBot's control. We recommend spreading funds across multiple exchanges, which TokenBot makes easy to manage.

Is my personal information secure?

Yes. We store minimal personal data, all encrypted. We never sell data to third parties.

How do I report a security issue?

Email [email protected]. We take all reports seriously and respond promptly.


Summary

  Concern                          Answer
  Can TokenBot withdraw my money?  No
  Are my API keys encrypted?       Yes, AES-256
  Can staff see my keys?           No
  Can I revoke access instantly?   Yes, delete the keys on your exchange
  What if TokenBot gets hacked?    Keys are encrypted; even decrypted, they cannot withdraw


Next Steps

Feel confident about security?

Get started with TokenBot →

Still have questions?

Join our Discord for support →
