# Security & Trust

**Your API keys are sensitive. Here's exactly how TokenBot protects them—and why the CLI-first design keeps you in control.**

***

## The Most Important Thing

**TokenBot cannot withdraw your funds. Ever.**

When you create API keys for TokenBot, you only enable "trade" permissions. Withdrawal permissions stay OFF. Even if someone obtained your API key, they couldn't move your money.

Your funds stay on your exchange, under your control.

***

## Your Identity Is a Keypair, Not a Password

There is no TokenBot password to phish, reuse, or leak. When you run `tokenbot init`, the CLI generates a **secp256k1 keypair** on your machine:

* Your **private key** never leaves your computer. It's encrypted with a passphrase you choose (using scrypt for key derivation and a NaCl secretbox / XSalsa20-Poly1305 for encryption) and stored at `~/.tokenbot/config.json` with `0600` permissions.
* Your **public key** is registered with TokenBot.
* Every request the CLI makes is **cryptographically signed** with your private key. The server verifies the signature, the timestamp, and a one-time nonce — so requests can't be forged or replayed.

If you lose your passphrase, you lose access — by design. Nobody at TokenBot can recover it for you.

***

## Where Your Exchange Keys Live (The Hybrid Model)

TokenBot deliberately gives you two independent places to keep exchange API keys, and they are **never mirrored**:

### Local keys — they never leave your machine

`tokenbot keys add` encrypts your exchange credentials and stores them at `~/.tokenbot/keys.json` (encryption keyed from your own identity). These keys are used **only** by local commands such as `tokenbot balance`, which builds a CCXT client in your terminal and talks to the exchange directly.

**The server never sees these keys.** This is the strongest option: your credentials physically stay on your computer.

### Server-side accounts — only when you opt in

If you want the automated trading and market-making engines to work for you, you register an exchange account with `tokenbot exchange add`. Those credentials are sent to TokenBot and stored **encrypted in AWS Secrets Manager**, used only by the scheduled server-side engines.

You choose which model to use. Many users keep keys local for manual work and only register accounts when they want automation.

***

## How We Protect Server-Side Data

### Encryption at Rest

Server-side exchange credentials are stored in **AWS Secrets Manager** with encryption at rest. Even with database access, an attacker sees encrypted material, not raw keys.

### Encryption in Transit

All communication with TokenBot's APIs uses **TLS**, and every CLI request is additionally **signed** with your private key. Data is protected in transit and authenticated end to end.

### Secure Infrastructure

TokenBot runs on AWS with:

* Encrypted storage
* Private network isolation
* Regular security patches
* Scheduled, least-privilege execution for the bots

***

## What API Keys Can and Cannot Do

When you create API keys, you choose their permissions. Here's what TokenBot needs:

### Required Permissions

| Permission | Why We Need It                                |
| ---------- | --------------------------------------------- |
| **Read**   | See your open orders, positions, and balances |
| **Trade**  | Place buy and sell orders                     |

### NOT Required (Keep These OFF)

| Permission              | Why OFF                                 |
| ----------------------- | --------------------------------------- |
| **Withdraw**            | TokenBot never needs to move your funds |
| **Transfer**            | No need to move between accounts        |
| **Futures (sometimes)** | Only if you trade futures               |

***

## Best Practices for API Keys

### 1. Never Enable Withdrawal

Even though TokenBot doesn't need it, some people enable all permissions by default. Don't. Always keep withdrawal OFF.

### 2. Prefer Local Keys for Manual Work

If you only need commands like `tokenbot balance`, store keys locally with `tokenbot keys add` so they never touch a server.

### 3. Use a Strong Passphrase

Your `~/.tokenbot` files are encrypted with your passphrase. Choose a strong, unique one, and back it up somewhere safe — it can't be recovered.

### 4. Use IP Whitelisting (When Available)

Many exchanges let you restrict API keys to specific IP addresses. For local keys, whitelist your own IP. For server-side accounts, contact us for the bot IP ranges.

### 5. Create Dedicated Keys & Rotate Them

Create a separate API key specifically for TokenBot, and rotate it periodically. If you ever want to revoke access, delete just that key on your exchange.

### 6. Use Strong Exchange Security

* Enable 2FA on your exchange account
* Use a unique, strong password
* Check login history regularly

***

## What Happens If We Get Hacked?

Let's address the worst-case scenario directly.

**If TokenBot's servers were breached:**

1. **Local keys are not there to steal** — they live only on your machine.
2. Server-side credentials are encrypted in AWS Secrets Manager.
3. Even decrypted, keys cannot withdraw funds.
4. We'd detect the breach and notify affected users.
5. You could revoke your API keys on each exchange in minutes.

**Bottom line:** Even a breach couldn't result in stolen funds.

***

## You're Always in Control

### Revoking Access

Want to stop using TokenBot? To fully disconnect:

1. **Log into each exchange**
2. **Go to API management**
3. **Delete the keys** you created for TokenBot

The keys stop working immediately.

### Removing Local Data

```bash
tokenbot logout
```

This deletes your local config and encrypted key store (`~/.tokenbot/config.json` and `~/.tokenbot/keys.json`).

### Deleting Your Account

To remove your server-side account and data, contact <support@tokenbot.com>. We don't keep your data after you leave (subject to legal retention requirements).

***

## Our Security Practices

### Regular Audits & Penetration Testing

We conduct security reviews and engage external researchers to find and fix vulnerabilities before they can be exploited.

### Bug Bounty

Security researchers who discover vulnerabilities can report them responsibly. Email **<security@tokenbot.com>**.

### Incident Response

We have documented procedures for responding to security incidents, including user notification.

***

## Comparing Security Models

| Model                         | Fund Safety                   | Example            |
| ----------------------------- | ----------------------------- | ------------------ |
| **Custody (they hold funds)** | ⚠️ Platform can lose/steal    | FTX, Mt. Gox       |
| **Smart contract**            | ⚠️ Contract bugs = lost funds | Various DeFi hacks |
| **API key (no withdraw)**     | ✅ Funds stay on exchange      | TokenBot           |

TokenBot's model is among the safest because we never have the ability to move your money — and with local keys, we may not hold your credentials at all.

***

## Frequently Asked Questions

### Can TokenBot staff see my keys?

Local keys: no — they're encrypted on your machine and never transmitted. Server-side credentials: stored encrypted in AWS Secrets Manager; access is restricted and logged.

### What if an exchange gets hacked?

That's on the exchange, not TokenBot. We recommend spreading funds across multiple exchanges—which TokenBot makes easy to manage.

### Is my personal information secure?

We store minimal personal data, encrypted. We never sell data to third parties.

### How do I report a security issue?

Email <security@tokenbot.com>. We take all reports seriously and respond promptly.

***

## Summary

| Concern                         | Answer                                                   |
| ------------------------------- | -------------------------------------------------------- |
| How do I authenticate?          | A secp256k1 keypair — no passwords                       |
| Can TokenBot withdraw my money? | No                                                       |
| Where do my exchange keys live? | Locally encrypted, or (opt-in) in AWS Secrets Manager    |
| Can staff see my local keys?    | No — they never leave your machine                       |
| Can I revoke access instantly?  | Yes, delete the keys on your exchange                    |
| What if TokenBot gets hacked?   | Keys are encrypted (or local), and can't withdraw anyway |

***

## Next Steps

Feel confident about security?

```bash
npm install -g tokenbot && tokenbot init
```

Still have questions? Email <support@tokenbot.com> or follow [@TokenBotV2 on X](https://x.com/tokenbot).
