

2025 Security checklist for 3Commas API keys
3Commas is constantly improving and adding new safety and security layers to your API keys. Below you will find the steps our tech team has taken recently to make 3Commas more secure, and the actions you can take to make sure your API keys are safe.
Introducing Sign Center
Sign Center is secure API key storage that is isolated at both the infrastructure and access levels to ensure the security of our systems. When 3Commas makes a trade request with an exchange, 3Commas servers ask the Sign Center to sign the transaction that needs to be executed, very similar to how you would have MetaMask or Ledger sign a transaction.
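The request flow described above, reduced to a sketch (an added example, not 3Commas code): a signing service keeps the exchange secret and hands back only signatures, so the component that builds orders never holds the key. The HMAC-SHA256 scheme, the `/v1/...` paths, the endpoint policy and all names are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode

class SigningService:
    """Stands in for an isolated signer: secrets go in, only signatures come out."""

    # Assumption: the signer enforces its own endpoint policy (hypothetical paths).
    ALLOWED_PATHS = {"/v1/order", "/v1/order/cancel"}

    def __init__(self, secrets_by_account):
        self._secrets = dict(secrets_by_account)

    def sign(self, account_id, path, params):
        if path not in self.ALLOWED_PATHS:
            raise PermissionError(f"signing refused for {path}")
        if account_id not in self._secrets:
            raise KeyError(f"no key stored for {account_id}")
        payload = path + "?" + urlencode(sorted(params.items()))
        return hmac.new(self._secrets[account_id], payload.encode(),
                        hashlib.sha256).hexdigest()

def build_request(signer, account_id, path, params):
    """Trading-server side: assembles the request without ever holding the secret."""
    return {"path": path, "params": dict(params),
            "signature": signer.sign(account_id, path, params)}

def exchange_accepts(secret, request):
    """Exchange side (simulated): recompute the HMAC and compare in constant time."""
    payload = request["path"] + "?" + urlencode(sorted(request["params"].items()))
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, request["signature"])

# Constructed sample data: a made-up secret and order.
DEMO_SECRET = b"constructed-demo-secret"
SIGNER = SigningService({"acct-1": DEMO_SECRET})
ORDER = {"symbol": "BTCUSDT", "side": "BUY", "quantity": "0.01", "timestamp": 1735689600000}

if __name__ == "__main__":
    req = build_request(SIGNER, "acct-1", "/v1/order", ORDER)
    print(exchange_accepts(DEMO_SECRET, req))   # signed request verifies
    req["params"]["quantity"] = "5"
    print(exchange_accepts(DEMO_SECRET, req))   # tampered request does not
```

A compromise of the order-building side yields requests and signatures but not the secret, and the signer's own path policy limits what can be signed at all.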
Bringing in API Key IP Whitelisting
We are extending IP whitelisting functionality to more exchanges. When you create an API key at your exchange, you can specify an IP whitelist. The IP whitelist can be used to restrict the API key to certain IP addresses, thereby blocking any trading activity outside 3Commas. The created API key can’t be added to any other account on 3Commas, which makes any attempt to steal API keys pointless as they simply cannot be used.
Presenting Fast Connect
Exchanges that focus on better serving traders are including Fast Connect in their tech roadmaps. Fast Connect can help users quickly authorize specific account permissions, create API keys, and automatically connect to third-party API link platforms.
Fast Connect allows you to log in to your exchange account via the quick connect function on the 3Commas platform. It can automatically generate API keys and bind them to our platform, so you can start using 3Commas services without manually creating API keys.
Revoking old keys by partner CEXes
Since becoming aware of the supposed hacker's post on December 28, 2022, we have requested that Binance, KuCoin and other supported exchanges revoke all keys that were connected to 3Commas.
For those who have not updated their API keys after December 28, we strongly recommend doing so. If you need help with updating your API keys, please check our guide.
Is 3Commas safe now?
At the time of writing, we have seventeen partner exchanges accessible to our traders. While our tech team is in the process of introducing maximum layers of security for each of those, we would like to give you more transparency. Below you will find a table that will help you make informed decisions on connecting new API keys.
We've worked hard to introduce whitelisting to more exchanges and we will be updating the table below to keep you informed about the new launches.
Exchange | New API keys secured by: Sign Center | New API keys secured by: IP Whitelisting | New API keys secured by: Fast Connect (subject to dev roadmap of exchanges) | Old API keys: Revoked by exchange on our request |
---|---|---|---|---|
Binance | ✔️ | ✔️ | ✔️ | ✔️ |
OKX | ✔️ | ✔️ | ✔️ | ✔️ |
KuCoin | ✔️ | ✔️ | ❌ | ✔️ |
Coinbase Pro | ✔️ | ✔️ | ❌ | ✔️ |
Binance TR | ✔️ | ✔️ | ❌ | ✔️ |
Binance US | ✔️ | ✔️ | ❌ | ✔️ |
Bitfinex | ✔️ | ✔️ | ❌ | ✔️ |
Bitstamp | ✔️ | ✔️ | ❌ | ✔️ |
Bittrex | ✔️ | ✔️ | ❌ | ✔️ |
Bybit | ✔️ | ✔️ | ✔️ | ✔️ |
Crypto.com | ✔️ | ✔️ | ❌ | ✔️ |
Deribit | ✔️ | ✔️ | ❌ | ✔️ |
Gate.io | ✔️ | ✔️ | ✔️ | ✔️ |
Gemini | ✔️ | ❌ | ❌ | ✔️ |
Huobi | ✔️ | ✔️ | ❌ | ✔️ |
Kraken | ✔️ | ✔️ | ❌ | ✔️ |
*Since Coinbase Pro has disabled the creation of new trading API keys, connecting and editing Coinbase Pro accounts is not available for now. Please follow the guide to whitelist your current API connection.
Stopping use of a specific CEX
If you want to stop using a specific exchange account with 3Commas and select another one, there are a few things you need to be aware of and check:
- Any trading history from within 3Commas for this account will be deleted
- Any configured bots and SmartTrade templates for this account will be deleted
- Any active bot deals, SmartTrades or orders created within 3Commas for this exchange account will need to be canceled
- If you configured any custom TradingView alerts that used this account, they will need to be deleted on your TradingView.com account.
Once you've checked the above, you can proceed to the https://apps.3commas.io/accounts page. Simply find the account to remove, click the Options button, then choose "Delete".
Important: Please remember to log in to your exchange's website and delete the API key, otherwise it will remain active and pose a security risk.
2025 Update: Strengthening API Key Protection in a Changing Threat Landscape
As automated crypto trading becomes more sophisticated, with professionals increasingly relying on tools like AI crypto trading bots or auto-trading bot setups, securing API keys has become mission-critical. In 2025, threat actors continue targeting API connections as potential entry points into trading accounts. To support professional traders and asset managers using 3Commas as a software provider, we’ve updated our API security checklist to reflect current best practices.
1. Limit API Permissions Based on Role-Specific Use Cases
Modern multi-account strategies—especially when run through automated crypto trading software—demand tighter access controls. For example, a team member focused solely on analytics doesn’t need access to execute trades. Limiting permissions per user role not only enforces security but also aligns with institutional oversight policies.
2. Rotate Keys Quarterly or After Any Workflow Change
Regular key rotation is no longer optional. Traders deploying AI crypto trading bots or operating complex grid and DCA bots should schedule quarterly API key rotations, especially after switching strategies or restructuring connected services.
3. Use IP Whitelisting With Care
Most major exchanges and automated cryptocurrency trading bot software now support IP exemption lists. When using cloud services or a third-party VPS to operate a crypto trading bot, ensure all IPs are registered and current. This is especially important if you're running a bot to trade crypto remotely or automating execution across multiple venues.
4. Avoid Reusing Keys Across Services
Avoid using the same API key for multiple tools—whether for a crypto trading signal bot, portfolio dashboard, or tax software. Assigning unique keys to each integration reduces your attack surface and helps isolate issues if a single service becomes compromised.
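Checklist items 1 to 4 can be checked mechanically against a key inventory. The audit below is an added example, not part of the original checklist or any 3Commas tool; the inventory fields, role names, permission names and the 90-day reading of "quarterly" are assumptions, and the records are constructed.

```python
from collections import defaultdict
from datetime import date

# Assumed policy (hypothetical role and permission names).
ROLE_POLICY = {"analytics": {"read"}, "trading-bot": {"read", "trade"}}
MAX_AGE_DAYS = 90  # quarterly rotation

def audit_keys(inventory, today):
    """Return sorted (key_id, finding) pairs covering checklist items 1-4."""
    findings, used_by = set(), defaultdict(set)
    for rec in inventory:
        kid = rec["key_id"]
        used_by[kid].add(rec["service"])
        # 1. Permissions beyond what the role needs.
        extra = set(rec["permissions"]) - ROLE_POLICY.get(rec["role"], set())
        if extra:
            findings.add((kid, "excess permissions: " + ",".join(sorted(extra))))
        # 2. Key older than the rotation window.
        if (today - rec["created"]).days > MAX_AGE_DAYS:
            findings.add((kid, "rotation overdue"))
        # 3. Allowlist missing, or not covering the hosts the bot runs on.
        missing = set(rec["egress_ips"]) - set(rec["ip_allowlist"])
        if not rec["ip_allowlist"]:
            findings.add((kid, "no IP allowlist"))
        elif missing:
            findings.add((kid, "egress IP not allowlisted: " + ",".join(sorted(missing))))
    # 4. One key shared by several integrations.
    for kid, services in used_by.items():
        if len(services) > 1:
            findings.add((kid, "reused by: " + ",".join(sorted(services))))
    return sorted(findings)

# Constructed inventory; IPs are from documentation ranges.
INVENTORY = [
    {"key_id": "key-A", "service": "grid-bot", "role": "trading-bot",
     "permissions": ["read", "trade"], "created": date(2025, 1, 10),
     "ip_allowlist": ["203.0.113.10"], "egress_ips": ["203.0.113.10", "198.51.100.7"]},
    {"key_id": "key-B", "service": "dashboard", "role": "analytics",
     "permissions": ["read", "trade"], "created": date(2024, 6, 1),
     "ip_allowlist": [], "egress_ips": []},
    {"key_id": "key-B", "service": "tax-tool", "role": "analytics",
     "permissions": ["read"], "created": date(2024, 6, 1),
     "ip_allowlist": [], "egress_ips": []},
]

if __name__ == "__main__":
    for key_id, finding in audit_keys(INVENTORY, date(2025, 3, 1)):
        print(key_id, "-", finding)
```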
5. Monitor API Usage and Configure Alerts
If your exchange supports API monitoring, use it. Especially when managing AI-based crypto trading bots or any automated crypto trading bot, it’s critical to detect anomalies quickly. Alerts for unauthorized pair access or trade execution outside normal parameters can serve as early warnings of compromise.
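The alerts described in item 5 can be expressed as a baseline check over API activity logs. This is an added example, not an exchange or 3Commas feature: the log format, the per-key baseline and every value in it are constructed for illustration.

```python
import re

# Assumed log format (constructed for this example, not an exchange's real format).
LINE_RE = re.compile(
    r"(?P<ts>\S+) key=(?P<key>\S+) ip=(?P<ip>\S+) "
    r"pair=(?P<pair>\S+) notional=(?P<notional>\d+(?:\.\d+)?)"
)

# Assumed per-key baseline of "normal parameters" (hypothetical values).
BASELINE = {
    "key-A": {"ips": {"203.0.113.10"}, "pairs": {"BTC/USDT", "ETH/USDT"},
              "max_notional": 1000.0},
}

def detect(lines, baseline=BASELINE):
    """Return (timestamp, reason) alerts for activity outside the baseline."""
    alerts = []
    for raw in lines:
        m = LINE_RE.fullmatch(raw.strip())
        if m is None:
            alerts.append(("?", "unparsed line"))
            continue
        base = baseline.get(m["key"])
        if base is None:
            alerts.append((m["ts"], "unknown key: " + m["key"]))
            continue
        if m["ip"] not in base["ips"]:
            alerts.append((m["ts"], "source IP not allowlisted: " + m["ip"]))
        if m["pair"] not in base["pairs"]:
            alerts.append((m["ts"], "unexpected pair: " + m["pair"]))
        if float(m["notional"]) > base["max_notional"]:
            alerts.append((m["ts"], "size above baseline: " + m["notional"]))
    return alerts

# Constructed sample log lines.
SAMPLE_LOG = """\
2025-03-01T10:00:00Z key=key-A ip=203.0.113.10 pair=BTC/USDT notional=250
2025-03-01T10:05:00Z key=key-A ip=203.0.113.10 pair=XYZ/USDT notional=9500
2025-03-01T10:06:00Z key=key-A ip=198.51.100.7 pair=ETH/USDT notional=100
2025-03-01T10:07:00Z key=key-Z ip=203.0.113.10 pair=BTC/USDT notional=10
""".splitlines()

if __name__ == "__main__":
    for ts, reason in detect(SAMPLE_LOG):
        print(ts, reason)
```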
Final Note
Whether you’re deploying a cryptocurrency auto-trading bot across multiple exchanges or using a lightweight automated cryptocurrency trading setup, secure API key management is essential. 3Commas, as a software provider, remains committed to delivering robust features that support encrypted key storage, permission control, and safe automation.
