Security checklist for 3Commas API keys

DATE PUBLISHED: JAN 2, 2023
DATE UPDATED: JUN 29, 2023

3Commas is constantly improving the protection of your API keys and adding new safety and security layers. Below you will find the steps our tech team has taken recently to make 3Commas more secure, and the actions you can take to make sure your API keys are safe.

Introducing Sign Center

Sign Center is secure API key storage that is isolated at both the infrastructure and access levels to ensure the security of our systems. When 3Commas makes a trade request with an exchange, 3Commas servers ask the Sign Center to sign the transaction that needs to be executed, much as you would have MetaMask or Ledger sign a transaction.
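A minimal in-process model of the signing pattern described above, as an added example that is not 3Commas code. The `SignCenter`, `TradingServer` and `exchange_verify` names, the `/order` path, the HMAC-SHA256 scheme and the path allowlist are all assumptions, since the page does not describe the signing algorithm or Sign Center's interface.

```python
import hashlib
import hmac
from urllib.parse import urlencode

DEMO_KEY_ID = "key-1"                      # constructed sample values
DEMO_SECRET = b"constructed-demo-secret"


def canonical(method, path, params):
    """Stable byte string that both the signer and the verifier compute."""
    query = urlencode(sorted(params.items()))
    return f"{method.upper()}\n{path}\n{query}".encode()


class SignCenter:
    """Only component that holds secrets; callers receive signatures only."""

    def __init__(self, secrets, allowed_paths):
        self._secrets = dict(secrets)
        self._allowed_paths = frozenset(allowed_paths)

    def sign(self, key_id, method, path, params):
        # Assumed policy: refuse paths outside the allowlist, so a compromised
        # caller cannot use the signer for arbitrary requests.
        if path not in self._allowed_paths:
            raise PermissionError(f"path not permitted: {path}")
        secret = self._secrets[key_id]     # KeyError for unknown key ids
        message = canonical(method, path, params)
        return hmac.new(secret, message, hashlib.sha256).hexdigest()


class TradingServer:
    """Application server: knows a key id, never the secret itself."""

    def __init__(self, sign_center, key_id):
        self.sign_center = sign_center
        self.key_id = key_id

    def build_order(self, symbol, side, quantity):
        params = {"symbol": symbol, "side": side, "quantity": quantity}
        sig = self.sign_center.sign(self.key_id, "POST", "/order", params)
        return {"method": "POST", "path": "/order", "params": params, "signature": sig}


def exchange_verify(secret, request):
    """Exchange side: recompute the HMAC and compare in constant time."""
    message = canonical(request["method"], request["path"], request["params"])
    expected = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, request["signature"])
```

In a real deployment the two classes would run on separate hosts behind an authenticated channel; here they share a process only to show which side holds the secret.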

Bringing in API Key IP Whitelisting

We are expanding the list of exchanges with IP whitelisting functionality. When you create an API key at your exchange, you can specify an IP whitelist. The IP whitelist can be used to restrict the API key to certain IP addresses, thereby blocking any trading activity outside 3Commas. An API key created this way can't be added to any other account on 3Commas, which makes any attempt to steal API keys pointless, as they simply cannot be used.

Presenting Fast Connect

Exchanges that are focusing on better serving traders are adding Fast Connect to their tech roadmaps. Fast Connect can help users quickly authorize specific account permissions, create API keys, and automatically connect to third-party API link platforms.

Fast Connect allows you to log in to your exchange account via the quick connect function on the 3Commas platform. It can automatically generate API keys and bind them to our platform, so you can start using 3Commas services without manually creating API keys.

Revoking old keys by partner CEXes

Since becoming aware of the supposed hacker's post on December 28, 2022, we have requested that Binance, KuCoin and other supported exchanges revoke all keys that were connected to 3Commas. 

For those who have not updated their API keys after December 28, we strongly recommend doing so. If you need help with updating your API keys, please check our guide.

Is 3Commas safe now?

At the time of writing, we have seventeen partner exchanges accessible to our traders. While our tech team is in the process of introducing maximum layers of security for each of them, we would like to give you more transparency. Below you will find a table that will help you make informed decisions about connecting new API keys.

We've worked hard to introduce whitelisting to more exchanges and we will be updating the table below to keep you informed about the new launches.

New API keys secured by: Sign center | IP Whitelisting | Fast Connect, subject to dev roadmap of exchanges
Old API keys: Revoked by exchange on our request

Binance: ✔️ ✔️ ✔️ ✔️
OKX: ✔️ ✔️ ✔️ ✔️
KuCoin: ✔️ ✔️ ✔️
Coinbase Pro: ✔️ ✔️ ✔️
Binance TR: ✔️ ✔️ ✔️
Binance US: ✔️ ✔️ ✔️
Bitfinex: ✔️ ✔️ ✔️
Bitstamp: ✔️ ✔️ ✔️
Bittrex: ✔️ ✔️ ✔️
Bybit: ✔️ ✔️ ✔️ ✔️
Crypto.com: ✔️ ✔️ ✔️
Deribit: ✔️ ✔️ ✔️
Gate.io: ✔️ ✔️ ✔️ ✔️
Gemini: ✔️ ✔️
Huobi: ✔️ ✔️ ✔️
Kraken: ✔️ ✔️ ✔️

*Since Coinbase Pro has disabled the creation of new trading API keys, connecting and editing Coinbase Pro accounts is not available for now. Please follow the guide to whitelist your current API connection.

Stopping use of a specific CEX

If you want to stop using a specific exchange account with 3Commas and select another one, there are a few things you need to be aware of and check:

  • Any trading history from within 3Commas for this account will be deleted
  • Any configured bots and SmartTrade templates for this account will be deleted
  • Any active bot deals, SmartTrades or orders created within 3Commas for this exchange account will need to be canceled
  • If you configured any custom TradingView alerts that used this account, they will need to be deleted on your TradingView.com account.

Once you've checked the above, you can proceed to the https://apps.3commas.io/accounts page. Simply find the account to remove, click the Options button, then choose "Delete".

Important: Please remember to log in to your exchange's website and delete the API key; otherwise it will remain active and is a security risk.