3Commas Security
We’ve created this security checklist to help you ensure you use our software responsibly — and with maximum confidence about your security while trading using the 3Commas.
How does 3Commas work?
3Commas is a non-custodial software. You can use your 3Commas account to trigger and orchestrate actions on your connected exchange accounts. But, you cannot withdraw funds either directly from 3Commas or via 3Commas.
How does 3Commas connect to your exchange accounts?
3Commas connects to your exchange accounts using API keys. We offer three important pillars of security around API connections. Depending on the exchange, you can access some or all of these when you trade with us:
Sign Center
Sign Center is a secure API key storage isolated at both infrastructure and access levels to ensure the security of our systems. When 3Commas makes a trade request with an exchange, 3Commas servers ask the Sign Center to sign the transaction. This protocol is similar to how Metamask or Ledger signs a transaction.
When you create an API key with your exchange, you can specify an IP whitelist. The IP whitelist can be used to restrict the API key to certain IP addresses. You can use this tool to specifically authorize official 3Commas IP addresses — and block any others. Your created API key can’t be added to any other account on 3Commas — which means they cannot be used to initiate trades with your exchange account if the request doesn’t come from your 3Commas account.
Fast Connect
Exchanges that are focusing on better serving traders are beginning to offer Fast Connect. Fast Connect can help users quickly authorize specific account permissions, create API keys, and automatically connect to third-party API link platforms.
Fast Connect allows you to log in to your exchange account via the quick connect function on 3Commas software. It can automatically generate API keys and bind to our software, so you can start using 3Commas’ services without manually creating API keys.
Transactional access only
Our system tells your exchange account to start and close deals. It has zero access to withdraw or transfer fiat or cryptocurrencies. Your login information for your exchange is never revealed to our system. No backdoor or cache can be exploited because the API deliberately does not have the functionality to request any of your personal information from the exchange.
How does 3Commas secure user data?
On top of using the three key secure connection protocols explained above, 3Commas secures user data with tools from security services provider Cloudflare, including:
Web Application Firewall
DDOS attack protection
SSL/TLS encryption between visitors and origin servers
What can you do to keep your data safe?
When working with an exchange:
- Secure your exchange account with two-factor authentication (2FA).
- Save 2FA backup keys in a safe place.
- Use a strong and unique password/email for your exchange account.
- Don’t store secure API keys in a shared or accessible document.
- Don’t send your API keys via a message to yourself or anyone.
- Use separate API keys for different services.
- Connect exchange via Fast Connect if possible.
- Always be wary of phishing emails and ensure the authenticity of the sender — especially check those from your exchange providers.
- Set up alerts, like the one 3C Pro subscribers use on Binance that can send them messages any time there's an external trade.
Official 3Commas web and email addresses you can interact with:
- 3Commas Official URLs:
https://3commas.io
https://app.3commas.io
https://help.3commas.io
https://feedback.3commas.io
https://status.3commas.io - 3Commas Official Email Addresses:
[email protected]
[email protected]
[email protected]
[email protected] (Coinpayments are a payment processing service; you will receive messages from this address if you purchase a subscription using Cryptocurrency)
When creating an account on 3Commas:
- If connecting to 3Commas using a web browser, ensure the address is either https://3commas.io or https://app.3commas.io in your browser address bar.
- If you have created your 3Commas account with Facebook, Google or Apple ID, be sure to enable 2FA on said services. Follow the instructions for Facebook, Google and Apple.
- If you have created your 3Commas account with an email address and password:
1. Use an email address you are checking regularly (not a “spam address”)
2. Use a strong and unique password different from your email address.
3. Verify your email address (you will receive a link once you are registered).
4. Enable 2FA for your account in Settings.
When using 3Commas:
- Hide your balance when you are sharing screenshots or your interface is viewable by others.
- Log out from 3Commas if you are giving access to your device to anyone else.
- Secure your device with a password or PIN, and don’t leave it unlocked.
- Don’t share your email_token in TradingView commands.
When working with mobile devices:
- Secure your smartphone with a PIN code or biometric measure.
- Never give your device to anyone while the trading app is opened or when your Google Authenticator app is accessible.
- Always ensure that your backup codes are retrievable in the event your phone is lost or stolen.
Stopping use of a specific CEX
In case you want to stop using a specific exchange account with 3Commas and select another one, there's a few things you need to be aware of and to check:
- Any trading history from within 3Commas for this account will be deleted.
- Any configured bots and SmartTrade templates for this account will be deleted.
- Any active bot deals, SmartTrades or orders created within 3Commas for this exchange account will need to be canceled.
- If you configured any custom TradingView alerts that used this account, they will need to be deleted on your TradingView.com account.
- Once you've checked the above, you can proceed to the https://apps.3commas.io/accounts page. Simply find the account to remove, click the Options button, then choose ‘Delete’.
Important: Please remember to log in to your exchange's website and delete the API key, otherwise it will remain active and could become a security risk.
Sign center | IP Whitelisting | Fast Connect* | |
Binance | ✔️ | ✔️ | ✔️ |
OKX | ✔️ | ✔️ | ✔️ |
KuCoin | ✔️ | ✔️ | ❌ |
Binance TR | ✔️ | ✔️ | ❌ |
Binance US | ✔️ | ✔️ | ❌ |
Bitfinex | ✔️ | ✔️ | ❌ |
Bitstamp | ✔️ | ✔️ | ❌ |
Bybit | ✔️ | ✔️ | ✔️ |
Gate.io | ✔️ | ✔️ | ✔️ |
Gemini | ✔️ | ❌ | ❌ |
HTX | ✔️ | ✔️ | ❌ |
Kraken | ✔️ | ✔️ | ❌ |
Coinbase Advanced | ✔️ | ✔️ | ✔️ |
Bitget | ✔️ | ✔️ | ❌ |
*Fast Connect is a subject to development roadmap of partner exchanges
3Commas’ continuing commitment to trader security
We take software and data security very seriously at 3Commas. Blockchain and cryptocurrency services are tempting targets for malicious attacks — which is why we operate under the assumption that malicious actors may be trying to compromise our software and the community it serves at all times.
The measures and protocols we explain on this page are testament to our continuously evolving efforts to those who might seek to exploit our customers — and give you the best possible security and protection.
Important: Following security measures is vital in cryptocurrency trading. Always remember that $100 worth of a token may grow into a fortune someday. Treat every penny with respect.
