How to Set Up a Binance API Key for Trading Bots: The Complete 2026 Security Guide

By Tommy Tietze, CEO of ArrowTrade AG

Your Binance account holds 10,000 USD. You want to connect a trading bot. The bot needs an API key to trade on your exchange. And right here, at this exact step, you determine whether your setup is secure or an open barn door.

Most tutorials online show you how to create an API key. Click here, click there, done. What they don't show: which permissions you must never activate, why an IP whitelist isn't optional (it's mandatory), and what happens when you make a mistake during configuration.

This guide walks through the entire setup step by step, with a focus on security. At the end you'll find a checklist with eight points that you should go through after every setup.

Why You Need a Dedicated Bot API Key

Binance lets you use multiple API keys at the same time. Yet many users rely on a single key for everything: manual trading, portfolio apps, tax tools, and the bot. That's like a master key that opens every door in the building. If someone gets the key, they have access to everything.

The clean solution: create a separate API key for each purpose. The bot gets its own key with exactly the permissions it needs. Nothing more, nothing less.

Benefits:

  • If the bot key gets compromised, your other integrations remain unaffected

  • You can delete and recreate the bot key at any time without disrupting other connections

  • You can see in the Binance overview which key is used by which system

  • You can set different IP whitelists per key

Name the key so you can identify it immediately. For example "unCoded-Bot-VPS-Frankfurt" or "TradingBot-Hetzner-01". Not "API Key 1" or "test".

What an API Key Can and Cannot Do

A Binance API key is essentially a username-password pair for machine access. It consists of two parts: the API Key (public, sent with every request) and the Secret Key (private, stored locally only and used to sign requests).

What matters is which rights you give the key. Binance offers four main permissions.

Read: The key can read account information. Balance, open orders, trade history. This is a basic requirement that almost always needs to be active.

Spot Trading: The key can place buy and sell orders on the spot market. This is the permission a spot trading bot needs.

Futures Trading: The key can trade on the futures market, meaning with leverage. For a spot-only bot like unCoded, this permission is not needed and should stay deactivated.

Withdrawal: The key can initiate withdrawals from your account. This permission must never be activated when you're using the key for a trading bot.

That is the most important sentence in this entire article: Withdrawal permission stays deactivated. Always. No legitimate bot needs the right to withdraw funds from your account. If a provider requests withdrawal permissions, that's an immediate disqualification.

With withdrawal permission deactivated, the API key can trade (buy and sell), but it cannot pull money from your Binance account. Even if someone steals the key, they cannot initiate a withdrawal. They could place unauthorized trades, yes, but your capital stays in your account.

Step 1: Check Login and 2FA

Before creating an API key, make sure your Binance account is properly secured.

  • Two-factor authentication (2FA) must be active. Binance supports Google Authenticator, SMS, and hardware keys (YubiKey). Google Authenticator or a hardware key are the most secure options.

  • Anti-phishing code should be enabled. This is a personal code that Binance displays in every legitimate email. If the code is missing, the email is fake. You can find the setting under Security Settings.

  • Check whether withdrawal whitelist is activated. This ensures withdrawals can only go to pre-approved addresses. It's an additional security layer that works independently of the API key.

All three measures protect your account at the account level, before the API key even comes into play.

Step 2: Create the API Key

Navigate to your profile icon (top right) in your Binance account and select "API Management". Click "Create API".

Binance asks you for the type. Choose "System Generated" (not "Self-Generated", which is for advanced use cases with your own RSA key pair).

Assign a descriptive label name. Examples:

  • "unCoded-Spot-VPS-Frankfurt"

  • "TradingBot-Production-Hetzner"

  • "unCoded-Test-Netcup"

After confirming via 2FA, Binance shows you the API Key and the Secret Key. The Secret Key is displayed only once. Copy it immediately and store it securely. If you lose the Secret Key, you have to delete the entire API key and create a new one.

Where to store the Secret Key? In a password manager (Bitwarden, 1Password, KeePass). Not in a text file on your desktop. Not in an email to yourself. Not in a Google Doc.

Step 3: Set Permissions Correctly

Immediately after creating the key, Binance opens the permissions page. This is where you set the rights.

For a spot trading bot like unCoded:

  • Enable Reading: Activate

  • Enable Spot & Margin Trading: Activate

  • Enable Futures: Leave deactivated

  • Enable Withdrawals: Leave deactivated

  • Enable Internal Transfer: Leave deactivated

If you're unsure, only activate "Reading" and "Spot & Margin Trading". Everything else stays off. Fewer permissions mean less attack surface.

A common mistake: some users activate "Spot & Margin Trading" and forget that this also unlocks margin trading. For a pure spot bot, this is not a problem as long as the bot itself doesn't place margin orders. unCoded trades exclusively on the spot market and uses no leverage.

Step 4: Set Up the IP Whitelist

This is the step that most tutorials skip. And that's exactly why it's so important.

An IP whitelist means: your API key only works from specific IP addresses. Every request from a different IP gets blocked by Binance. This reduces the attack surface massively. Even if someone knows your API key and Secret Key, they can't use them unless they operate from the whitelisted IP.

How to find your VPS IP:

There are two ways. The easiest: log into the management panel of your VPS provider. With Netcup you'll find the IP in the SCP (ServerControlPanel), with Hetzner in the Cloud Console under the respective server. The public IPv4 address is displayed right on the overview page.

Alternatively via SSH: connect to your server and enter the following command:

    curl ifconfig.me

This returns the public IPv4 address. Enter this IP in the whitelist field on Binance.

How to set up the whitelist on Binance:

On the API key detail page, you'll find the section "Restrict access to trusted IPs only". Click "Restrict" and enter your VPS IP. You can add multiple IPs if you have a backup server or a second location.

What happens without an IP whitelist:

Without a whitelist, the API key works from any IP address worldwide. That's convenient, but dangerous. If the key gets stolen (through a leak, a compromised machine, or a man-in-the-middle attack), the attacker can use the key immediately. With a whitelist, they get an error message.

Binance also displays a warning when you create an API key without an IP whitelist. That warning exists for a good reason. Don't ignore it.

Step 5: Enter the API Key in unCoded

Once your API key is created, the permissions are set, and the IP whitelist is active, you connect the key to unCoded.

The entry happens during installation. When you install unCoded on your VPS and start the bot for the first time, a setup wizard guides you through the configuration. During this process you'll be asked for two things:

  • Your API Key (the public part)

  • Your Secret Key (the private part)

Both keys are stored exclusively on your own server where the software runs. They are never transmitted to an external server at any point. This is the non-custodial aspect: your key stays with you, on your infrastructure.

After entry, unCoded automatically verifies the connection to Binance. You'll see the connection status and your Binance account balance in the dashboard. Once the connection is established, you can select your trading pair, configure the strategy parameters, and start the bot.

If the connection fails, check three things:

  • Is your VPS IP entered in the Binance whitelist?

  • Is the Spot Trading permission activated?

  • Did you copy the Secret Key correctly (no spaces at the beginning or end)?

Security Checklist After Setup

These eight points should be reviewed after every API key setup. Even if you've done everything correctly, a systematic check is worth the effort.

  1. Withdrawal permission is deactivated

  2. IP whitelist is active and contains only your VPS IP

  3. 2FA is active on your Binance account (Google Authenticator or hardware key)

  4. Anti-phishing code is enabled in Binance Security Settings

  5. The Secret Key is stored in a password manager, not in a text file

  6. The API key has a descriptive name that identifies the system

  7. You haven't activated any additional permissions the bot doesn't need

  8. The connection in the unCoded dashboard shows "Connected" and the correct balance

If all eight points are met, your setup is securely configured.
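
Checklist points 1, 2 and 7 can also be verified from the VPS itself. The following is an added example, not code from unCoded or from the original guide: it signs a request with the Secret Key (HMAC-SHA256 over the query string) and audits a parsed response from Binance's API key permission endpoint. The endpoint path and the field names "ipRestrict", "enableReading", "enableSpotAndMarginTrading" and "enableWithdrawals" are assumptions based on Binance's public API documentation and should be checked against the current version; the sample responses are constructed.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Assumed path of Binance's "Get API Key Permission" call. The signed query is
# sent to https://api.binance.com with the API Key in the X-MBX-APIKEY header.
RESTRICTIONS_PATH = "/sapi/v1/account/apiRestrictions"

# The only permissions a spot bot key should carry (Step 3 of the guide).
REQUIRED = ("enableReading", "enableSpotAndMarginTrading")


def signed_query(secret_key, params=None, now_ms=None):
    """Return the query string with its HMAC-SHA256 signature appended."""
    params = dict(params or {})
    params["timestamp"] = now_ms if now_ms is not None else int(time.time() * 1000)
    query = urlencode(params)
    sig = hmac.new(secret_key.encode(), query.encode(), hashlib.sha256).hexdigest()
    return f"{query}&signature={sig}"


def audit_restrictions(resp):
    """Compare a parsed permission response with the checklist; [] means clean."""
    findings = []
    # Fail closed: a missing ipRestrict field counts as "no whitelist".
    if resp.get("ipRestrict") is not True:
        findings.append("IP whitelist is not active")
    for flag in REQUIRED:
        if resp.get(flag) is not True:
            findings.append(f"{flag} is off: the bot cannot read or trade")
    # Any other switched-on permission is flagged, including ones added later.
    for flag, value in sorted(resp.items()):
        if flag.startswith(("enable", "permits")) and value and flag not in REQUIRED:
            findings.append(f"{flag} is on but a spot bot does not need it")
    return findings


# Constructed sample responses (not real account data).
GOOD = {"ipRestrict": True, "enableReading": True,
        "enableSpotAndMarginTrading": True, "enableWithdrawals": False,
        "enableInternalTransfer": False, "enableFutures": False}
BAD = dict(GOOD, ipRestrict=False, enableWithdrawals=True)

if __name__ == "__main__":
    print(RESTRICTIONS_PATH + "?" + signed_query("constructed-secret"))
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_restrictions(sample) or "matches the checklist")
```

Running the audit on a schedule also catches the case where permissions or the whitelist are changed after setup.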

Common Errors and Troubleshooting

Two problems that occur most frequently during setup.

"API not correct" during connection or first trade

This message usually has one of two causes. Either the Spot Trading permission is not activated, or your VPS IP is not entered in the Binance whitelist. Go back to Binance API Management, open the key, and check both. The Spot Trading permission must be set to "Enable Spot & Margin Trading", and your VPS IP must match the whitelist exactly. Changes to permissions and the whitelist take effect immediately on the Binance side, so you don't need to re-enter the key in unCoded.

If the IP doesn't match: check your server's current IP in your VPS provider's management panel or via SSH with curl ifconfig.me. With some cloud providers, the IP changes after a server restart. In that case, enter the new IP in the Binance whitelist.

API settings won't save

Sometimes you set all permissions correctly and click save, but the settings revert afterwards. This is a known bug on the Binance side. In this case, there's only one fix: delete the affected API key completely and create a new one. Run through steps 2 to 4 again. It takes five minutes and reliably solves the problem.

"API Key Invalid" during unCoded setup

The cause is almost always a copy error. The API Key or Secret Key wasn't fully copied, or invisible characters (spaces, line breaks) were included. Solution: paste the key in a text editor, check for visible spaces at the beginning or end, then copy and paste again.
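
A text editor shows ordinary spaces but not zero-width characters or a trailing line break. The following added example (not part of unCoded or the original guide) reports every character in a pasted key that does not belong there, by position and Unicode name, without ever printing the key itself. The expected length of 64 alphanumeric characters is an assumption about system-generated Binance keys; the sample key is constructed.

```python
import unicodedata

KEY_LENGTH = 64  # assumption: length of a system-generated API Key / Secret Key


def diagnose_key(pasted):
    """Return (cleaned_key, problems) for a pasted API Key or Secret Key.

    Problems name the position and kind of each stray character only, so
    the output is safe to show in a terminal or a support ticket.
    """
    problems = []
    kept = []
    for index, ch in enumerate(pasted):
        if ch.isascii() and ch.isalnum():
            kept.append(ch)
            continue
        # Control characters have no Unicode name; fall back to the code point.
        name = unicodedata.name(ch, f"U+{ord(ch):04X}")
        problems.append(f"position {index}: {name}")
    cleaned = "".join(kept)
    if len(cleaned) != KEY_LENGTH:
        problems.append(f"{len(cleaned)} key characters, expected {KEY_LENGTH}")
    return cleaned, problems


# Constructed sample key (not a real credential): 64 alphanumeric characters.
SAMPLE_KEY = "Ab3d" * 16
# The same key as it might arrive from the clipboard: leading space,
# trailing zero-width space and line break.
PASTED = " " + SAMPLE_KEY + "\u200b\n"

if __name__ == "__main__":
    cleaned, problems = diagnose_key(PASTED)
    print("\n".join(problems) or "no stray characters")
    print("usable after cleaning:", len(cleaned) == KEY_LENGTH)
```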

When to Renew Your API Key

An API key has no expiration date on Binance. It stays valid until you delete it. Still, there are situations where you should create a new key.

If you suspect the key has been compromised. For example because you accidentally shared it in a chat, committed it to a public repository, or stored it on an untrusted device. In this case: delete the key immediately, create a new one.

When you switch VPS providers. New server means new IP. You can either update the whitelist or create a fresh key. A fresh key is the cleaner approach.

When you switch bots or set up a second bot. One key per system. Don't use the same key for two different systems.

As a general hygiene measure every six to twelve months. Even without a specific concern, regular key rotation reduces the risk of long-term compromise.

FAQ

Can the bot withdraw money with my API key?

No, as long as the withdrawal permission is deactivated. The key can only trade (buy and sell), but cannot initiate a withdrawal. This restriction is enforced directly by Binance, not by the bot software.

What happens if someone steals my API key?

With an active IP whitelist, the attacker can't use the key because Binance blocks every request from a non-whitelisted IP. Without a whitelist, they could place unauthorized trades, but not initiate a withdrawal (with withdrawal permission deactivated). In both cases: delete the key immediately and create a new one.

How often should I renew my API key?

Every six to twelve months as a general hygiene measure. Immediately if you suspect compromise. When switching VPS providers. When setting up a new bot.

Do I need a separate key for each bot?

Yes. One key per system. This prevents a compromised bot from endangering other systems, and it makes the overview in Binance API Management much clearer.

What do the individual permissions mean?

Read: view balance and trade history. Spot & Margin Trading: place buy and sell orders on the spot market. Futures: trade on the futures market (with leverage). Withdrawal: withdraw funds from the account. Internal Transfer: move funds between sub-accounts.

Does the key work without an IP whitelist?

Yes, technically it works. But without a whitelist, the key is usable from any IP address in the world. That's a significant security risk. Binance actively warns you about this. Always set up the whitelist.

How long is a Binance API key valid?

Indefinitely. The key stays active until you manually delete it. There is no automatic expiration date.

Can I use the same key for Spot and Futures?

Technically yes, if both permissions are activated. But it's not recommended. For different trading modes, you should use separate keys with only the necessary permissions each. This minimizes the attack surface.