API Keys – Make Sure You Handle Them Right

Reading Time: 2 minutes
  • API keys are a great source of data for crypto traders and can be extremely useful
  • They have settings that can allow third-party access to your exchange portfolio
  • Mismanaged API keys were behind the Ledger hack in June 2020 where 272,000 customer records were stolen

API keys can be a great tool for cryptocurrency traders, allowing their trading data to be used for a wide variety of uses. The most common use of API keys is to ensure that your crypto portfolio app of choice is always up to date with your latest trades, but there are a whole host of other uses for crypto API data depending on your level of technical ability. However, as the Ledger data breach last year showed, mismanaging API keys can have very serious consequences.

API Key Access Needs Careful Consideration

When setting up your API keys there are various levels of access you can grant them. If you want to use your API keys in conjunction with a crypto portfolio tracker then you should grant ‘read-only’ access or the equivalent. This ensures that the tracker can only pull data through the API but can’t push data to it, meaning it can’t make any changes to the source of the data. In crypto terms this means that it can’t make any trades or withdrawals from the exchange to which your API keys are connected.

Some applications require read and write access in order to function properly, such as those that allow you to trade through them. A popular example is 3commas, which allows users to follow calls of others and execute predetermined trades. This requires users to grant 3commas permission to trade on their behalf. There is nothing inherently wrong with this, but it introduces a further element of risk – if someone gets hold of your API keys they can execute trades on your behalf and perhaps even move funds.

You should therefore only grant write access to API keys if you are one hundred percent confident in the security measures of the app that will be using them. You should also treat the secret key that comes with the API keys setup like your private key for your crypto wallet and never write it down or store it insecurely.

Ledger Breach Down to Mismanaged API Keys

A good example of how powerful (or destructive) API keys can be, we need look no further than last year’s massive Ledger data breach. Over one million customer email addresses and 272,000 the addresses and phone numbers were stolen in June last year when a third-party’s API key was misconfigured.

We don’t know exactly how the keys were misconfigured, but the fact that an API mismanagement led to Ledger’s entire customer database being stolen shows just how important they are and how much care you should take when setting them up.