
How to Create and Manage Binance API Key? Complete Guide to Safe Usage

Creating a Binance API Key takes six steps: log in to the Binance website (API Keys can only be created on the web version, not in the app), go to "Account - API Management", click "Create API", select "System generated", enter a custom label, and pass the triple verification of email code + 2FA + SMS. The API Key and Secret Key are then displayed once; copy and save them immediately (the Secret Key is never shown again). Finally, configure the permissions (Read, Spot Trading, Futures Trading, Withdrawals, etc.) and the IP whitelist.

Strong recommendation: every API Key you create must be bound to an IP whitelist. A leaked API Key without an IP whitelist is as good as handing over your assets. According to Binance's 2024 statistics, 93% of the funds lost to stolen API Keys were lost on Keys that had no IP whitelist. Once an IP whitelist is bound, a leaked Secret Key cannot be used from an attacker's own servers; the remaining risk is an attacker who gets onto the whitelisted server itself, which is why the machine running the strategy must be hardened as well.

The Binance app cannot create API Keys, but it can view and delete existing ones, which is convenient for emergency handling. If you have not installed the app yet, see the iOS installation tutorial. This article covers the full lifecycle: creation, permission configuration, whitelisting, usage, monitoring, and emergency response to a leak.

What is an API Key? What can it do?

An API Key (Application Programming Interface Key) is a credential that allows external programs to operate your Binance account on your behalf. With an API Key, programs can read your account data, place orders, and query history 24/7 without needing to enter a password for each login.

There are five typical use cases: Quantitative trading (like running Python strategies to automatically buy and sell), Copy trading (letting a program copy an influencer's positions), Market data acquisition (batch pulling historical K-lines for backtesting), Asset inventory (automatically calculating total assets across multiple accounts), and Accounting (integrating with enterprise financial systems).

An API Key consists of two parts. The API Key itself identifies the account: it is sent with every request (in the X-MBX-APIKEY header) and is not used for signing, so it is the less sensitive half, but it should still not be published, since it tells an attacker exactly which key to target. The Secret Key signs requests and must be kept strictly confidential. For "System-generated" keys it is an HMAC-SHA256 shared secret that both you and Binance hold; for "Self-generated" RSA/Ed25519 keys it is a true private key that only you hold. By analogy with a bank card, the API Key is the card number and the Secret Key is the PIN: someone seeing the card number is survivable, but a leaked PIN is catastrophic.

Detailed Steps to Create an API Key

Step 1: Enter the API Management page. Log in to the Binance official website (mobile browser works too, but creation is currently not supported inside the APP), click on your avatar in the top right corner, and select "API Management". The top of the page displays all your created API Keys, and the bottom has a "Create API" button.

Step 2: Choose the creation method. Binance offers two methods: "System-generated" is suitable for most users, where the keys are randomly generated by Binance; "Self-generated" is suitable for advanced users with RSA/Ed25519 key pairs, generating public and private keys themselves and uploading the public key to Binance for higher security (Binance never knows your private key).

Regular users can choose "System-generated", which is safe enough when combined with an IP whitelist. Enterprise users and professional quantitative teams should use "Self-generated" Ed25519 key pairs, which Binance has recommended since May 2024. The gain is not raw signing speed (HMAC-SHA256 is itself very fast); it is that Binance stores only your public key, so a breach on the exchange side cannot expose your signing secret, and Ed25519 signs and verifies far faster, with much smaller signatures, than RSA.

Step 3: Name the API Key. Enter a meaningful label name, such as "Spot Grid Strategy", "Futures Market Making", or "Balance Monitoring". The label is only visible to you for distinguishing different purposes later. It is recommended to use one Key per strategy, rather than sharing one Key for multiple purposes.

Step 4: Identity verification. Enter the 6-digit verification code received by email, the 6-digit verification code received by SMS, and the 6-digit dynamic code from Google Authenticator. You must pass all three verifications to proceed to the next step.

Step 5: Save the Secret Key. After passing verification, the page will display the API Key and Secret Key. The Secret Key is only shown this one time; once the page is closed, it can never be viewed again. Be sure to immediately copy and paste it into a safe place. Recommendations:

  • The "Encrypted Notes" field in a password manager (1Password, Bitwarden)
  • A local encrypted file (encrypted with GPG and saved on a USB drive)
  • Safest: Written on paper and locked in a safe (suitable for large-value accounts)

Never recommended: WeChat favorites, QQ email drafts, plain text files, or unencrypted cloud drives—these are easily leaked.

Step 6: Permission and IP configuration (detailed below).

Four-Level Permission System

Binance API permissions are independent toggles; this article orders them from lowest to highest risk and calls them levels for convenience. Apply the principle of least privilege: enable only the permissions your strategy actually needs.

Level 1: Read Only. Can query account balance, historical orders, and current positions, but cannot place orders, withdraw funds, or modify any settings. This is the safest level, suitable for asset monitoring, financial reconciliation, and tax declaration.

Level 2: Spot & Margin Trading. Based on Level 1, adds the function to place orders, allowing buying and selling of spot and margin. Cannot operate futures, cannot withdraw. Suitable for spot quantitative strategies.

Level 3: Futures Trading. Independent switch, can enable trading permissions for USDS-M futures, COIN-M futures, and options. Futures have leverage and high risk; it is recommended to only enable this permission for fully backtested strategies.

Level 4: Enable Withdrawals. The highest-risk permission. Once enabled, a program can move assets out of your account. 99% of users never need it; withdrawals should be done manually. The few scenarios that do need it (cross-exchange arbitrage, automatic consolidation) must combine it with a strictly limited withdrawal address whitelist, and Binance only lets you enable it on a Key that is restricted to trusted IPs.

The higher the permission, the larger the attack surface. Suggested principle: enable reading, spot, and futures as needed, and never enable withdrawals. If one day you find your strategy "needs withdrawal permission," first think about whether you can use internal transfers (like from USDS-M futures to spot) instead of withdrawals; most scenarios can.

IP Whitelist is the Lifeline

This is the most important part of this article. An API Key leak without an IP whitelist equals a stolen account.

The principle of an IP whitelist: You add the server IP address running the strategy (for example, the public IP of an Alibaba Cloud ECS: 47.98.xx.xx) to the whitelist. Binance's API server will only accept requests from these IPs; requests from other IPs will be rejected even if the signature with your Secret Key is correct.

IP Configuration Options During Creation:

  • Restrict access to trusted IPs only (Recommended): Enter 1-20 IP addresses, one per line, in IPv4 format such as "47.98.123.45". CIDR blocks (such as 192.168.1.0/24) are not supported. Note that Binance sees your server's public address; private LAN addresses (10.x, 172.16-31.x, 192.168.x) never reach Binance and are useless in a whitelist.
  • Unrestricted (Highly Not Recommended): Any IP can use this Key. Binance has limited the validity of "Unrestricted IP" Keys to 90 days since 2024, automatically becoming invalid upon expiration and requiring recreation, forcing users to use IP whitelists.

How to check your server IP: log in to the server over SSH and run curl ifconfig.me or curl ip.sb; the reply is the public (egress) IP that Binance sees. If the server sits behind a NAT gateway or forward proxy, that gateway's address is the one to whitelist, because it is the source address of your requests. Home broadband users should note that home IPs are mostly dynamic and may change every time the connection is re-established, so they are not suitable for API whitelists. Use a VPS with a static IP or a cloud function service instead.

Cross-region deployment: If your strategy runs on multiple servers (primary/backup or multi-region), add all IPs to the whitelist. Binance allows a maximum of 20 IPs.

Temporary debugging: During the development phase, if you want to debug a strategy on your local computer, you can temporarily add your home public IP to the whitelist. Once debugging is complete, remove it immediately, keeping only the server IP.

Security Practices in API Usage

Practice 1: Never hardcode the Secret Key. Do not write it into .py or .js files, where it will sooner or later be committed to a Git repository (especially a public one). Read it from environment variables (export BINANCE_SECRET=xxx) or from a configuration file such as .env that is listed in .gitignore, and keep it out of logs and error messages too.

Practice 2: Use independent sub-accounts to isolate risk. Binance allows the creation of up to 200 sub-accounts for free. It is recommended to run each strategy on an independent sub-account, with the master account holding only a small amount of funds for transfers. Even if a sub-account's API Key is stolen, the loss is limited to the sub-account's balance.

Practice 3: Separate permissions by Key. Use a Read Only Key for balance reads and a Spot Trading Key for order placement. A reading Key used for dashboards and reports may be left IP-unrestricted, with the caveat that if it leaks, your balances and trade history are exposed, and under the 90-day rule described above it will have to be recreated; the trading Key is strictly bound to an IP and given only the permissions it needs.

Practice 4: Regular rotation. Recreate the API Key every 90 days and delete the old one. If an old Key has been quietly compromised without anyone noticing, rotation bounds the exposure window to 90 days. The Binance API Management page shows each Key's creation time, which makes tracking easy.

Practice 5: Monitor abnormal calls. Binance provides calling statistics for API Keys. On the "API Management" page, click "View Details" on the right side of the Key to see the number of calls per minute, maximum weight consumption, and number of triggered rate limits. If a Key's call volume suddenly doubles, someone might be abusing it.
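The five practices above are easy to state and easy to let slip. The following script is an added example (not code from the original article or from Binance) that turns them into an audit over an inventory of keys: it flags trading keys with no IP whitelist, unrestricted read-only keys, withdrawals being enabled, keys past the 90-day rotation interval, and a per-minute call count that jumps to twice its trailing median. The key records, labels, dates and call counts are constructed for the demo; the 20-IP limit, the 90-day interval and the "doubles" threshold are the figures given above.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median

ROTATION_DAYS = 90        # rotation interval recommended in Practice 4
MAX_WHITELIST_IPS = 20    # whitelist size limit stated in the IP section
BASELINE_MINUTES = 10     # trailing window used as the "normal" call rate
SPIKE_FACTOR = 2.0        # Practice 5: "call volume suddenly doubles"


@dataclass(frozen=True)
class ApiKeyRecord:
    """One row of the API Management page, as a constructed record."""
    label: str
    created: date
    ip_whitelist: tuple          # empty tuple = "Unrestricted"
    permissions: frozenset       # subset of {"read", "spot", "futures", "withdraw"}
    calls_per_minute: tuple      # recent per-minute call counts, newest last


def call_spike(counts, baseline_minutes=BASELINE_MINUTES, factor=SPIKE_FACTOR):
    """True if the newest minute is at least `factor` times the trailing median.

    The median ignores a single earlier burst, so one noisy minute in the
    baseline does not hide a real jump. With fewer than baseline_minutes + 1
    samples there is no baseline yet and nothing is flagged.
    """
    if len(counts) < baseline_minutes + 1:
        return False
    baseline = median(counts[-(baseline_minutes + 1):-1])
    return baseline > 0 and counts[-1] >= factor * baseline


def audit(keys, today):
    """Return (label, finding) pairs for every practice on this page a key violates."""
    findings = []
    for k in keys:
        trading = k.permissions & {"spot", "futures", "withdraw"}
        if not k.ip_whitelist and trading:
            findings.append((k.label, "NO_IP_WHITELIST"))        # trading key usable from any IP
        elif not k.ip_whitelist:
            findings.append((k.label, "UNRESTRICTED_READ_ONLY"))  # tolerated above, still leaks data
        if len(k.ip_whitelist) > MAX_WHITELIST_IPS:
            findings.append((k.label, "TOO_MANY_IPS"))
        if "withdraw" in k.permissions:
            findings.append((k.label, "WITHDRAW_ENABLED"))
        if (today - k.created).days > ROTATION_DAYS:
            findings.append((k.label, "ROTATION_DUE"))
        if call_spike(k.calls_per_minute):
            findings.append((k.label, "CALL_SPIKE"))
    return findings


# Constructed inventory for the demo: labels, dates and counts are made up.
TODAY = date(2025, 1, 15)
SAMPLE_KEYS = (
    ApiKeyRecord("spot-grid", date(2024, 6, 1), ("47.98.123.45",),
                 frozenset({"read", "spot"}), (40,) * 10 + (43,)),
    ApiKeyRecord("balance-monitor", date(2024, 12, 20), (),
                 frozenset({"read"}), (5,) * 11),
    ApiKeyRecord("legacy-futures", date(2024, 11, 1), (),
                 frozenset({"read", "futures"}), (12,) * 11),
    ApiKeyRecord("arb-bot", date(2024, 12, 1), ("47.98.123.45",),
                 frozenset({"read", "spot", "withdraw"}), (30,) * 10 + (75,)),
)


if __name__ == "__main__":
    for label, finding in audit(SAMPLE_KEYS, TODAY):
        print(f"{label:16s} {finding}")
```

Feeding the script the real key list means exporting it by hand from the API Management page (there is no API endpoint for key metadata mentioned on this page); the value is in running the same checks every time a key is added or a strategy changes, rather than trusting memory.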

What to Do If the API Key Is Leaked?

Step 1: Immediately delete the API Key on the APP or Web. Go to the API Management page, click the "Delete" button to the right of the leaked Key, and upon confirmation, the Key will immediately become invalid. Deletion is irreversible, do not hesitate.

Step 2: Check account operation records. Review trades, withdrawals, and deposits from the past 24 hours (or since the Key was created, if the leak could be older) for anything you did not do. The typical abuse of a trading-only Key is to make your account buy an obscure, illiquid coin at an inflated price while the attacker sells into those orders (a pump-and-dump against your balance). If you see such orders, contact customer service immediately to freeze the account.

Step 3: Reset other relevant security settings. Change your login password, reset 2FA, and check if other API Keys are safe. Attackers might have simultaneously acquired other credentials of your account.

Step 4: Investigate the leak channel. Common leak paths: code pushed to a public Git repository (search for your API Key string, the public half, on GitHub code search or searchcode; never paste the Secret Key into a third-party search box), server intrusion (check auth.log and the shell history of the user that runs the strategy), a key captured in a screenshot, handing keys to fake "customer service" (a scam), or a malicious open-source quantitative framework that sends your keys home. Only by finding the root cause can you avoid leaking it again.
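Practice 1 above says not to hardcode the Secret Key, and Step 4 says the first place to look after a leak is your own code. The following script is an added example (not part of the original article or of any Binance tool) that does both: find_hardcoded_keys scans source lines for 64-character alphanumeric tokens of the shape Binance keys have, reporting them when the line mentions an API/secret/key or when the token alone is high-entropy, and load_secret shows the replacement pattern of reading the secret from the environment. The entropy bound (4.5 bits per character) is a heuristic chosen here so that 64-character hex digests, which cannot exceed 4.0 bits per character, do not trigger; the sample source lines are constructed, and the two key strings in them are the sample values from Binance's public API documentation, not real credentials.

```python
import math
import os
import re
from collections import Counter

# Binance API Keys and Secret Keys are 64-character alphanumeric strings.
KEY_RE = re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9]{64}(?![A-Za-z0-9])")
# Words that usually sit next to a credential assignment.
CONTEXT_RE = re.compile(r"api|secret|binance|key", re.IGNORECASE)
MIN_ENTROPY = 4.5   # bits per character (heuristic); hex digests cannot exceed 4.0


def shannon_entropy(token):
    """Bits of entropy per character, estimated from the token's own character frequencies."""
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in Counter(token).values())


def mask(token):
    """Show only the ends of a secret, so scan output can be shared safely."""
    return token[:4] + "..." + token[-4:]


def find_hardcoded_keys(lines, min_entropy=MIN_ENTROPY):
    """Return (line_number, masked_token) for tokens that look like hardcoded keys.

    A 64-character token is reported when the line mentions an API/secret/key
    (the usual assignment context) or when the token alone is high-entropy.
    Hex digests (sha256 sums in lock files) share the length but not the
    alphabet, so the entropy bound keeps them out unless the context matches.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in KEY_RE.finditer(line):
            token = match.group(0)
            if CONTEXT_RE.search(line) or shannon_entropy(token) >= min_entropy:
                hits.append((number, mask(token)))
    return hits


def load_secret(name="BINANCE_SECRET"):
    """The correct pattern: read the secret from the environment and fail loudly if absent."""
    value = os.environ.get(name, "").strip()
    if not value:
        raise RuntimeError(f"{name} is not set; export it or put it in a git-ignored .env file")
    return value


# Constructed source lines for the demo; the two 64-character keys are the
# sample values from Binance's public API documentation, not real credentials.
SAMPLE_SOURCE = [
    'API_KEY = "vmPUZE6mv9SD5VNHk4HlWFsOr6aKE2zvsw0MuIgwCIPy6utIco14y7Ju91duEh8A"',
    'client = Client(os.environ["BINANCE_API_KEY"], load_secret())',
    'SHA256_EMPTY = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"',
    'secret = "NhqPtmdSJYdKjVHjA7PZj4Mge3R5YNiP1e3UZjInClVN65XAbvqqM6A7H5fATj0j"  # TODO',
]

if __name__ == "__main__":
    for number, token in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {number}: possible hardcoded key {token}")
```

Run it over the repository (and over git history, not just the working tree, since a key deleted in a later commit is still in the history of a public repository) before pushing; it prints only the masked token, so the scan output itself is safe to paste into a ticket.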

Step 5: Submit a ticket. Even if there is no loss, it is recommended to submit a ticket to Binance customer service explaining the situation and request to enable the "API Leak Cooling-Off Period"—the account enters an enhanced withdrawal review state for 7 days, and any withdrawal requires manual review.

Common Error Codes and Handling

Error Code | Meaning                                              | Handling Method
-1021      | Timestamp outside of the server time window          | Calibrate server time via NTP
-1022      | Invalid signature                                    | Check Secret Key and parameter concatenation order
-2010      | Order failed: Insufficient balance                   | Check available balance and frozen assets
-2014      | API Key format invalid                               | Check that the Key string is complete
-2015      | Invalid API-key, IP, or permissions for action       | Focus on checking the IP whitelist
-1003      | Too many requests                                    | Reduce call frequency, watch request weight
-4131      | Futures API permission not enabled                   | Enable futures permission on the API Management page

The most common reason for encountering the -2015 error is an incorrectly configured IP whitelist, or your server IP has changed. Use curl ifconfig.me to confirm the current IP again and compare it with the whitelist.
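The signing described in "What is an API Key?", the whitelist rule in "IP Whitelist is the Lifeline" (a correct signature from an unlisted IP is still rejected) and the -2015 / -1022 / -1021 rows of the table above all come together in one request. The following script is an added example (not code from the original article or from Binance): sign_query builds a signed query string the way a System-generated HMAC-SHA256 key requires, and verify_request is a mock of the server-side checks that returns the error code from the table. The credentials are the sample values from Binance's public API documentation, the whitelisted IP and the fixed server time are constructed, and the order in which the mock applies the three checks is an assumption, not Binance's implementation. The timestamp rule it applies (timestamp < serverTime + 1000 and serverTime - timestamp <= recvWindow) is the one Binance documents.

```python
import hashlib
import hmac
import urllib.parse

# Sample credentials from Binance's public API documentation; not real keys.
API_KEY = "vmPUZE6mv9SD5VNHk4HlWFsOr6aKE2zvsw0MuIgwCIPy6utIco14y7Ju91duEh8A"
SECRET_KEY = "NhqPtmdSJYdKjVHjA7PZj4Mge3R5YNiP1e3UZjInClVN65XAbvqqM6A7H5fATj0j"
IP_WHITELIST = {"47.98.123.45"}      # constructed: the strategy server's public IP
RECV_WINDOW_MS = 5000
NOW_MS = 1_700_000_000_000           # fixed "server time" so the demo is deterministic


def sign_query(params: dict, secret: str, timestamp_ms: int) -> str:
    """Build a signed query string for a System-generated (HMAC-SHA256) key.

    Binance computes the HMAC over the exact query string that is sent, so the
    parameter order at signing time must be the order that goes on the wire.
    The signature is appended as the final parameter.
    """
    params = dict(params, recvWindow=RECV_WINDOW_MS, timestamp=timestamp_ms)
    query = urllib.parse.urlencode(params)
    mac = hmac.new(secret.encode(), query.encode(), hashlib.sha256).hexdigest()
    return f"{query}&signature={mac}"


def verify_request(query: str, api_key: str, source_ip: str, server_now_ms: int = NOW_MS) -> int:
    """Mock of the server-side checks; returns the Binance error code, 0 when accepted.

    An illustration of the checks described on this page, not Binance's code;
    the order of the checks is an assumption.
    """
    # 1. Identity and IP whitelist: a correct signature does not help from an
    #    unlisted IP, which is the whole point of binding the key to an IP.
    if api_key != API_KEY or source_ip not in IP_WHITELIST:
        return -2015
    # 2. Signature: recompute the HMAC over everything except the signature itself.
    parts = query.split("&")
    payload = "&".join(p for p in parts if not p.startswith("signature="))
    sent = next((p[len("signature="):] for p in parts if p.startswith("signature=")), "")
    expected = hmac.new(SECRET_KEY.encode(), payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sent.lower(), expected):
        return -1022
    # 3. Timestamp window, as documented by Binance.
    fields = urllib.parse.parse_qs(payload)
    ts = int(fields["timestamp"][0])
    window = int(fields.get("recvWindow", ["5000"])[0])
    if not (ts < server_now_ms + 1000 and server_now_ms - ts <= window):
        return -1021
    return 0


def demo() -> dict:
    """Exercise each failure mode from the error-code table; returns {case: code}."""
    order = {"symbol": "BTCUSDT", "side": "BUY", "type": "MARKET", "quantity": "0.001"}
    good = sign_query(order, SECRET_KEY, NOW_MS)
    # Parameter order changed after signing: the HMAC no longer matches.
    reordered = good.replace("symbol=BTCUSDT&side=BUY", "side=BUY&symbol=BTCUSDT")
    return {
        "accepted": verify_request(good, API_KEY, "47.98.123.45"),
        # Same valid signature, sent from an attacker's own server.
        "unlisted_ip": verify_request(good, API_KEY, "203.0.113.7"),
        # Signed 30 s in the past: clock drift outside the 5 s recvWindow.
        "stale_timestamp": verify_request(sign_query(order, SECRET_KEY, NOW_MS - 30_000),
                                          API_KEY, "47.98.123.45"),
        "wrong_param_order": verify_request(reordered, API_KEY, "47.98.123.45"),
        # Quantity altered in transit: signature no longer matches.
        "tampered": verify_request(good.replace("quantity=0.001", "quantity=10"),
                                   API_KEY, "47.98.123.45"),
    }


if __name__ == "__main__":
    for case, code in demo().items():
        print(f"{case:18s} -> {code}")
```

Two of the cases map directly onto the debugging advice in the table: "stale_timestamp" is what an un-synced server clock produces (fix with NTP), and "wrong_param_order" is the -1022 you get when a client library builds the query string in a different order from the one it signed. A Self-generated Ed25519 key signs the same payload with the private key instead of an HMAC; the whitelist and timestamp checks are unchanged.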

Frequently Asked Questions

Q: How many API Keys can be created? A: Currently, a single account is limited to a maximum of 30 API Keys. This is sufficient for most users.

Q: What if I lose my Secret Key? A: You can only create a new API Key; the old Key + Secret combination can never be retrieved. This is why you must save the Secret Key immediately upon creation.

Q: Are there usage fees for API Keys? A: Free. Trading fees are the same as manual trading; there are no additional fees for API usage.

Q: Do API Keys expire? A: They are permanently valid (keys without an IP whitelist are limited to 90 days starting in 2024). However, it is recommended to actively rotate them every 90 days to enhance security.

Q: Can I send my API Key to customer service to help troubleshoot problems? A: Absolutely not! Real customer service will never ask you to provide your Secret Key. Anyone asking for your Secret Key is a scammer.
