API key security
Last updated: March 2026
How we store your keys
API keys are encrypted at rest using AES-256 encryption before being stored in the database. The encryption keys are stored separately from the database. Keys are never logged.
Recommended permissions
Always use the minimum permissions needed:
| Permission | Recommendation |
|---|---|
| Read | ✓ Enable |
| Spot trading | ✓ Enable |
| Futures trading | Only if you trade futures |
| Margin trading | Only if you use margin |
| Withdrawals | ✗ Never enable |
| Internal transfers | ✗ Never enable |
IP whitelisting
Most exchanges let you restrict API keys to specific IP addresses. This is highly recommended — even if your key were exposed, it couldn’t be used from an unknown IP. Contact [email protected] for VersaTrader’s current server IP.
Best practices
- Use a dedicated API key for VersaTrader — don’t reuse keys across services
- Enable IP whitelisting where possible
- Rotate keys every 3–6 months
- Never share API keys in screenshots or support chats (redact them first)
If you suspect a problem
- Immediately revoke the API key from your exchange dashboard
- Check your order history for any unexpected activity
- Create a new API key and re-add it in VersaTrader
- Contact us at [email protected]
VersaTrader will never ask for withdrawal permissions. If something claims to be VersaTrader and requests withdrawal access, do not proceed.