API Security Checklist for OKX Quant Bots

Number-one rule · ahead of every other setting

When you create an API key, tick only "Trade," never "Withdraw."

A quant script only needs to place orders and query — it never touches withdrawal. As long as the key has no withdraw permission, even if your apiKey, Secret and Passphrase trio all leaked one day, whoever got them could at most place wild orders in your account (already bad), but could not move your coins out. Tick withdrawal and a leak is like handing over the keys to your safe. Get this one wrong and nothing else below matters.

Completion 0/7

Nothing ticked yet. Start with the permission in the "number-one rule."

Permissions and access scope

Least privilege: enable only "Trade," never "Withdraw" When you create an API key on OKX, tick only "Read" and "Trade," and turn "Withdraw / Transfer" all the way off. This is the single most effective thing you can do to cut theft risk: with no withdraw permission, a leaked key still can't move your money. Critical

Bind an IP allowlist, permitting only your server / home IP Bind the key to the fixed IP of the machine running your script, and accept requests only from it. Even if the key leaks, another machine can't use it. If your IP changes a lot, keep your credentials well guarded first, and add the allowlist as soon as it settles. Critical

Account and key isolation

Run the bot in a sub-account, isolating main-account funds Open a dedicated sub-account on OKX just for the script, and only fund it with this slice of quant capital. If the script errors or a key is compromised, only the sub-account's small amount gets burned — your main holdings aren't dragged in.

Properly store the apiKey + Secret + Passphrase trio The Secret and Passphrase are shown only once at creation. Don't screenshot and upload them, don't paste them into a chat window, and never write them in plaintext in code or commit them to Git. Use environment variables or a local config file that isn't synced — a leak of any one of the three is dangerous.

Long-term maintenance and scam defense

Rotate regularly, and delete keys you no longer use Every key is a potential exposure. Rotate them every so often, and delete the old ones, the ones spun up for a temporary test, and the ones no longer running. A pile of keys whose purpose you long forgot is a landmine you set for yourself.

Beware "managed-account / I'll set the bot up for you" scams Anyone asking you to hand them full-permission API (especially with withdrawal), or asking for your Secret/Passphrase to "set it up for you" or "carry you to easy profits," can almost certainly be judged a scam. Legitimate quant only ever needs you to run a least-privilege key locally yourself — no exceptions. Critical

Enable 2FA on the account and set an anti-phishing code This is the account-level foundation beneath the API. Turn on two-factor authentication (2FA), and set an anti-phishing code on OKX, so phishing emails and fake sites have a harder time fooling you. If the account itself is breached, even the most careful API setup can't save it. Foundation

Note: these are concrete measures that genuinely lower theft and mishap risk — not a guarantee of absolute safety. Ticking all seven only means you've crossed the minimum security threshold expected before opening an API to run quant. This checklist is for information reference only and is not investment advice of any kind. Crypto asset prices swing violently, quant and automated trading don't guarantee profit, so only use funds you can afford to lose.

Want to see exactly how and why to set each one? Read these two: OKX API risk control, hands-on · OKX API quant from scratch

About this checklist: why these seven

Running quant over an API means handing part of your account's controls to a stretch of script and a pair of keys. Unlike a login password, API credentials are made for a program to use, so they have more ways to leak — logs, screenshots, an accidental push to a public repo. That makes the security setup at the key-creation step more worth your time than the strategy itself, because it decides "how bad the worst case can get."

Of the seven, the real floor is the ones marked "Critical." "Trade-only, no withdraw" is the number-one rule: quant never needs withdrawal at any point, so turn it off and a leaked key still can't move your money. The "IP allowlist" locks the key to the one IP your script runs on. "Beware managed-account scams" is a different class of risk — not a technical hole, but someone directly tricking you into handing over a full-permission key, and the losses from that class are often the worst. Skip any one of these and the risk level is completely different.

The rest narrow the exposure further: isolate funds in a sub-account, store the trio of credentials properly and keep them out of the code, rotate and delete old keys regularly, and turn on 2FA and an anti-phishing code at the account level. Ticking all of them only means you've reached the basic security floor — not absolute safety; but missing any one is a real opening. This tool doesn't collect your ticks — it counts purely in your browser and resets to zero when you close the page.

API security self-check

Permissions and access scope

Account and key isolation

Long-term maintenance and scam defense

Done with the checklist? Go create a clean key