What Is an Exchange API Key and What Can It Access?

Updated July 13, 2026 5 min read

Somewhere behind every automated trading tool or portfolio tracker is a string of characters most people never look at closely: an API key, quietly deciding what that outside program is allowed to do with an account.

The short answer

An exchange API key is a set of credentials that lets outside software connect to an account without logging in through the regular username and password. What that software can actually do — view balances, place trades, or withdraw funds — depends entirely on the permissions assigned to that specific key when it was created.

What an API key actually is

API stands for application programming interface, which is simply a defined way for two pieces of software to communicate. An exchange’s API lets external programs, like trading bots, tax software, or portfolio dashboards, request information or take actions on an account programmatically, instead of a person clicking through a website. The API key and its accompanying secret function like a login credential built specifically for machine-to-machine access rather than a person typing in a password.

The permissions attached to a key

Most exchanges let account holders choose exactly what a given key can do at the time it’s created, rather than granting blanket access by default. Typical permission levels include:

Why permission scope matters so much

A key with only read-only or trading permissions limits the damage if that key is ever exposed, because the connected software still can’t move funds anywhere else. A key with withdrawal permission enabled, on the other hand, could let anyone who obtains it drain the account outright. Limiting API key permissions to only what a given tool actually needs is one of the most effective ways to reduce that exposure, since most everyday tools, like a tax tracker pulling an order history report, only ever need read-only access to function.

Other safeguards worth understanding

Many exchanges pair API keys with additional restrictions, such as limiting which IP addresses are allowed to use a given key, or requiring an address whitelist so that even a withdrawal-enabled key can only send funds to pre-approved destinations. These layered restrictions matter because a key, unlike a password entered by a person, sits embedded in software that could be compromised, misconfigured, or run on a server outside the account holder’s direct control.

What happens if a key is exposed

If an exchange detects unusual activity tied to a compromised key, an account freeze or lock is one possible response while the situation gets reviewed. Revoking and regenerating the affected key immediately, checking exactly what permissions it had, and reviewing recent account activity are the standard steps once exposure is suspected, since API keys can typically be deleted and replaced without affecting the underlying account itself.

The takeaway

An API key is only as powerful as the permissions attached to it. Understanding that distinction, and granting a key nothing beyond what a specific tool genuinely requires, turns a potentially high-risk piece of access into something far more contained.