What Is an API Key
An API key is a set of platform-generated credentials consisting of an API Key and a Secret Key. With these credentials, third-party programs can query your balance, place trades, fetch market data, and more — all without requiring you to manually log in.
Think of an API key as a "limited-function spare key." Your login password is the master key that can do everything; an API key can only do what you've authorized.
Who Needs API Keys
Quantitative traders are the primary user group. If you've built an automated trading system, you need API access to communicate with Binance's servers for executing buy and sell orders.
Users of third-party trading tools also need API keys. Market analysis platforms, copy-trading services, and tax calculation tools all require API access to read your account data.
Additionally, developers building applications within the Binance ecosystem need API keys to call Binance's data endpoints.
Prerequisites
Your Binance account must have completed identity verification (KYC) and have two-factor authentication (2FA) enabled — either Google Authenticator or SMS verification. Accounts without 2FA cannot create API keys.
Step-by-Step Creation Guide
Step 1: Go to the API Management Page
Log in to the Binance website, click the user icon in the upper right corner, and select "API Management" from the dropdown. You can also navigate directly to the API management page.
Step 2: Choose API Key Type
Binance offers two types: system-generated keys and self-generated keys (RSA or Ed25519). For most users, "System Generated" is the right choice. If you're an advanced developer familiar with asymmetric cryptography, self-generated keys offer higher security.
Step 3: Set a Label
Enter a label for your API key — something like "Quant Strategy A" or "Market Monitor." This label just helps you distinguish between different API keys and has no functional impact.
Step 4: Complete Security Verification
The system will require two-factor verification, which may include some combination of email verification code, SMS code, and Google Authenticator code. Follow the prompts to complete verification.
Step 5: Save Your Secret Key
After creation, the page displays your API Key and Secret Key. This is critically important: the Secret Key is shown only once and can never be viewed again. You must save it immediately in a secure location — a password manager, or written down and locked away. If you lose your Secret Key, your only option is to delete the API key and create a new one.
Permission Settings Explained
Read Permission
The most basic permission — allows API access to query account balances, positions, order history, and similar data. If you only need to connect market analysis or tax tools, this is the only permission you need.
Spot and Margin Trading Permission
Enables the API to place and cancel orders on spot and margin markets. Quantitative trading programs typically require this permission.
Futures Trading Permission
Allows the API to trade on USDT-margined and coin-margined futures markets. Enable this only if your quant strategy involves futures.
Withdrawal Permission
Allows the API to initiate withdrawals. This is the most sensitive permission — unless you have a very specific use case and robust security measures in place, it's strongly recommended to leave this disabled. If your API key is compromised and withdrawal permission is enabled, an attacker could transfer your assets out.
Security Best Practices
Always Set an IP Whitelist
This is the single most important security measure. In the API management page, bind specific IP addresses to each API key. Once set, only requests from whitelisted IPs will be executed. If your program runs on a server with a static IP, this is a must.
If you don't set an IP whitelist, Binance will limit the key's validity to 90 days, requiring recreation after expiry. Keys with an IP whitelist have no expiration.
Principle of Least Privilege
Only enable permissions you actually need. If you only need to read data, don't enable trading. If you only do spot trading, don't enable futures. Never enable all permissions "for convenience."
Don't Hardcode Keys in Source Code
API keys should never be written directly into code, especially if your code is uploaded to public platforms like GitHub. Use environment variables or separate configuration files, and ensure config files are excluded from version control.
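One way to follow this advice, shown as an added example rather than code from the original article: credentials are read from environment variables, the secret is excluded from repr output so it cannot leak into logs, and a regex check flags key-like literals in source text before a commit. The variable names BINANCE_API_KEY and BINANCE_API_SECRET and the literal pattern are assumptions chosen for this example.

```python
import os
import re
from dataclasses import dataclass, field

# Hypothetical environment variable names chosen for this example.
ENV_KEY = "BINANCE_API_KEY"
ENV_SECRET = "BINANCE_API_SECRET"

@dataclass(frozen=True)
class ApiCredentials:
    api_key: str
    # repr=False keeps the secret out of logs, tracebacks and debuggers.
    secret_key: str = field(repr=False)

    @classmethod
    def from_env(cls, env=os.environ):
        key, secret = env.get(ENV_KEY, ""), env.get(ENV_SECRET, "")
        if not key or not secret:
            # Fail closed: never fall back to a default baked into the code.
            raise RuntimeError(f"set {ENV_KEY} and {ENV_SECRET} in the environment")
        return cls(api_key=key, secret_key=secret)

# Assumption: a hardcoded credential looks like a long alphanumeric literal
# assigned to a name containing "key" or "secret". Tune for your codebase.
_HARDCODED = re.compile(
    r"""\b(\w*(?:key|secret)\w*)\s*[:=]\s*["']([A-Za-z0-9]{32,})["']""",
    re.IGNORECASE,
)

def find_hardcoded_secrets(source: str):
    """Return (line_number, variable_name) for each suspicious literal."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in _HARDCODED.finditer(line):
            hits.append((lineno, match.group(1)))
    return hits
```

Run `find_hardcoded_secrets` over staged files in a pre-commit hook so a pasted key is caught before it reaches version control.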
Rotate Keys Regularly
Replace your API keys every few months — delete the old ones and create new ones. This limits the exposure window if a key is compromised at any point.
Monitor API Activity
Binance provides API call logs. Check periodically for anomalies like requests from unfamiliar IPs or unusual trading activity during odd hours.
API Rate Limits
Binance imposes rate limits on API calls. The spot API has a request weight limit of 1,200 per minute and an order rate limit of 100 per 10 seconds. Futures APIs have similar limits. Exceeding these limits results in temporary IP bans, and severe violations may lead to API access suspension.
When developing quant programs, implement proper rate limiting with request queues and backoff mechanisms to avoid hitting these limits.
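A client-side limiter for the two spot limits quoted above (1,200 request weight per minute, 100 orders per 10 seconds), with a capped exponential backoff helper. This is an added example, not code from the original article or from Binance; the class and function names are hypothetical, and the clock and sleep functions are injectable so the logic can be tested without waiting.

```python
import time
from collections import deque

class WindowBudget:
    """Sliding window: at most `limit` units per `window` seconds."""
    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.events, self.used = deque(), 0  # events: (timestamp, cost), oldest first

    def wait_needed(self, cost):
        """Seconds until `cost` more units fit in the window (0.0 means now)."""
        if cost > self.limit:
            raise ValueError("cost exceeds the whole window budget")
        now = self.clock()
        while self.events and now - self.events[0][0] >= self.window:
            self.used -= self.events.popleft()[1]  # drop expired spend
        used, free_at = self.used, now
        for stamp, spent in self.events:
            if used + cost <= self.limit:
                break
            used, free_at = used - spent, stamp + self.window
        return max(0.0, free_at - now)

    def record(self, cost):
        self.events.append((self.clock(), cost))
        self.used += cost

class SpotLimiter:
    """Client-side guard for the two spot limits quoted in the article."""
    def __init__(self, clock=time.monotonic, sleep=time.sleep):
        self.sleep = sleep
        self.weight = WindowBudget(1200, 60, clock)  # request weight per minute
        self.orders = WindowBudget(100, 10, clock)   # orders per 10 seconds

    def acquire(self, weight, is_order=False):
        """Block until the call fits both budgets; return seconds waited."""
        waited = 0.0
        while (delay := max(self.weight.wait_needed(weight),
                            self.orders.wait_needed(1) if is_order else 0.0)) > 0:
            self.sleep(delay)
            waited += delay
        self.weight.record(weight)
        if is_order:
            self.orders.record(1)
        return waited

def backoff_delay(attempt, base=1.0, cap=60.0):
    """Delay before retrying a rejected call: exponential, capped at `cap`."""
    return min(cap, base * 2 ** attempt)
```

Call `acquire` with the endpoint's weight before every request, and sleep for `backoff_delay(attempt)` before retrying if the server still rejects a call.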
Common Questions
How many API keys can I create? Regular users can create up to 30 API keys — more than enough for most people.
What if I forgot my Secret Key? You can only delete the API key and create a new one. There's no way to recover a lost Secret Key.
My API key suddenly stopped working? Check that the IP whitelist is correct, permissions are complete, and the key hasn't expired (keys without IP binding expire after 90 days). If everything checks out, you may have hit a rate limit — wait a few minutes and try again.
Summary
API keys are the bridge between your Binance account and external programs. The creation process is simple, but security configuration is critical. Remember three core principles: set an IP whitelist, minimize permissions, and protect your Secret Key. Follow these, and you can safely use API keys to enhance your trading efficiency.