
How to create Binance and OKX API keys for a trading bot

A trading bot needs permission to place orders on your exchange, but it does not need to hold your money or be able to withdraw it. You grant that permission with an API key: a scoped credential you can create — and revoke — without touching your password. The goal is least privilege: enough access to trade, nothing more. This guide covers creating a trade-only key on both Binance and OKX. For a deeper look at the Binance-specific settings, see how to create a trade-only Binance API key.

Creating a trade-only API key on Binance

  1. Open API Management in your Binance account and create a new API key. Give it a label tied to the specific tool so you can revoke it in isolation later.
  2. Turn on the "Enable Spot & Margin Trading" permission; spot is what a grid bot uses.
  3. Leave Enable Withdrawals turned off. This is the single most important setting.
  4. Add an IP access restriction if the tool has a stable outbound address.
  5. Copy the secret once and store it securely — Binance shows it only at creation.

Creating a trade-only API key on OKX

OKX works the same way in principle, with one extra credential: a passphrase you choose yourself.

  1. In OKX, go to your profile menu and open API (API keys live under your account settings, not the trading screen).
  2. Create a new V5 API key. Set a passphrase you can remember — you will need the key, the secret and this passphrase to authenticate. Treat it as a second secret.
  3. For permissions, select Trade (and Read if it is listed separately). Do not select Withdraw.
  4. Bind the key to a trusted IP where you can. OKX lets you restrict a key to specific IP addresses at creation.
  5. Save the API key, secret and passphrase securely. As with Binance, the secret is shown only once.

Why "no withdrawal" is the rule

Across both exchanges, withdrawal is the one permission that lets funds leave your account. Without it, the worst a compromised key can do is place trades — bad, but bounded and recoverable. A tool that asks for withdrawal rights is asking for the keys to the vault; a grid bot has no reason to. Pairing "trade only" with an IP allowlist means a stolen key is both limited in what it can do and useless from anywhere else.
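An added example, not GRIDVULCAN's or either exchange's code: a check that a Binance key matches the trade-only profile described above. It assumes the field names returned by Binance's GET /sapi/v1/account/apiRestrictions endpoint; both sample responses are constructed.

```python
# Permissions a spot grid bot needs, per this guide: read + spot trading.
REQUIRED = {"enableReading", "enableSpotAndMarginTrading"}

def audit_key(restrictions: dict) -> list[str]:
    """Return least-privilege findings for one key; an empty list means it passes."""
    findings = []
    # Fail closed: a missing field is treated the same as an unsafe value.
    if restrictions.get("enableWithdrawals") is not False:
        findings.append("CRITICAL: withdrawals enabled or not reported")
    if restrictions.get("ipRestrict") is not True:
        findings.append("WARN: no IP access restriction")
    for perm in sorted(REQUIRED):
        if restrictions.get(perm) is not True:
            findings.append(f"INFO: {perm} is off, the bot cannot trade")
    # Any other permission flag switched on is access the bot does not need.
    for name, value in sorted(restrictions.items()):
        is_flag = name.startswith(("enable", "permits"))
        if is_flag and value is True and name not in REQUIRED | {"enableWithdrawals"}:
            findings.append(f"WARN: unneeded permission {name}")
    return findings

# Constructed sample responses (field names assumed from the Binance endpoint).
TRADE_ONLY = {
    "ipRestrict": True, "createTime": 1700000000000,
    "enableReading": True, "enableSpotAndMarginTrading": True,
    "enableWithdrawals": False, "enableFutures": False,
    "enableInternalTransfer": False, "permitsUniversalTransfer": False,
}
OVER_PRIVILEGED = {
    "ipRestrict": False, "createTime": 1700000000000,
    "enableReading": True, "enableSpotAndMarginTrading": True,
    "enableWithdrawals": True, "enableFutures": True,
    "enableInternalTransfer": False, "permitsUniversalTransfer": False,
}

if __name__ == "__main__":
    for label, resp in (("trade-only", TRADE_ONLY), ("over-privileged", OVER_PRIVILEGED)):
        print(label, audit_key(resp) or "OK")
```

Run it against the real response right after creating the key and again on a schedule, so a permission that gets switched on later is noticed.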

Good hygiene after you create the key

How this maps to GRIDVULCAN

GRIDVULCAN connects to Binance and OKX with exactly this model: you paste a trade-only key (plus the passphrase on OKX), your funds stay in your own exchange account, and the credentials are encrypted and bound to your account so a stolen database row cannot be reused elsewhere. It is the same least-privilege idea, enforced in the architecture. For the bigger picture on custody, see what a non-custodial grid trading bot means.

Frequently asked questions

What API permissions does a grid trading bot need?

Read access (to see balances and open orders) and spot trading (to place and cancel orders). It does not need withdrawal permission, and it never needs your account password. Granting only 'read + spot trade' keeps the blast radius of a leaked key as small as possible.

Should I enable withdrawals on an API key for a bot?

No. Withdrawal permission is the only one that lets value leave your exchange account. A grid bot has no legitimate reason to move funds off the exchange, so leaving withdrawals disabled means even a stolen key cannot drain your account.

What is the OKX API passphrase?

OKX requires three credentials instead of two: an API key, a secret key, and a passphrase you choose when creating the key. All three are needed to authenticate requests. Store the passphrase as carefully as the secret — losing it means you must recreate the key.

Why should I set an IP allowlist on my API key?

An IP allowlist (or whitelist) ties the key to specific outbound addresses. Even if the key and secret leak, requests from any other IP are rejected. If the tool connecting to your exchange has a stable IP, restricting the key to it is one of the strongest single protections available.

Risk notice

Crypto trading involves substantial risk. Grid strategies can lose money, including your full allocated capital, in strongly trending or highly volatile markets. Nothing on this page is financial advice.


GRIDVULCAN is a non-custodial BTC/USDT grid bot, in private beta.
