Importing API Keys

This document explains how to import API keys into Cryptowatch for use with our trading interface.

We currently support this feature for six exchanges:

  • Kraken
  • Poloniex
  • Bitfinex
  • Coinbase (GDAX)
  • Bitstamp

You can import keys to your account in Account > API Keys.

Security

We do our best to keep API keys secure. We have never had a database breach of any kind. All API keys are encrypted in motion and at rest. You can permanently revoke your keys from our database at any time.

Key Permissions

Every exchange has its own interface for generating API keys, and part of this is choosing key permissions. It's best practice to select as few permissions as needed.

For your own safety, do not grant withdrawal permissions when generating API keys for Cryptowatch. This is never enabled by default, but please be sure not to enable it by mistake. Cryptowatch only needs permissions to do the following:

  • query your funds, orders, and trades
  • open orders
  • cancel orders

Granting any other permissions on your key puts you at more risk than needed.

Best Practices

Follow these best practices to minimize your risk:

  1. When generating an API key for a third party application like Cryptowatch, never "back up" your key in any way. There is no reason to back up an API key. You can always generate a fresh one. Unless you are personally using the key in code that you're running, you have no reason to store it anywhere.

  2. When generating a key, simply copy it from the exchange's website into the Cryptowatch interface and close the original tab where you generated it.

  3. Generate a fresh key for each application. The key you import to Cryptowatch should not be used anywhere else. This allows you to disable keys individually should you choose to.

  4. When generating keys, do so in a browser with no extensions installed (or with extensions disabled).

Errors

There are three possible error states for an API key. If our application determines a key to have an error, it will stop trying to use the key and you will have to replace it with a fresh one.

Invalid Key

This state means the exchange is rejecting your API key as invalid. It's possible the key has been deleted or expired.

To resolve this error: Replace the key with a freshly generated one.

Unprivileged Key

This state means the exchange is rejecting your API key as lacking proper permissions.

To resolve this error: Replace the key with a freshly generated one, with the permissions required. See the Key Permissions section above.

Key Not Exclusive

This state means the exchange is returning nonce errors. A nonce error indicates the key is also being used somewhere else, whether by a different application, program, script, or some other means.

To resolve this error: Replace the key with a freshly generated one, which you only use for Cryptowatch. This is good practice in general.
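
The mechanism behind this error, shown as an added example that is not Cryptowatch's or any exchange's code: it assumes a simplified exchange that rejects any request whose nonce is not strictly greater than the last one it accepted for that key. The class names, key labels and counter start values are constructed for illustration.

```python
import itertools


class NonceChecker:
    """Simplified exchange-side rule (assumption): per key, nonces must strictly increase."""

    def __init__(self):
        self.last_seen = {}  # key id -> highest nonce accepted so far

    def accept(self, key_id, nonce):
        if nonce <= self.last_seen.get(key_id, -1):
            return False  # stale or repeated nonce: the exchange returns a nonce error
        self.last_seen[key_id] = nonce
        return True


class Client:
    """An application signing requests with one key and its own private nonce counter."""

    def __init__(self, key_id, start):
        self.key_id = key_id
        self.counter = itertools.count(start)

    def send(self, exchange):
        return exchange.accept(self.key_id, next(self.counter))


def count_nonce_errors(clients, rounds=5):
    """Interleave requests from all clients; return the rejection count per client."""
    exchange = NonceChecker()
    errors = [0] * len(clients)
    for _ in range(rounds):
        for i, client in enumerate(clients):
            if not client.send(exchange):
                errors[i] += 1
    return errors


def shared_key_scenario():
    # Constructed case: two applications reuse one key; their counters are unaware of each other.
    return count_nonce_errors([Client("key-A", 100), Client("key-A", 102)])


def exclusive_key_scenario():
    # Constructed case: one fresh key per application, so each nonce sequence is independent.
    return count_nonce_errors([Client("key-A", 100), Client("key-B", 102)])


if __name__ == "__main__":
    print("shared key, errors per app:   ", shared_key_scenario())
    print("exclusive keys, errors per app:", exclusive_key_scenario())
```

With a shared key, the application whose counter lags is rejected on nearly every request, which is the pattern reported as Key Not Exclusive; with one key per application neither sees an error.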