The MagicTradeBot Bot Instance is a cross-platform executable that supports Windows, Linux, and macOS. It is designed to run standalone or alongside multiple instances, with configuration handled through a central .yaml file.
Each bot instance connects to the MagicTradeBot Management App API for authentication, trade execution, and real-time market scanning. This document explains configuration parameters and secure communication best practices.
📄 YAML Configuration Structure
The core configuration for each bot instance is stored in a config.yaml file. Below is a reference layout:
server:
  # Name
  botName: "Bybit_Mainnet_Trading_Bot" # Unique name for the bot instance

  # LICENSE KEY
  licenseKey: "hRnWOLo91ESUiZ8SkN986w" # Required to activate and validate the bot instance

  # DEMO MODE SETTING
  isDemo: true # true = simulation mode; false = live trading

  # API CONFIGURATION
  api: "https://localhost:7225/" # URL of MagicTradeBot Management API

  # EXECUTION CONTROL
  refreshRate: 5 # Market scan interval in seconds
  totalConcurrentTrades: 0 # Max simultaneous trades (0 = unlimited)

  # RISK MANAGEMENT (0 = disabled)
  maxLoss: 0 # Bot will stop if cumulative losses reach this threshold
  maxProfit: 0 # Bot will stop if cumulative profits reach this threshold

  # ACCOUNT SETTINGS
  exchangeId: 0 # Account ID to trade on (retrieved from Management App)

  # TEMPLATE SETTINGS
  templateId: 0 # Template ID for dedicated strategy (0 = default)

  # TRADING STRATEGY
  strategy: 0 # Strategy ID (see list below)
  strategyMaxCount: 55 # Max progression steps (0 = unlimited)
  # STRATEGY REFERENCE:
  # 0: No strategy
  # 1: Martingale        2: Reverse Martingale
  # 3: Fibonacci         4: Fibonacci Reverse
  # 5: 3-2-6-3           6: 3-2-6-3 Reverse
  # 7: D'Alembert        8: D'Alembert Reverse

  timeZone: "UTC" # Timezone for scheduling and trade operations

  # SYSTEM SETTINGS
  debug: true # Enable verbose logging
🔐 Secure Communication Guidelines
Since bot instances interact with the Management API to fetch symbols, scan markets, and execute trades, securing this communication is critical. Below are key practices to enforce:
1. Use HTTPS for API Endpoints
- Ensure the api field in the config uses an HTTPS URL
- Use valid TLS certificates (e.g., via Let’s Encrypt) to encrypt traffic
- Reject all insecure HTTP connections to the Management App
2. Enforce JWT Authentication
- During startup, the bot instance requests a JWT token by supplying credentials
- Upon validation, the Management App returns a token that is attached to every subsequent request via the Authorization header
- Tokens should have a short expiration time and be stored securely in memory
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
3. Restrict Access with IP Whitelisting
- Restrict access to the Management API to known IP addresses where bot instances run
- Implement firewall rules to block unauthorized external access
4. Protect API Keys and License Keys
- Never hardcode secrets into source code or expose them in logs
- Load secrets via environment variables or an encrypted secrets manager
- Rotate license keys and exchange API credentials periodically
5. Isolate Each Bot Instance
- Assign each bot a unique botName and deploy in isolated containers or environments
- Limit permissions per bot instance if using OS-level ACLs
6. Monitor and Audit API Usage
- Enable audit logging on the Management App
- Log all JWT authentication attempts and invalid access patterns
- Set up alerting via Sentry, Pushover, or LogDNA for anomaly detection
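A pre-deployment check for guidelines 1, 4 and 5, as an added example (not MagicTradeBot code): it reads one or more config.yaml texts and reports a non-HTTPS api URL, a literal licenseKey, debug logging while isDemo is false, and duplicate botName values. The sample config, the line-based parser, and the `${NAME}` placeholder convention for a license key injected at deploy time are assumptions, not documented bot features.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a live-trading config that breaks several guidelines.
SAMPLE = '''\
server:
  botName: "Bybit_Mainnet_Trading_Bot"
  licenseKey: "EXAMPLE-LICENSE-KEY"
  isDemo: false
  api: "http://10.0.0.5:7225/"
  debug: true
'''

# Assumed convention: a value like ${MTB_LICENSE_KEY} is filled in at deploy time.
ENV_REF = re.compile(r'^\$\{\w+\}$')

def parse_flat(text):
    """Read the `key: value  # comment` lines of a bot config.yaml into a dict."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+):\s*("[^"]*"|[^#\s]+)', line)
        if m:  # comment lines and the bare `server:` line do not match
            cfg[m.group(1)] = m.group(2).strip('"')
    return cfg

def audit(configs):
    """Return (botName, finding) pairs for a list of config.yaml texts."""
    findings, seen = [], set()
    for text in configs:
        cfg = parse_flat(text)
        name = cfg.get("botName", "<unnamed>")
        live = cfg.get("isDemo", "true").lower() == "false"
        if urlparse(cfg.get("api", "")).scheme != "https":
            findings.append((name, "api is not an HTTPS URL"))
        key = cfg.get("licenseKey", "")
        if key and not ENV_REF.match(key):
            findings.append((name, "licenseKey stored as a literal in the file"))
        # Verbose logs are a common place for secrets to leak (guideline 4).
        if live and cfg.get("debug", "false").lower() == "true":
            findings.append((name, "debug logging enabled while live trading"))
        if name in seen:
            findings.append((name, "botName reused by another instance"))
        seen.add(name)
    return findings

if __name__ == "__main__":
    for bot, issue in audit([SAMPLE, SAMPLE]):
        print(f"{bot}: {issue}")
```

Run it in CI or a deploy script against every instance's config file and fail the deployment when the returned list is non-empty.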
✅ Recommendations
- 📌 Use strong passwords and encrypted communication between all services
- 📌 Isolate bot infrastructure from public network exposure
- 📌 Apply software updates to both Management and Bot Apps regularly
- 📌 Schedule automated backups of bot configurations and trading history