MagicTradeBot is designed with minimum-permission access in mind. It only requires the permissions that are strictly necessary to execute trades, manage risk, and monitor account state.
The bot does not require full account access and never needs withdrawal permissions.
Required API permissions (Futures trading)
For MagicTradeBot to operate correctly with futures trading, the following permissions are required:
✅ Trade (Required)
This is the only mandatory permission.
It allows the bot to:
- Open LONG and SHORT futures positions
- Close positions (manual, TP, SL, emergency close)
- Place DCA orders
- Execute partial closes and take-profit logic
Without this permission, no trades can be executed.
✅ Read / Account Info (Recommended)
This permission is highly recommended but optional.
It allows the bot to:
- Fetch available balance
- Monitor open positions
- Track unrealized and realized PnL
- Validate leverage, margin, and position status
- Support advanced strategies that depend on balance awareness
Some intelligent features may be limited if this permission is disabled.
Optional permissions used in specific scenarios
Depending on your configuration, MagicTradeBot may also interact with:
Leverage & margin settings
- Used when
SetLeverageStartupor similar features are enabled - Requires trading permission (covered by Trade access)
- Used when
No additional permissions are required beyond Trade and Read.
🚫 Permissions that should NEVER be enabled
For security reasons, never enable the following permissions on your bot API key:
- ❌ Withdrawals
- ❌ Asset transfers
- ❌ Sub-account management
- ❌ API key management
MagicTradeBot does not use these permissions under any circumstance.
Exchange compatibility
All officially supported exchanges support the required permission model:
- Binance
- Bybit
- OKX
- Bitget
- Hyperliquid
The permission naming may differ slightly across exchanges, but the functional requirement remains the same:
Trade + Read access only
Best-practice security checklist
- ✅ Enable Trade permission
- ✅ Enable Read / Account Info permission
- ❌ Disable Withdrawals
- ✅ Whitelist your server IP
- ✅ Store API keys using environment variables
✅ Key takeaway
MagicTradeBot requires minimal and safe API permissions:
- Trade (mandatory)
- Read / Account Info (recommended)
This limited access model ensures:
- Secure trading
- Reduced attack surface
- Protection against unauthorized fund movements
📎 Related Topics
- Where should I store exchange API keys for maximum security?
- Should I whitelist my server IP for exchange API keys?
- Why should withdrawal permissions never be enabled for bot API keys?
- Can MagicTradeBot work without storing API keys in application.yaml?
- How do environment variables override API keys in the config file?