Where should I store exchange API keys for maximum security?

For maximum security, MagicTradeBot strongly recommends storing all exchange API credentials using environment variables, not directly inside configuration files such as application.yaml.

Environment variables provide a safer, production-grade way to manage sensitive credentials while reducing the risk of accidental exposure.


Why environment variables are the safest option

Storing API keys in environment variables offers several security advantages:

  • Credentials are not stored in files that may be committed to Git, backed up, or shared
  • Secrets are kept outside the application codebase
  • Different environments (demo, staging, production) can use different keys without changing files
  • Environment variables automatically override YAML values, preventing accidental misuse

MagicTradeBot is designed to read API keys from environment variables first, and only fall back to YAML values if variables are not set.


Supported environment variables by exchange

MagicTradeBot supports secure environment-based credentials for all officially supported exchanges:

Binance

BINANCE_API_KEY
BINANCE_API_SECRET

Bybit

BYBIT_API_KEY
BYBIT_API_SECRET

OKX

OKX_API_KEY
OKX_API_SECRET
OKX_PASSPHRASE

Bitget

BITGET_API_KEY
BITGET_API_SECRET
BITGET_PASSPHRASE

Hyperliquid (wallet-based)

HYPERLIQUID_PRIVATE_KEY

Best practices for API key security

To ensure maximum protection:

  • Always whitelist your server’s public IP in the exchange API settings
  • Disable withdrawal permissions on all bot API keys
  • ✅ Enable only:
    • Trade (required)
    • Read / Account Info (optional)
  • ❌ Never store API keys in public repositories
  • ❌ Never share API keys via email or chat

Platform-specific setup recommendations

  • Linux / macOS: Use shell exports or .env files with restricted permissions
  • Windows: Use system environment variables or PowerShell setx
  • Docker / Cloud deployments: Use Docker secrets, environment injection, or cloud secret managers
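
For the Linux / macOS option above, the following preflight check is an added example, not MagicTradeBot's own code: it refuses a .env file that group or other users can access, loads it, and reports which of the variable names listed on this page are still unset for the chosen exchange. The function names and the KEY=VALUE layout of the .env file are assumptions.

```shell
#!/usr/bin/env bash
# Added example: preflight check for exchange credentials (not MagicTradeBot code).

# Variable names per exchange, exactly as listed on this page.
required_vars() {
  case "$1" in
    binance)     echo "BINANCE_API_KEY BINANCE_API_SECRET" ;;
    bybit)       echo "BYBIT_API_KEY BYBIT_API_SECRET" ;;
    okx)         echo "OKX_API_KEY OKX_API_SECRET OKX_PASSPHRASE" ;;
    bitget)      echo "BITGET_API_KEY BITGET_API_SECRET BITGET_PASSPHRASE" ;;
    hyperliquid) echo "HYPERLIQUID_PRIVATE_KEY" ;;
    *)           return 1 ;;
  esac
}

# True only for a regular, non-symlink file with no group/other permission bits.
env_file_is_private() {
  [ -f "$1" ] && [ ! -L "$1" ] || return 1
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  case "$mode" in
    *00) return 0 ;;   # e.g. 600 or 400
    *)   return 1 ;;   # e.g. 644 or 640
  esac
}

# Usage: check_exchange_env <exchange> [env-file]
# Returns 0 = all set, 1 = variables missing, 2 = unknown exchange, 3 = file too open.
check_exchange_env() {
  exchange=$1; env_file=${2:-}
  vars=$(required_vars "$exchange") || { echo "unknown exchange: $exchange" >&2; return 2; }
  if [ -n "$env_file" ]; then
    env_file_is_private "$env_file" || {
      echo "refusing $env_file: run chmod 600 on it first" >&2; return 3; }
    case "$env_file" in */*) ;; *) env_file="./$env_file" ;; esac  # avoid PATH lookup
    # Sourcing runs the file as shell code, so group/other must have no access (checked above).
    set -a; . "$env_file"; set +a
  fi
  missing=""
  for v in $vars; do
    eval "val=\${$v:-}"            # $v comes only from the fixed list above
    [ -n "$val" ] || missing="$missing $v"
  done
  [ -z "$missing" ] || { echo "missing:$missing" >&2; return 1; }
  echo "$exchange: all credentials present (values not printed)"
}
```

Run it in the same shell session that starts the bot, for example check_exchange_env okx ~/.magictradebot.env (a hypothetical path), so the exported variables are inherited by the bot process.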

🔐 Environment variables are the industry standard used by professional trading platforms, cloud services, and enterprise-grade systems.


What happens if API keys are stored in application.yaml?

MagicTradeBot allows API keys in application.yaml only for local testing or demo environments.

However, this is not recommended for live trading because:

  • Files can be copied or leaked
  • Accidental commits may expose keys
  • Server access may reveal credentials

✅ Key takeaway

  • Environment variables are the most secure and recommended method
  • They isolate sensitive data from code and configuration files
  • MagicTradeBot automatically prioritizes them over YAML settings
  • Following this approach significantly reduces security risks
