Can MagicTradeBot work without storing API keys in application.yaml?


Yes. MagicTradeBot is designed to work fully without storing API keys in application.yaml, and this is the highly recommended approach.

In fact, for live trading and production environments, using environment variables instead of YAML files is the preferred and safest setup.


How MagicTradeBot loads API credentials

MagicTradeBot follows a secure loading order:

  1. Environment variables (highest priority – recommended)
  2. Values defined in application.yaml (fallback only)

If API credentials are found in environment variables, the bot completely ignores the values in application.yaml.

This means:

  • You can leave API fields empty in YAML
  • No secrets are stored in configuration files
  • The bot will still connect and trade normally

Why environment variables are preferred

Using environment variables provides multiple advantages:

  • 🔐 Improved security – credentials are not stored in files
  • 🧩 Cleaner configuration – YAML remains non-sensitive
  • 🚀 Production-ready – standard for servers, Docker, and cloud
  • 🔄 Easy rotation – change keys without editing config files
  • 🛑 Prevents accidental leaks via Git or backups

MagicTradeBot was built with this approach in mind from day one.


Example: API fields in application.yaml

You can safely keep them empty:

Exchange:
  APIKEY: ""
  APISECRET: ""
  Passphrase: ""

As long as environment variables are set correctly, the bot will authenticate successfully.


Supported environment variables

MagicTradeBot supports environment variables for all officially supported exchanges, including:

  • BINANCE_API_KEY / BINANCE_API_SECRET
  • BYBIT_API_KEY / BYBIT_API_SECRET
  • OKX_API_KEY / OKX_API_SECRET / OKX_PASSPHRASE
  • BITGET_API_KEY / BITGET_API_SECRET / BITGET_PASSPHRASE
  • HYPERLIQUID_PRIVATE_KEY

What happens if neither YAML nor environment variables are set?

  • In demo mode, the bot will still run (no exchange connectivity)
  • In live trading mode, the bot will fail to authenticate and stop execution
  • Clear startup logs will indicate missing credentials
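
A pre-flight check for the setup described above, as an added example that is not part of MagicTradeBot: it confirms the environment variables for one exchange are set and that the credential fields in application.yaml are still empty. The lowercase exchange labels and function names are this script's own; the variable and field names are the ones listed on this page.

```sh
#!/bin/sh
# Added example, not MagicTradeBot code. Exchange labels (okx, bybit, ...) are
# this script's own; variable and YAML field names are the ones on this page.

required_vars() {                      # env vars each exchange needs
  case "$1" in
    binance)     echo "BINANCE_API_KEY BINANCE_API_SECRET" ;;
    bybit)       echo "BYBIT_API_KEY BYBIT_API_SECRET" ;;
    okx)         echo "OKX_API_KEY OKX_API_SECRET OKX_PASSPHRASE" ;;
    bitget)      echo "BITGET_API_KEY BITGET_API_SECRET BITGET_PASSPHRASE" ;;
    hyperliquid) echo "HYPERLIQUID_PRIVATE_KEY" ;;
    *)           return 1 ;;
  esac
}

# Print the names (never the values) of required variables that are unset or empty.
missing_env() {
  vars=$(required_vars "$1") || { echo "unknown exchange: $1" >&2; return 2; }
  missing=""
  for v in $vars; do
    eval "val=\${$v:-}"                # names come from the fixed list above
    if [ -z "$val" ]; then missing="$missing $v"; fi
  done
  if [ -n "$missing" ]; then echo "${missing# }"; return 1; fi
}

# Print line:field for each credential field in the YAML that is not empty.
yaml_secrets() {
  awk -v sq="''" '
    /^[ \t]*(APIKEY|APISECRET|Passphrase)[ \t]*:/ {
      key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*:.*/, "", key)
      val = $0; sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]*(#.*)?$/, "", val)
      if (val != "" && val != "\"\"" && val != sq) { print NR ":" key; bad = 1 }
    }
    END { exit bad }' "$1"
}

preflight() {                          # usage: preflight <exchange> <yaml path>
  rc=0
  if ! m=$(missing_env "$1"); then echo "FAIL: env not set: $m" >&2; rc=1; fi
  if ! y=$(yaml_secrets "$2"); then echo "FAIL: secret in $2 at $y" >&2; rc=1; fi
  return $rc
}

if [ "$#" -eq 2 ]; then preflight "$1" "$2"; exit $?; fi
```

Saved under a hypothetical name such as preflight.sh, it runs as `sh preflight.sh okx application.yaml` and exits non-zero if a variable is missing or a secret is still present in the YAML.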

✅ Key takeaway

  • MagicTradeBot does not require API keys in application.yaml
  • Environment variables are fully supported and strongly recommended
  • This approach provides maximum security with zero functional trade-offs
