April 26, 2026 · 6 min read · By Stefano, Founder

Non-Custodial Trading: Why Your API Keys Should Never Leave Your Exchange

In 2024 alone, over $1.8 billion was lost in crypto exchange hacks and platform collapses. FTX taught the world an expensive lesson: if you do not hold your keys, you do not hold your coins. But when it comes to trading bots, most people do not think about custody at all. They hand over API keys, deposit funds into bot platforms, and hope for the best.

This article explains the critical difference between custodial and non-custodial trading platforms, how API keys actually work, and what security standards you should demand from any trading bot you use.

Custodial vs. Non-Custodial: What Is the Difference?

Custodial Platforms

A custodial trading bot requires you to deposit your cryptocurrency into the bot platform's wallets. The platform holds your funds and trades on your behalf from their own accounts.

The risks are enormous: the platform's wallets become one large target for attackers, the platform can freeze withdrawals or collapse outright, as FTX did, and once the funds are in an account you do not control there is nothing you can do from your side.

Non-Custodial Platforms

A non-custodial trading bot never touches your funds. Your money stays on your exchange (Bybit, Binance, OKX, etc.) at all times. The bot connects to your exchange account via API keys that have trading permissions only — no withdrawal permissions.

The advantages follow directly: the platform never holds your funds, a leaked or stolen key cannot withdraw, your exchange's own withdrawal password and 2FA still protect the balance, and you can cut the bot off at any moment by deleting the key on the exchange.

The golden rule of crypto trading bots: if a platform asks you to deposit funds into their wallets, walk away. There is no legitimate reason a trading bot needs custody of your money.

How API Keys Actually Work

API keys are the mechanism that makes non-custodial trading possible. Here is how they work:

  1. You create an API key on your exchange (e.g., Bybit). During creation, you specify permissions: "read" (view balances and positions), "trade" (place and cancel orders), and "withdraw" (send funds off the exchange). Exact names vary by exchange, and some split "trade" further, for example into spot and derivatives.
  2. You disable withdrawal permission. This is critical. With only read and trade permissions, the API key can place orders but cannot move funds off the exchange. Leave withdrawal off even if a bot describes it as optional.
  3. You provide the API key and secret to the bot platform. The key ID identifies your account; the secret is the actual credential. Anyone holding the secret can sign requests as you, which is why how the platform stores it matters. The bot uses the pair to authenticate with the exchange's API and execute trades on your behalf.
  4. Every authenticated API call is signed. The client computes an HMAC-SHA256 over the request (its parameters plus a timestamp) using the secret, and the exchange recomputes the same MAC with its own copy before executing anything. The secret itself never travels over the wire, and the timestamp lets the exchange reject stale or replayed requests. Most major exchanges use HMAC-SHA256; some also offer RSA or Ed25519 key pairs, where the exchange holds only your public key.

Most exchanges also support IP whitelisting: you restrict the key to specific source IP addresses, so a key and secret exfiltrated from the bot platform's database are useless from any other server. Two caveats apply. Whitelisting does not help if the bot's own server is compromised, because the attacker's requests then arrive from the whitelisted address. And a trade-only key is not harmless in the wrong hands: an attacker can still buy and sell your entire balance, for example by trading it against their own orders in a thin market. Treat a suspected leak as urgent and delete the key on the exchange immediately.
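The flow in steps 1 to 4 plus the IP whitelist, played out end to end as an added example (editor's code, not DeepAlpha's and not any exchange's): the bot signs a request and a toy exchange gateway verifies it, rejecting a tampered body, a request replayed from a non-whitelisted host, a stale timestamp and a withdrawal attempted with a trade-only key. The header names and the string-to-sign layout (timestamp, key ID, receive window, body, under HMAC-SHA256) follow Bybit's v5 API; the endpoint-to-permission table, key ID, secret, IP addresses and order payloads are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Endpoint -> required permission. Paths follow Bybit's v5 layout; the
// mapping itself is an assumption made for this example.
var requiredPermission = map[string]string{
	"/v5/order/create":          "trade",
	"/v5/asset/withdraw/create": "withdraw",
}

// APIKey is the exchange-side record: secret, permissions chosen at creation, optional allowlist.
type APIKey struct {
	Secret                   string
	Permissions, IPAllowlist map[string]bool // empty allowlist = unrestricted
}

// Request is one signed call as the bot sends it; Body is signed verbatim.
type Request struct {
	Path, Body string
	Headers    map[string]string
}

// Sign computes HMAC-SHA256 over timestamp || keyID || recvWindow || body (Bybit v5 layout).
func Sign(secret, keyID string, tsMs, windowMs int64, body string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	fmt.Fprintf(mac, "%d%s%d%s", tsMs, keyID, windowMs, body)
	return hex.EncodeToString(mac.Sum(nil))
}

// BuildRequest is the bot side: it holds the secret and signs each call.
func BuildRequest(keyID, secret, path, body string, tsMs, windowMs int64) Request {
	return Request{Path: path, Body: body, Headers: map[string]string{
		"X-BAPI-API-KEY":     keyID,
		"X-BAPI-TIMESTAMP":   strconv.FormatInt(tsMs, 10),
		"X-BAPI-RECV-WINDOW": strconv.FormatInt(windowMs, 10),
		"X-BAPI-SIGN":        Sign(secret, keyID, tsMs, windowMs, body),
	}}
}

// Gateway is the exchange side: it recomputes the MAC from its own copy of the
// secret, then enforces allowlist, replay window and permission scope.
type Gateway struct{ Keys map[string]APIKey }

func (g Gateway) Handle(r Request, sourceIP string, nowMs int64) string {
	keyID := r.Headers["X-BAPI-API-KEY"]
	key, ok := g.Keys[keyID]
	if !ok {
		return "rejected: unknown api key"
	}
	if len(key.IPAllowlist) > 0 && !key.IPAllowlist[sourceIP] {
		return "rejected: source ip not allowlisted"
	}
	ts, err1 := strconv.ParseInt(r.Headers["X-BAPI-TIMESTAMP"], 10, 64)
	win, err2 := strconv.ParseInt(r.Headers["X-BAPI-RECV-WINDOW"], 10, 64)
	// Bybit's rule: now - recvWindow <= ts < now + 1000; stale and replayed requests fail here.
	if err1 != nil || err2 != nil || ts < nowMs-win || ts >= nowMs+1000 {
		return "rejected: timestamp outside recv window"
	}
	expected := Sign(key.Secret, keyID, ts, win, r.Body)
	if !hmac.Equal([]byte(expected), []byte(r.Headers["X-BAPI-SIGN"])) {
		return "rejected: bad signature" // body or headers changed after signing
	}
	if needed, ok := requiredPermission[r.Path]; !ok || !key.Permissions[needed] {
		return "rejected: key lacks permission for " + r.Path // valid signature, wrong scope
	}
	return "ok"
}

// Demo runs the cases from the text against a trade-only, IP-restricted key.
// Key ID, secret, addresses and payloads are constructed for this example.
func Demo() map[string]string {
	const keyID, secret, botIP, now = "bot-key-01", "constructed-secret-do-not-reuse", "203.0.113.10", int64(1_700_000_000_000)
	gw := Gateway{Keys: map[string]APIKey{keyID: {Secret: secret,
		Permissions: map[string]bool{"read": true, "trade": true}, // no "withdraw"
		IPAllowlist: map[string]bool{botIP: true}}}}
	order := `{"category":"linear","symbol":"BTCUSDT","side":"Buy","orderType":"Market","qty":"0.01"}`
	withdraw := `{"coin":"USDT","amount":"1000","address":"0x0000000000000000000000000000000000000000"}`
	out := map[string]string{}
	good := BuildRequest(keyID, secret, "/v5/order/create", order, now, 5000)
	out["trade"] = gw.Handle(good, botIP, now)
	tampered := good // the MAC covers the original body, not this one
	tampered.Body = strings.Replace(order, `"0.01"`, `"10"`, 1)
	out["tampered"] = gw.Handle(tampered, botIP, now)
	out["stolen_key"] = gw.Handle(good, "198.51.100.7", now) // valid request, wrong host
	old := BuildRequest(keyID, secret, "/v5/order/create", order, now-60_000, 5000)
	out["replayed"] = gw.Handle(old, botIP, now)
	w := BuildRequest(keyID, secret, "/v5/asset/withdraw/create", withdraw, now, 5000)
	out["withdraw"] = gw.Handle(w, botIP, now)
	return out
}
```

Demo() returns the gateway's verdict for each scenario. The two failures worth comparing are tampered (the signature no longer matches, so the exchange never looks at the order) and withdraw (the signature is perfectly valid and the request is still refused, because scope is enforced after authentication).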

AES-256 Encryption: How Your Keys Should Be Stored

When you give your API keys to a trading bot platform, those keys need to be stored somewhere. How they are stored makes all the difference.

What Bad Platforms Do

Store API keys in plain text, or encrypt them with a key that sits in the same database as the ciphertext. One database leak, one exposed backup, or one insider then reveals every customer's trading credentials at once.

What Good Platforms Do

DeepAlpha encrypts every API key with AES-256-CBC before storing it in the database. The encryption key is derived from a per-user salt and a server-side master secret that is never stored alongside the data. Even our own team cannot read your API keys in plain text. Be precise about what that protects: the bot has to decrypt a key each time it signs a request, so "cannot read" means a database dump or backup on its own is useless without the master secret held on the application servers. An attacker with runtime access to those servers is a different threat, which is why trade-only permissions and IP whitelisting on the exchange side still matter. One more caveat for anyone evaluating a platform's answer to "how are keys stored": CBC provides confidentiality but no integrity check, so an authenticated mode such as AES-256-GCM, which rejects a modified row outright, is the usual recommendation for new designs.
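How a key-storage scheme of the kind described above can be built, as an added example (editor's code, not DeepAlpha's implementation): a per-user key is derived from a master secret and a per-user salt, the database row carries salt, nonce and ciphertext but never the master secret, and the user ID is bound in as authenticated data so a row cannot be re-pointed at another account. The example deliberately uses AES-256-GCM rather than CBC so that a bit-flipped row is rejected instead of decrypting to garbage; HMAC-SHA256 as the key-derivation step, the row layout and all secret values are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// StoredKey is the database row: everything an attacker obtains from a DB dump
// or backup. The master secret is deliberately not part of it.
type StoredKey struct {
	UserID     string
	Salt       []byte // per-user random salt, 16 bytes
	Nonce      []byte // per-row random nonce, 12 bytes (GCM standard size)
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

// deriveUserKey turns the server-side master secret plus the user's salt into a
// 32-byte AES-256 key. HMAC-SHA256 as the KDF is this example's assumption; the
// page does not say how the product derives its per-user keys.
func deriveUserKey(master, salt []byte, userID string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write(salt)
	m.Write([]byte("api-key-at-rest:" + userID)) // domain separation
	return m.Sum(nil)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds the row to its owner: user ID and salt are authenticated but not
// encrypted, so the same ciphertext copied onto another account fails to open.
func aad(rec StoredKey) []byte { return append([]byte(rec.UserID+"|"), rec.Salt...) }

// Encrypt seals one exchange API secret for one user.
func Encrypt(master []byte, userID, apiSecret string) (StoredKey, error) {
	rec := StoredKey{UserID: userID, Salt: make([]byte, 16), Nonce: make([]byte, 12)}
	if _, err := rand.Read(rec.Salt); err != nil {
		return StoredKey{}, err
	}
	if _, err := rand.Read(rec.Nonce); err != nil {
		return StoredKey{}, err
	}
	aead, err := newAEAD(deriveUserKey(master, rec.Salt, userID))
	if err != nil {
		return StoredKey{}, err
	}
	rec.Ciphertext = aead.Seal(nil, rec.Nonce, []byte(apiSecret), aad(rec))
	return rec, nil
}

// Decrypt is what the trading engine calls right before signing a request.
// GCM's tag check makes wrong-master, wrong-user and bit-flipped rows all fail
// the same way, with no partial plaintext leaking out.
func Decrypt(master []byte, rec StoredKey) (string, error) {
	aead, err := newAEAD(deriveUserKey(master, rec.Salt, rec.UserID))
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, rec.Nonce, rec.Ciphertext, aad(rec))
	if err != nil {
		return "", errors.New("api key unreadable: wrong master secret, wrong user, or tampered row")
	}
	return string(pt), nil
}

// Demo exercises the properties the text claims. The master secrets and the
// API secret are constructed values for the example.
func Demo() map[string]bool {
	master := bytes.Repeat([]byte{0x42}, 32)      // lives in a KMS or env var, never in the DB
	wrongMaster := bytes.Repeat([]byte{0x24}, 32) // a DB dump plus a guessed secret
	const apiSecret = "constructed-exchange-api-secret"
	rec, err := Encrypt(master, "user-1001", apiSecret)
	if err != nil {
		return map[string]bool{"encrypt_error": true}
	}
	out := map[string]bool{}
	pt, err := Decrypt(master, rec)
	out["roundtrip"] = err == nil && pt == apiSecret
	out["ciphertext_hides_secret"] = !bytes.Contains(rec.Ciphertext, []byte(apiSecret))
	_, err = Decrypt(wrongMaster, rec)
	out["wrong_master_fails"] = err != nil
	flipped := rec // copy the slice before flipping a bit, the original row stays intact
	flipped.Ciphertext = append([]byte(nil), rec.Ciphertext...)
	flipped.Ciphertext[0] ^= 0x01
	_, err = Decrypt(master, flipped)
	out["tamper_fails"] = err != nil
	moved := rec // same row re-pointed at another account
	moved.UserID = "user-2002"
	_, err = Decrypt(master, moved)
	out["wrong_user_fails"] = err != nil
	return out
}
```

Demo() returns one flag per property; all of them should be true. The point to take from the wrong_master_fails case is the one the text makes: the row in the database is worthless without the master secret, which is why that secret must live somewhere other than the database and its backups.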

Security Checklist: What to Look For

Before trusting any trading bot with your API keys, verify the following:

  1. Non-custodial architecture. The platform should explicitly state that funds remain on your exchange.
  2. No withdrawal permission required. If a bot asks for withdrawal-enabled API keys, it is a red flag.
  3. AES-256 encryption for key storage, and a clear answer to where the encryption key lives. Ask how keys are stored. The cipher name matters less than the key management: the key that decrypts the secrets must not sit in the same database as the ciphertext. If they cannot answer clearly, move on.
  4. TLS/HTTPS everywhere. Check that the dashboard uses HTTPS with a valid certificate.
  5. IP whitelisting support. The platform should tell you which IP addresses to whitelist on your exchange.
  6. Two-factor authentication. The platform itself should support 2FA for login.
  7. Transparent trade history. You should be able to verify every trade on your exchange's own interface.
  8. API key revocation. You should be able to instantly revoke access by deleting the key on your exchange.

Why DeepAlpha Is Non-Custodial

We built DeepAlpha as a non-custodial platform from day one because there is no ethical alternative. Taking custody of user funds introduces risk that cannot be justified. Our platform never asks you to deposit anything and never asks for a withdrawal-enabled key.

Your money stays where it belongs: on the exchange you chose, under your control, with your withdrawal passwords and 2FA protecting it. We just place the trades.

Trade Securely with DeepAlpha

Non-custodial. AES-256 encrypted. No withdrawal permissions. Your funds never leave your exchange. Start a free 7-day trial.
