Linking a crypto exchange to any third-party app feels like handing over the keys to your money. It's the right instinct — but with one rule, an API key is one of the safer ways to track your balances. Here's exactly what's going on, and how to do it without losing sleep.
The short answer
A read-only API key cannot move, trade, or withdraw a single coin. It can only read your balances. The risk in API keys comes from two things: granting permissions you don't need, and trusting an app that stores them carelessly. Get both right and you're safe.
What an API key actually allows
Exchanges don't hand out one all-powerful key. Every key is scoped to a set of permissions you choose when you create it — usually some combination of:
- Read — see balances and positions. This is all a net-worth tracker needs.
- Trade — place and cancel orders.
- Withdraw — move funds off the exchange.
A tracker only ever needs Read. If you never enable Trade or Withdraw, the key is physically incapable of touching your money — even if the app (or its database) were compromised, the worst anyone could do is see your balances.
The one rule: read-only, always
When you create the key, enable only the read permission and nothing else. Here's where to find it on the major exchanges:
| Exchange | Enable only |
|---|---|
| Binance | "Enable Reading" |
| Coinbase | A read-only Advanced Trade key |
| Kraken | "Query Funds" |
| Bitstamp | "Account balance" |
| Bitvavo | "View" |
| Bitpanda | Read-only by default |
| Bybit | "Wallet" + "Earn" read access |
If an app ever asks you for trade or withdrawal permissions just to track your portfolio, walk away — there's no good reason for it.
Extra belt-and-suspenders
Read-only is the big one, but most exchanges let you go further:
- Withdrawal address whitelist — even on your own keys, lock withdrawals to addresses you pre-approve.
- IP allowlist — if the exchange supports it, restrict the key to the server that actually uses it.
- Rotate keys periodically, and delete any you no longer use.
Where the keys live matters as much as their scope
A read-only key can't move money — but it can reveal your balances, so how an app stores it still matters. Before you connect, check that the app:
- Encrypts keys at rest, with the encryption key kept outside the database (so a stolen database file is useless on its own).
- Never shows the key again after you save it, and never writes it to logs or API responses.
- Ideally, doesn't put your data in one big shared database with every other user — one breach there exposes everyone at once.
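The first two checks above describe a concrete storage design. The Go program below is an added illustration (not Krosos code or any exchange's SDK) of that pattern: the exchange secret is encrypted with AES-256-GCM under a master key that the service loads from outside the database (an environment variable or KMS; here it is a constructed constant), the database only ever holds the ciphertext, and anything that reaches a log goes through a masking function. The type and function names (`KeyVault`, `Seal`, `Open`, `Mask`) and the sample row id and secret are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// KeyVault wraps the master key. In a real service the key comes from an
// environment variable or a KMS, never from the database it protects, so a
// copied database file cannot be decrypted on its own.
type KeyVault struct {
	aead cipher.AEAD
}

// NewKeyVault builds a vault from a 32-byte master key (AES-256).
func NewKeyVault(masterKey []byte) (*KeyVault, error) {
	if len(masterKey) != 32 {
		return nil, errors.New("master key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &KeyVault{aead: aead}, nil
}

// Seal encrypts an exchange API secret for storage. The returned string
// (base64 of nonce||ciphertext||tag) is the only thing written to the
// database row. The row id is bound in as associated data so a ciphertext
// cannot be silently moved from one user's row to another's.
func (v *KeyVault) Seal(rowID, secret string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nil, nonce, []byte(secret), []byte(rowID))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Open decrypts a stored record. It fails if the master key, the nonce,
// the authentication tag or the bound row id does not match.
func (v *KeyVault) Open(rowID, record string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(record)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns+v.aead.Overhead() {
		return "", errors.New("record too short")
	}
	pt, err := v.aead.Open(nil, raw[:ns], raw[ns:], []byte(rowID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Mask is the only form of a key allowed into logs or API responses:
// everything but the last four characters is replaced.
func Mask(apiKey string) string {
	if len(apiKey) <= 4 {
		return strings.Repeat("*", len(apiKey))
	}
	return strings.Repeat("*", len(apiKey)-4) + apiKey[len(apiKey)-4:]
}

func main() {
	// Constructed values: in production the master key is read from the
	// environment or a KMS, and the secret is the user's read-only API secret.
	master := []byte("0123456789abcdef0123456789abcdef")
	vault, _ := NewKeyVault(master)
	record, _ := vault.Seal("conn-42", "example-read-only-secret-XYZ9")
	fmt.Println("stored in DB:", record)

	secret, _ := vault.Open("conn-42", record)
	fmt.Println("safe log line: connected exchange key", Mask(secret))

	// Someone holding only the database file, and not the master key,
	// cannot recover the secret from the stored record.
	other, _ := NewKeyVault([]byte("ffffffffffffffffffffffffffffffff"))
	if _, err := other.Open("conn-42", record); err != nil {
		fmt.Println("wrong master key:", err)
	}
}
```

The row id as associated data is the detail worth copying: it means a ciphertext is only valid in the row it was written for, so a database-level attacker cannot reassign one user's stored key to another account even without decrypting it.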
On-chain wallets are even safer
For self-custodied crypto, you don't need a key at all. A tracker can read an on-chain wallet from its public address — that's data anyone can already see on the blockchain. There's nothing secret to leak, and nothing that could ever authorise a transaction.
How Krosos handles it
Krosos requires read-only keys, full stop — it can see your balances but can never trade, withdraw, or move a cent. Keys are encrypted at rest with a key that lives outside the database, are never displayed again after you save them, and never appear in logs. And because every customer runs in their own isolated instance rather than a shared database, your credentials aren't sitting next to thousands of strangers'. On-chain wallets connect by public address only — no keys at all. You can read the full security story here.
Bottom line
A read-only API key plus an app that stores it properly is a safe way to keep your net worth up to date. Never grant trade or withdrawal access, prefer public-address tracking for on-chain holdings, and pay attention to how an app protects what you give it. Do that, and "connecting my exchange" stops being scary.