Why Your API Keys Are Not Safe on Cloud Platforms
Every cloud-based trading bot requires your exchange API keys. You paste them into a web form, and they are stored on a server you do not control. From that moment, you are trusting a third party with the credentials to your exchange account.
What an API key can do
An exchange API key with trade permission can:
- Place orders — buy or sell any asset on your account
- Cancel orders — remove your existing limit orders
- Read balances — see all your holdings
- Read trade history — access your full transaction record
Even without withdrawal permission, an attacker with your API key can drain your account by executing trades: buying illiquid tokens at inflated prices, effectively transferring your funds to accounts they control. This is exactly what happened in the 3Commas breach.
How cloud platforms store keys
Cloud trading services typically store API keys in a centralized database. Even with encryption, the decryption keys must exist on the same infrastructure to actually use the API keys for trading. This means:
- An attacker who gains access to the server can potentially decrypt all stored keys
- An insider with database access can read the keys
- A vulnerability in the web application can expose the key storage
- A misconfigured backup or log file can leak plaintext keys
Encryption at rest helps, but it is not a complete solution when the same system that encrypts the keys also needs to decrypt them for regular operation.
Real incidents
The risk is not theoretical. Here are documented cases:
- 3Commas (Dec 2022) — API keys leaked from their systems. Attackers executed unauthorized trades. Losses estimated at $14.8M. The platform denied the breach for months.
- Cryptohopper (2019) — Phishing campaigns targeted users with fake login pages. Because users expected to enter API keys on a web platform, a fake page asking for credentials did not look out of place.
- Coinmama (2019) — 450,000 user records exposed in a breach of the cloud platform.
The self-hosted alternative
With a self-hosted bot, your API keys are stored encrypted on your own machine. They are never transmitted to any third-party server. The bot connects directly to the exchange API from your IP address.
This eliminates the entire category of "cloud breach" attacks. There is no centralized database of keys to steal. An attacker would need to compromise your individual machine, which is orders of magnitude harder than breaching a web service.
How to protect your API keys
- Never enable withdrawals — create API keys with trade permission only
- IP-whitelist — restrict API keys to the IP of your trading machine
- Use a self-hosted bot — keys stay on your device, no third party involved
- Rotate keys periodically — even if keys are local, rotation limits exposure from any compromise
- Use a dedicated machine — running the bot on a VPS or dedicated device reduces the risk of incidental malware
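One way to check the first, second and fourth items of this list before a bot starts is sketched below as an added example, not code from any exchange or bot. The field names, the 90-day rotation interval and the allowlist size limit are assumptions, and the sample keys are constructed.

```python
import ipaddress
from datetime import date

# Constructed sample: key settings as a user might copy them from an exchange's
# API-management page. Field names are hypothetical, not any exchange's schema.
SAMPLE_KEYS = [
    {"label": "bot-main", "permissions": ["read", "trade"],
     "ip_allowlist": ["203.0.113.10/32"], "created": "2024-05-01"},
    {"label": "old-cloud-key", "permissions": ["read", "trade", "withdraw"],
     "ip_allowlist": [], "created": "2023-01-15"},
    {"label": "wide-open", "permissions": ["trade"],
     "ip_allowlist": ["0.0.0.0/0"], "created": "2024-04-20"},
]

MAX_AGE_DAYS = 90      # assumed rotation interval; the article only says "periodically"
MAX_ALLOWED_HOSTS = 8  # assumed ceiling on addresses covered by one allowlist entry


def audit_key(key, bot_ip, today):
    """Return a list of findings for one key; an empty list means it passes."""
    findings = []
    if "withdraw" in key["permissions"]:
        findings.append("withdrawal permission enabled")
    nets = [ipaddress.ip_network(n, strict=False) for n in key["ip_allowlist"]]
    if not nets:
        findings.append("no IP allowlist")
    else:
        # An entry such as 0.0.0.0/0 is an allowlist in name only.
        if any(n.num_addresses > MAX_ALLOWED_HOSTS for n in nets):
            findings.append("allowlist entry too broad")
        if not any(ipaddress.ip_address(bot_ip) in n for n in nets):
            findings.append("bot IP not in allowlist")
    age = (today - date.fromisoformat(key["created"])).days
    if age > MAX_AGE_DAYS:
        findings.append(f"key is {age} days old, rotate")
    return findings


def audit_all(keys, bot_ip, today):
    """Audit every key and map its label to the list of findings."""
    return {k["label"]: audit_key(k, bot_ip, today) for k in keys}


if __name__ == "__main__":
    report = audit_all(SAMPLE_KEYS, "203.0.113.10", date(2024, 6, 1))
    for label, issues in report.items():
        print(label, "OK" if not issues else "; ".join(issues))
```

Run against the settings you actually configured on the exchange; a key that returns any finding should be fixed or replaced before the bot is given it.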
The bottom line
Your API keys are the credentials to your exchange account. Sending them to a cloud platform adds a layer of risk that provides no security benefit. A self-hosted bot keeps your keys where they belong: on a machine you control.