Why self-hosted is safer

Your keys. Your machine. No cloud servers to hack.

Cloud-based trading bots store your API keys on their servers. If their infrastructure is breached, every user is affected at once. TradingBot takes a fundamentally different approach: it runs on your computer, and your API keys never leave your device.

Cloud bot incidents

These are real events that affected real users of cloud-hosted crypto bots:

  • 3Commas (Dec 2022) — API keys leaked. Attackers used stolen keys to execute unauthorized trades on user accounts across multiple exchanges. Total losses estimated at $14.8M.
  • 3Commas (Oct 2022) — Users reported unauthorized trades months before the official acknowledgment. The platform initially denied any breach.
  • Cryptohopper phishing (2019) — Fake Cryptohopper website distributed malware that stole exchange API keys and crypto wallet data from thousands of users.
  • Coinmama (2019) — 450,000 user records exposed in a data breach affecting the cloud trading platform.

With a self-hosted bot, none of these attacks would have had any effect. There is no central server storing API keys that can be breached.

Cloud vs self-hosted

| | Cloud bots | TradingBot (self-hosted) |
|---|---|---|
| API key storage | On their servers | On your device only |
| Breach impact | All users affected | Only your machine |
| Withdrawal risk | Some require withdrawal permission | Withdrawals always disabled |
| Third-party access | Company employees, contractors | Nobody except you |
| Network attack surface | Public API + web dashboard | No exposed ports — optional dashboard runs on localhost only |
| Data in transit | Keys sent to their cloud | Keys go directly to exchange |
| Transparency | Closed source, trust required | Single binary, verifiable behavior |
| Uptime dependency | Their servers must be online | Runs on your machine |

How TradingBot protects you

  1. Local execution — the bot runs on your computer. API keys are stored in an encrypted file on your disk and are never sent to any third-party server.
  2. Withdrawals disabled — TradingBot requires trade-only API keys. Even if someone accessed your key, they cannot withdraw funds from your exchange account.
  3. Localhost-only dashboard — the optional web dashboard (Pro) binds to localhost with token-based auth. No public ports, no external access. Primary control is via your private Telegram chat.
  4. Encrypted storage — API keys are encrypted with a passphrase you set. Without the passphrase, the key file is unreadable.
  5. Direct exchange connection — the bot communicates directly with Binance/OKX APIs over HTTPS. No middleman proxy or relay server.
  6. Built-in risk controls — max order size, max position size, daily loss limit. If a limit is breached, the bot auto-switches to close-only mode.
  7. Telegram whitelisting — only your Telegram chat ID can control the bot. Unauthorized messages are rejected.
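
The localhost-only, token-protected dashboard from item 3 can be sketched as follows. This is an added example, not TradingBot's code; the port, the Bearer header format and the Host/Origin checks are assumptions about how such a gate could be built.

```javascript
// Added example: request gate for a localhost-only dashboard. Port, header
// format and token handling are assumptions, not TradingBot's implementation.
const http = require("node:http");
const crypto = require("node:crypto");

const PORT = 8787; // hypothetical port
const ALLOWED_HOSTS = new Set([`127.0.0.1:${PORT}`, `localhost:${PORT}`]);

// Constant-time comparison; hashing first gives timingSafeEqual equal-length inputs.
function tokenMatches(presented, expected) {
  const h = (s) => crypto.createHash("sha256").update(String(s)).digest();
  return crypto.timingSafeEqual(h(presented), h(expected));
}

// Returns the HTTP status the dashboard should answer with.
function gate(headers, expectedToken) {
  // A loopback bind alone does not stop a web page in the local browser from
  // reaching the port via DNS rebinding; such requests carry a foreign Host.
  if (!ALLOWED_HOSTS.has(headers.host)) return 421;
  // Requests issued by other sites carry their own Origin.
  if (headers.origin && !ALLOWED_HOSTS.has(headers.origin.replace(/^http:\/\//, ""))) return 403;
  const m = /^Bearer (.+)$/.exec(headers.authorization || "");
  if (!m || !tokenMatches(m[1], expectedToken)) return 401;
  return 200;
}

function startDashboard(expectedToken) {
  const server = http.createServer((req, res) => {
    const status = gate(req.headers, expectedToken);
    res.writeHead(status, { "Content-Type": "text/plain" });
    res.end(status === 200 ? "ok\n" : "denied\n");
  });
  // Name the loopback address explicitly; omitting the host listens on all interfaces.
  return server.listen(PORT, "127.0.0.1");
}
```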

Security by design

Zero trust architecture

No cloud servers, no third-party access. Your API keys exist only on your machine. The attack surface is limited to your own device.

Trade-only permissions

TradingBot requires API keys with trading permission only. Withdrawal is always disabled. Even in a worst-case scenario, funds cannot leave your exchange account.

Private Telegram control

No public endpoints. You control the bot through an encrypted Telegram chat bound to your personal chat ID. Optional web dashboard runs on localhost only.

Automatic risk limits

Built-in circuit breaker: max order size, max position per symbol, daily loss cap. The bot stops itself when limits are breached.
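
A circuit breaker of the kind described above, as an added example that is not TradingBot's code. The limit names, the quote-currency units, and the choice to keep close-only mode latched across days until an operator clears it are assumptions.

```javascript
// Added example: pre-trade risk gate with a close-only circuit breaker.
// Limits, field names and units (quote-currency notional) are assumptions.
class RiskGuard {
  constructor(limits) {
    this.limits = limits;        // { maxOrder, maxPosition, dailyLoss }
    this.positions = new Map();  // symbol -> signed notional (long > 0, short < 0)
    this.day = null;
    this.dayPnl = 0;
    this.closeOnly = false;      // stays set until an operator clears it
    this.tripReason = null;
  }

  rollDay(ts) {
    const day = new Date(ts).toISOString().slice(0, 10); // UTC calendar day
    if (day !== this.day) { this.day = day; this.dayPnl = 0; }
  }

  trip(reason) {
    this.closeOnly = true;
    this.tripReason = this.tripReason || reason;
    return { ok: false, reason };
  }

  // order: { symbol, side: "buy" | "sell", notional, ts }
  check(order) {
    this.rollDay(order.ts);
    if (!(order.notional > 0) || !Number.isFinite(order.notional)) return { ok: false, reason: "bad_notional" };
    const cur = this.positions.get(order.symbol) || 0;
    const next = cur + (order.side === "buy" ? order.notional : -order.notional);
    // "Reducing" = moves the position toward zero without flipping its sign.
    const reduces = Math.abs(next) < Math.abs(cur) && Math.sign(next) * Math.sign(cur) >= 0;
    if (this.closeOnly) return { ok: reduces, reason: reduces ? "close_only_reduce" : "close_only" };
    if (order.notional > this.limits.maxOrder) return this.trip("max_order");
    if (!reduces && Math.abs(next) > this.limits.maxPosition) return this.trip("max_position");
    return { ok: true, reason: "ok" };
  }

  // fill: an executed order plus realizedPnl (0 when it only opens exposure)
  onFill(fill) {
    this.rollDay(fill.ts);
    const signed = fill.side === "buy" ? fill.notional : -fill.notional;
    this.positions.set(fill.symbol, (this.positions.get(fill.symbol) || 0) + signed);
    this.dayPnl += fill.realizedPnl || 0;
    if (this.dayPnl <= -this.limits.dailyLoss) this.trip("daily_loss");
  }
}
```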

Common questions

Can the bot withdraw my funds?

No. TradingBot requires API keys without withdrawal permission. The exchange enforces this at the API level — no software can bypass it.

What if my computer is compromised?

API keys are encrypted with your passphrase. Without it, the file is unreadable. Additionally, since withdrawal is disabled on the API key, an attacker cannot move funds off your exchange account. For extra safety, use a dedicated machine or VPS that only runs the bot.
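
What "encrypted with your passphrase" can look like on disk, covering both this answer and the encrypted-storage items in the list above. This is an added example, not TradingBot's code: the page does not name its algorithms, so scrypt, AES-256-GCM and the envelope field names are assumptions.

```javascript
// Added example: passphrase-encrypted API key file. scrypt + AES-256-GCM and
// the envelope layout are assumptions; the page does not document the format.
const crypto = require("node:crypto");

// N=2^15, r=8 needs about 32 MiB, so raise Node's default maxmem accordingly.
const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const AAD = Buffer.from("keyfile-v1"); // binds the ciphertext to this file format

function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32, SCRYPT);
}

// Returns a JSON-serialisable envelope that is safe to write to disk.
function sealKeys(passphrase, secrets) {
  const salt = crypto.randomBytes(16); // fresh per file, so equal passphrases give different keys
  const iv = crypto.randomBytes(12);   // never reused with the same derived key
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  cipher.setAAD(AAD);
  const ct = Buffer.concat([cipher.update(JSON.stringify(secrets), "utf8"), cipher.final()]);
  return {
    v: 1, kdf: "scrypt",
    salt: salt.toString("base64"), iv: iv.toString("base64"),
    ct: ct.toString("base64"), tag: cipher.getAuthTag().toString("base64"),
  };
}

// Returns the secrets, or null when the passphrase is wrong or the file was altered.
function openKeys(passphrase, env) {
  try {
    const key = deriveKey(passphrase, Buffer.from(env.salt, "base64"));
    const d = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(env.iv, "base64"));
    d.setAAD(AAD);
    d.setAuthTag(Buffer.from(env.tag, "base64"));
    const pt = Buffer.concat([d.update(Buffer.from(env.ct, "base64")), d.final()]);
    return JSON.parse(pt.toString("utf8"));
  } catch {
    return null; // GCM tag check failed: treat as unreadable, never as partial data
  }
}
```

The file protects keys at rest only; once the bot has decrypted them, they sit in process memory on the same machine.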

Does TradingBot phone home?

The bot contacts only two endpoints: your exchange API (Binance/OKX) for trading, and an optional license verification endpoint. No telemetry, no analytics, no data collection.

Is the bot open source?

The bot is distributed as a compiled binary. The behavior is fully verifiable through Telegram logs, order journals, and trade history that the bot writes locally.

How does this compare to running a bot on a VPS?

Running on a VPS you control is equivalent in security to running on your own computer — the key factor is that you own the server, not a third-party bot provider. TradingBot works on any machine: your laptop, a home server, or a VPS.

Can I run TradingBot on my phone?

TradingBot is a compiled binary for desktop and server platforms (Windows, macOS, Linux). It cannot run directly on iOS or Android.

However, you don't need it on your phone — and that's actually an advantage:

  • Full control from Telegram. Every feature — DCA settings, buy/sell, TP/SL, alerts, reports — is accessible from the Telegram app on your phone. You manage the bot the same way whether it runs on your laptop or a remote server.
  • 24/7 uptime without draining your battery. An affordable VPS for $3–5/month runs the bot around the clock with stable internet and zero battery impact on your phone.
  • No app store middlemen. Cloud bot competitors force you through their app or web dashboard — which means your API keys live on their servers. With TradingBot, the binary runs on hardware you control, and Telegram is just the remote control.
  • Instant notifications. Telegram pushes order fills, alerts, and errors to your phone in real time — exactly like a native app, but without the security trade-offs.
  • No background kills. Mobile operating systems aggressively kill background processes to save battery. A trading bot that gets killed mid-strategy is dangerous. Running on a dedicated machine or VPS eliminates this risk entirely.

Bottom line: your phone is the remote control, not the engine. The bot runs where it's safe and stable — your PC, home server, or VPS — and you manage everything from Telegram on any device.

Not financial advice. No profit guarantees. Trading is risky.