API keys provide full access to your account without the need for logging in or two-factor authentication. As such, it is important that you only enable the API on your account when you intend to use it and that you disable the API if you stop using it. You should use a unique API key for each bot, 3rd-party service, or application. Always delete API keys that you are no longer using.
When you create an API key, it is best to minimize its permissions as much as possible. If you will not be using the API key for trading, uncheck the Enable Trading checkbox. Only check the Enable Withdrawals checkbox if you will be using this API key for withdrawals.
Setting up IP access restriction helps protect your account should your API key and secret fall into the hands of an attacker. These restrictions limit the IP addresses (network locations) from which Poloniex will accept requests for an API key. When enabled, Poloniex will ignore API requests it receives using an API key from an IP address that is not in the key’s trusted IPs list. Note that IP access restriction is difficult to use if you do not have a fixed IP address (i.e., your address varies over time). To configure trusted IPs:
- Bots: use the IP address of your bot. If you are unsure of it, contact your ISP or hosting provider to find out if you have a fixed IP address and what that address is.
- 3rd-party services: ask the 3rd-party service if they have a fixed range of IP addresses that they use.
- Applications: contact the application author to find out if they have a fixed range of IP addresses. Applications that claim that they run “locally” typically use the IP address of your computer/phone. You’ll need to check with your ISP or mobile provider to find out if you have a fixed IP address and what that address is.
When including multiple IP addresses in the IP access restriction, please be sure that the IPs are comma-separated.
Example: XXX.XX.XXX, XX.XXX.XX.XXX
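A local pre-check for the comma-separated trusted IPs field described above, as an added example that is not Poloniex code. It catches entries that would leave a bot locked out or the list weaker than intended. The function names are hypothetical and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Address ranges that never appear as the source of a request over the internet
# (private, loopback, link-local, carrier-grade NAT).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]

def parse_trusted_ips(field):
    """Split a comma-separated trusted-IP field into (valid addresses, problems)."""
    valid, problems = [], []
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            problems.append((entry, "empty entry (stray comma)"))
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            problems.append((entry, "not a complete IP address"))
            continue
        if any(addr in net for net in NON_ROUTABLE):
            problems.append((entry, "local address; use your public IP instead"))
        elif addr in valid:
            problems.append((entry, "duplicate"))
        else:
            valid.append(addr)
    return valid, problems

def is_trusted(source_ip, valid):
    """True if requests from source_ip would match an entry in the list."""
    return ipaddress.ip_address(source_ip) in valid

if __name__ == "__main__":
    # Constructed sample: two good entries, a LAN address, a truncated
    # address, a stray comma and a duplicate.
    field = "203.0.113.10, 198.51.100.7,192.168.1.20, 203.0.113, ,203.0.113.10"
    valid, problems = parse_trusted_ips(field)
    print("usable entries:", ", ".join(str(a) for a in valid))
    for entry, reason in problems:
        print(f"fix {entry!r}: {reason}")
    # Assumed public IP of the bot host, as reported by the ISP or hosting provider.
    print("bot address trusted:", is_trusted("198.51.100.7", valid))
```
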
Additional API Protection for Customers
Our Trust & Security Team is committed to providing the most secure experience possible for our customers. Today, we’re announcing the latest measure we’re taking to better protect our API traders.
At least once every quarter beginning in September 2020, we’ll perform a review of inactive API keys. We will then notify any customers who have such API keys, and customers will have a period of time following our notification to take action before we disable the API keys on their behalf.