API keys provide full access to your account without the need for logging in or two-factor authentication. As such, it is important that you enable the API on your account only when you intend to use it, and that you disable it if you stop using it. You should use a unique API key for each bot, 3rd-party service, or application. Always delete API keys that you are no longer using.
When you create an API key, it is best to minimize its permissions as much as possible. If you will not be using the API key for trading, uncheck the Enable Trading checkbox. Only check the Enable Withdrawals checkbox if you will be using this API key for withdrawals.
Setting up IP access restriction helps protect your account should your API key and secret fall into the hands of an attacker. These restrictions limit the IP addresses (that is, the network locations) from which Poloniex will accept requests for an API key. When enabled, Poloniex will ignore API requests it receives using an API key from an IP address that is not in the key’s trusted IPs list. Note that IP access restriction is difficult to use if you do not have a fixed IP (i.e., your address varies over time). To configure trusted IPs:
- Bots: use the IP address of your bot. If you are unsure of it, contact your ISP or hosting provider to find out if you have a fixed IP address and what that address is.
- 3rd-party services: ask the 3rd-party service whether they have a fixed range of IP addresses that they use.
- Applications: contact the application author to find out whether they have a fixed range of IP addresses. Applications that claim that they run “locally” typically use the IP address of your computer/phone. You’ll need to check with your ISP or mobile provider to find out if you have a fixed IP address and what that address is.
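
Before saving a trusted IPs list, it helps to check it against the addresses your bot has actually been seen using. The following is an added example, not Poloniex code: it assumes entries are single addresses or CIDR ranges (the page does not state the accepted format), and the function names, the `max_hosts` threshold and the sample addresses are constructed for illustration.

```python
import ipaddress

# Address space that can never be the public source address of an API request.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918 private
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]  # CGNAT, loopback, link-local

def parse(entry):
    """Return the entry as a network (a single IP becomes a /32), or None if invalid."""
    try:
        return ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return None

def audit_trusted(entries, max_hosts=256):
    """Map each problematic trusted-IP entry to the reason it should be fixed."""
    problems = {}
    for entry in entries:
        net = parse(entry)
        if net is None:
            problems[entry] = "not a valid IP address or range"
        elif net.num_addresses > max_hosts:  # hypothetical threshold
            problems[entry] = "range too broad to limit a stolen key"
        elif any(net.overlaps(n) for n in NON_ROUTABLE if n.version == net.version):
            problems[entry] = "not publicly routable, requests never arrive from it"
    return problems

def egress_is_fixed(observed):
    """True when every sampled egress address is the same one (a fixed IP)."""
    return len({ipaddress.ip_address(ip) for ip in observed}) == 1

def uncovered(observed, entries):
    """Observed egress addresses that no trusted entry covers (requests ignored)."""
    nets = [n for n in map(parse, entries) if n is not None]
    return sorted({ip for ip in observed
                   if not any(ipaddress.ip_address(ip) in n for n in nets)})

# Constructed samples using documentation address ranges, not real hosts.
OBSERVED = ["203.0.113.10", "203.0.113.10", "198.51.100.7"]  # egress IP on three days
TRUSTED = ["203.0.113.10", "10.0.0.5", "0.0.0.0/0", "bot.local"]

if __name__ == "__main__":
    print(audit_trusted(TRUSTED))
    print(egress_is_fixed(OBSERVED), uncovered(OBSERVED, ["203.0.113.10"]))
```

An address that shows up in `uncovered` means the bot would have had its requests ignored on that day, which is the symptom of not having a fixed IP.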