This article is for everyone that uses API keys to perform actions on their Bitvavo account. You can create API keys once you have setup 2FA on your account. This article will provide you with recommendations on how to securely use Bitvavo's API.
API key creation
API keys give access to your account, in order to view information, trade assets or withdraw assets on your behalf. During the creation of your API key, you have to decide which permissions to give your API key and if whitelisting IP's is feasible.
If you do not provide IP addresses, your API key can be used from anywhere. This might be useful if you don't know your IP address in advance, or your IP changes a lot. The fact that your key can be used from anywhere is bad from a security perspective. If an attacker gains access to your API credentials, he's in. If you had whitelisted your IP address, the attacker has to go to the additional trouble of making sure the requests originates from your IP address, which is more difficult.
Permissions: View information
This permission is the least powerful. Keys with only this permission enabled have no funds at risk.
Permissions: Trade digital currencies
Only enable this if you intent to trade digital currencies with the key. A potential attack vector is repeatedly buying/selling your assets on illiquid markets to transfer funds from your account to an attackers account.
Permissions: Withdraw currencies
Only enable this if you intent to withdraw digital currencies with the key. Be aware that API withdrawals bypass 2FA. If you need this functionality, make sure to whitelist allowed addresses. By setting up whitelisted addresses, you can only withdraw to addresses you have approved.
Once you have created your credentials, store your key and secret in a safe place. Do not share these with anyone!
Once you have created the credentials, make sure to store your secret in a secure way. This means that you do not transmit it unencrypted or hardcode them in your code. A possible solution is to use environment variables, or specific secret managers, depending on which environment you operate in.
Best practices for secure handling of API keys boil down into three principles:
- Whitelist all actions. Only allow access from whitelisted IPs and only allow withdrawals to preapproved withdrawal addresses.
- Least privilege. Only grant permissions to keys that you actually need.
- Proper secret management. Don't hardcode secrets in your code, don't e-mail/IM them and don't store them unencrypted.