API keys: least privilege and IP whitelisting

When issuing API keys, limit scopes to exactly what the integration needs: read-only for reporting and portfolio tracking, trade-only for bots, and no withdrawal permission unless the workflow genuinely requires it. Use IP whitelisting to bind each key to the addresses of the infrastructure that will actually use it; a key with no IP restriction is usable from anywhere by anyone who obtains it. Rotate keys on a fixed schedule rather than waiting for an incident. Treat keys as credentials: never commit them to source control, embed them in client-side or public code, or hand them to environments you do not control.

Session management & monitoring

Periodically list active sessions and review the device, IP address, and location metadata for each one. Revoke any session you do not recognize immediately, then rotate your password and API keys, because an unknown session means the credentials may already be in someone else's hands. Set up notifications for new session creation and for suspicious login patterns (a new device, a new country, or two logins close together from distant locations), and keep a written runbook so the response is the same at 3 a.m. as it is during working hours.
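The review described above, as an added example that is not part of the original page and not KuCoin code: it takes a list of active sessions with device, IP, country and creation time (the field names and the sample sessions are constructed for illustration), flags sessions to revoke, lists sessions that are new since the last review (the ones to notify on), and detects two logins from different countries within a short window.

```python
"""Added example: review exchange account sessions and flag the ones to revoke.
The session record format, the baseline of known devices/networks and the
sample sessions below are all constructed assumptions, not a real API."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed baseline: devices and networks the account owner recognises.
KNOWN_DEVICES = {"alice-laptop", "alice-phone"}
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
HOME_COUNTRIES = {"DE"}
SESSION_MAX_AGE = timedelta(days=30)   # anything older is stale and should be re-authenticated

# Fixed "now" so the example is deterministic.
NOW = datetime(2024, 3, 2, 12, 0, tzinfo=timezone.utc)

# Constructed sample of active sessions as an account page might list them.
SESSIONS = [
    {"id": "s1", "device": "alice-laptop", "ip": "203.0.113.25", "country": "DE",
     "created": "2024-03-01T09:00:00+00:00"},
    {"id": "s2", "device": "alice-phone", "ip": "198.51.100.7", "country": "DE",
     "created": "2024-02-28T18:30:00+00:00"},
    {"id": "s3", "device": "unknown-android", "ip": "192.0.2.99", "country": "BR",
     "created": "2024-03-01T10:00:00+00:00"},
    {"id": "s4", "device": "alice-laptop", "ip": "203.0.113.25", "country": "DE",
     "created": "2023-12-01T09:00:00+00:00"},
]


def in_known_network(ip):
    """True if the address falls inside any allow-listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def review_sessions(sessions, now):
    """Return {session_id: [reasons]} for every session that should be revoked."""
    flagged = {}
    for s in sessions:
        reasons = []
        if s["device"] not in KNOWN_DEVICES:
            reasons.append("unrecognised device")
        if not in_known_network(s["ip"]):
            reasons.append("ip outside known networks")
        if s["country"] not in HOME_COUNTRIES:
            reasons.append("unexpected country")
        if now - datetime.fromisoformat(s["created"]) > SESSION_MAX_AGE:
            reasons.append("stale session")
        if reasons:
            flagged[s["id"]] = reasons
    return flagged


def new_sessions_since(sessions, last_seen_ids):
    """Sessions that were not present at the previous review: notification candidates."""
    return [s["id"] for s in sessions if s["id"] not in last_seen_ids]


def travel_alerts(sessions, max_hours=2):
    """Pairs of consecutive sessions from different countries created within max_hours."""
    ordered = sorted(sessions, key=lambda s: s["created"])
    alerts = []
    for a, b in zip(ordered, ordered[1:]):
        ta = datetime.fromisoformat(a["created"])
        tb = datetime.fromisoformat(b["created"])
        if a["country"] != b["country"] and tb - ta <= timedelta(hours=max_hours):
            alerts.append((a["id"], b["id"]))
    return alerts


if __name__ == "__main__":
    for sid, why in review_sessions(SESSIONS, NOW).items():
        print(f"revoke {sid}: {', '.join(why)}")
    print("new since last review:", new_sessions_since(SESSIONS, {"s1", "s2", "s4"}))
    print("impossible-travel pairs:", travel_alerts(SESSIONS))
```

On the sample data this flags s3 (unknown device, unknown network, unexpected country) and s4 (stale), reports s3 as new since the last review, and pairs s1 with s3 as a German login followed one hour later by a Brazilian one. Revocation itself is whatever "kick session" call the platform provides; the point of the script is to make the review repeatable rather than a once-a-quarter eyeball.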

Automation safety

Audit trails and backups

Log every API key creation, rotation, and revocation and every session revocation, with who performed it and when, and keep those records somewhere the account holder cannot silently edit. For teams, store keys in an approved secret manager rather than in chat, tickets, or spreadsheets, back up its contents and the account recovery codes to a separate protected location, and require multi-person approval for high-impact actions such as creating a withdrawal-enabled key.
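An added example, not from KuCoin or the original page, covering the issuance policy from the first section and the audit and approval requirements from this one: a local gate that checks a key request for least-privilege scopes, a valid and narrow IP allowlist, a rotation deadline, and two approvers other than the requester when the withdrawal scope is requested, then records the decision in a hash-chained log so that later tampering is detectable. The scope names, the request fields, the 90-day rotation window and the two-approver threshold are assumptions for illustration.

```python
"""Added example: policy gate for issuing exchange API keys, plus a
tamper-evident audit log.  Scope vocabulary, request fields and
thresholds are assumptions, not any exchange's real API."""
import hashlib
import ipaddress
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

KNOWN_SCOPES = {"read", "trade", "withdraw"}   # assumed scope vocabulary
HIGH_IMPACT_SCOPES = {"withdraw"}
REQUIRED_APPROVERS = 2                         # approvers other than the requester
MAX_KEY_AGE = timedelta(days=90)               # keys must expire (and so rotate) within this
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


@dataclass
class KeyRequest:
    label: str
    scopes: set
    ip_allowlist: list                  # addresses or CIDRs as strings
    requester: str
    approvers: set = field(default_factory=set)
    expires_at: Optional[datetime] = None


def validate_allowlist(entries):
    """Policy violations for an IP allowlist: empty, malformed, or too broad."""
    problems = []
    if not entries:
        problems.append("ip_allowlist is empty; key would be usable from anywhere")
        return problems
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            problems.append(f"invalid address or CIDR: {raw!r}")
            continue
        if net.num_addresses > 256:     # wider than a /24 is not "known infrastructure"
            problems.append(f"allowlist entry too broad: {raw}")
    return problems


def evaluate(req, now):
    """Check a request against policy; returns (allowed, list_of_reasons)."""
    reasons = []
    if not req.scopes:
        reasons.append("no scopes requested")
    unknown = req.scopes - KNOWN_SCOPES
    if unknown:
        reasons.append(f"unknown scopes: {sorted(unknown)}")
    reasons += validate_allowlist(req.ip_allowlist)
    if req.expires_at is None:
        reasons.append("no expiry set; rotation would never be forced")
    elif req.expires_at - now > MAX_KEY_AGE:
        reasons.append(f"expiry exceeds {MAX_KEY_AGE.days}-day rotation window")
    if req.scopes & HIGH_IMPACT_SCOPES:
        others = req.approvers - {req.requester}   # nobody approves their own key
        if len(others) < REQUIRED_APPROVERS:
            reasons.append(f"withdrawal-enabled key needs {REQUIRED_APPROVERS} "
                           f"approvers other than the requester, got {len(others)}")
    return (not reasons, reasons)


class AuditLog:
    """Append-only log where each entry hashes the previous one, so editing or
    deleting an earlier entry breaks verification of everything after it."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, event):
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"prev": prev, "event": event, "hash": self._digest(prev, event)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def issue_key(req, log, now):
    """Apply policy and record the decision (allowed or denied) in the audit log."""
    allowed, reasons = evaluate(req, now)
    log.append({"action": "key_create", "label": req.label, "scopes": sorted(req.scopes),
                "allowed": allowed, "reasons": reasons, "requester": req.requester,
                "approvers": sorted(req.approvers), "at": now.isoformat()})
    return allowed


# Constructed sample requests.
GOOD_REQUEST = KeyRequest("market-data-bot", {"read"}, ["203.0.113.10"], "alice",
                          expires_at=NOW + timedelta(days=60))
BAD_REQUEST = KeyRequest("treasury", {"trade", "withdraw"}, ["0.0.0.0/0"], "alice",
                         approvers={"alice"}, expires_at=None)


def demo():
    """Run both requests through the gate; returns (good_ok, bad_ok, bad_reasons,
    log_valid_before_tamper, log_valid_after_tamper)."""
    log = AuditLog()
    good_ok = issue_key(GOOD_REQUEST, log, NOW)
    bad_ok = issue_key(BAD_REQUEST, log, NOW)
    bad_reasons = evaluate(BAD_REQUEST, NOW)[1]
    before = log.verify()
    log.entries[1]["event"]["allowed"] = True   # simulate someone rewriting history
    return good_ok, bad_ok, bad_reasons, before, log.verify()


if __name__ == "__main__":
    print(demo())
```

The bad request is refused for three independent reasons (a 0.0.0.0/0 allowlist, no expiry, and only the requester approving a withdrawal-enabled key), and the refusal is itself logged, since denied attempts are often the more interesting audit signal. The hash chain is a stand-in for whatever write-once store a team actually uses; the property that matters is that the person who holds the account cannot quietly rewrite the record of what they issued.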

Reminder: This is guidance for operators and is not an official KuCoin document. It’s educational and contains no credential-collecting forms.
