Premium · Protect Your Assets
Harden the bot. Keep the keys.
An automated trading desk is only as safe as its weakest credential. This is the security playbook the firm runs on — keys, accounts, wallets, the machine, and the humans bots can't defend against.
🔑 API Keys & Secrets
- Never in source or chat — use a secrets manager / 1Password CLI
- Disable withdrawals on every trading key
- IP-whitelist the key to your machine's public IP
- Separate read-only keys from trade keys
- Rotate on any suspicion
- chmod 600 local credential files
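How the first card's rules look in a startup preflight: keys come from the 1Password CLI or from a file the bot refuses to read unless it is chmod 600, and the read-only and trade keys for a venue are loaded from separate references and checked to be distinct. This is an added example, not code from the page or the firm's own tooling; it assumes `op` is installed and signed in, and the `op://trading/<venue>/...` reference layout and the `~/.trading/` file paths are hypothetical.

```python
"""Credential preflight for a trading bot (added example, not the firm's code)."""
import os
import stat
import subprocess
from dataclasses import dataclass
from typing import Callable


def mode_is_private(st_mode: int) -> bool:
    """True when no group/other permission bits are set (chmod 600 or stricter)."""
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def read_private_file(path: str) -> str:
    """Read a local credential file, refusing anything looser than chmod 600.

    A key other local users can read is already a leaked key, so fail loudly
    instead of starting the bot with it.
    """
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if not mode_is_private(st.st_mode):
        raise PermissionError(
            f"{path}: mode {oct(stat.S_IMODE(st.st_mode))} is group/world readable; chmod 600 it"
        )
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def read_from_1password(reference: str) -> str:
    """Resolve an op://vault/item/field reference with `op read`.

    The secret arrives on stdout only; nothing is written to source, shell
    history or a chat window. Assumes the 1Password CLI is installed and signed in.
    """
    result = subprocess.run(
        ["op", "read", reference], check=True, capture_output=True, text=True
    )
    return result.stdout.strip()


@dataclass(frozen=True)
class VenueKeys:
    read_only: str  # balances and market data only
    trade: str      # order placement; withdrawals disabled and IP-whitelisted at the venue


def keys_are_sane(read_only: str, trade: str) -> bool:
    """Both keys present and not the same credential reused for both roles."""
    return bool(read_only) and bool(trade) and read_only != trade


def load_venue_keys(
    read_ref: str,
    trade_ref: str,
    loader: Callable[[str], str] = read_from_1password,
) -> VenueKeys:
    """Fetch a venue's two keys from separate references.

    `loader` defaults to the 1Password CLI; pass `read_private_file` with file
    paths to pull from chmod-600 files instead. The references are assumptions.
    """
    read_only, trade = loader(read_ref), loader(trade_ref)
    if not keys_are_sane(read_only, trade):
        raise ValueError("read-only and trade keys must both be set and differ")
    return VenueKeys(read_only=read_only, trade=trade)


if __name__ == "__main__":
    # Hypothetical references; the values themselves are never printed.
    keys = load_venue_keys(
        "op://trading/binance/readonly-key", "op://trading/binance/trade-key"
    )
    print(f"loaded venue keys (trade key length {len(keys.trade)})")
```

Swapping `loader=read_private_file` in and passing `~/.trading/binance.read` / `~/.trading/binance.trade` (expanded with `os.path.expanduser`) gives the file-based variant; either way a 0644 file or a single key reused for both roles stops the bot before it ever connects.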
🏦 Broker & Exchange Accounts
- Hardware 2FA (YubiKey) — not SMS
- Withdrawal address allow-lists where supported
- Unique 20+ char password per venue
- Alerts on every login and transfer
- Paper-first: the firm's executors hard-block mode != "paper"
🪙 Crypto Wallets
- Cold storage for anything you're not actively trading
- Seed phrase offline, never photographed or typed into a site
- Verify every contract before approving — revoke stale allowances
- A dedicated "hot" wallet with only working capital
🖥️ Your Bot & Its Machine
- Least-privilege: the bot account can't touch withdrawals
- Outbound firewall (LuLu / Little Snitch) — know what phones home
- Full-disk encryption + auto-lock
- Logs without secrets; alerts on crash and on unexpected orders
- A kill switch you can hit from your phone
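The runtime side of this card, plus the paper-first rule from the broker card, as one guard layer an executor runs before every order: a logging filter that scrubs known secrets and anything key-shaped out of every record, a hard block on any mode other than paper unless the operator explicitly opts in, a notional cap that flags unexpected orders, and a kill switch that is just a file you can touch from your phone over SSH. This is an added example and not the firm's executor code; the `ALLOW_LIVE` override, the `/tmp/trading.KILL` path, the cap and the key regex are assumptions.

```python
"""Runtime guards for a bot executor (added example, not the firm's code)."""
from __future__ import annotations

import logging
import os
import re
from dataclasses import dataclass, field
from typing import Mapping

REDACTED = "[REDACTED]"
# Assumed shape of venue API keys/secrets: 32+ chars of base64/hex-ish text.
_KEY_PATTERN = re.compile(r"\b[A-Za-z0-9_\-]{32,}\b")


def redact(text: str, secrets: list[str]) -> str:
    """Scrub known secret values first (longest first), then anything key-shaped."""
    for s in sorted(secrets, key=len, reverse=True):
        if s:
            text = text.replace(s, REDACTED)
    return _KEY_PATTERN.sub(REDACTED, text)


class RedactingFilter(logging.Filter):
    """Rewrites the formatted message so no handler ever sees a secret."""

    def __init__(self, secrets: list[str]) -> None:
        super().__init__()
        self.secrets = list(secrets)

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage(), self.secrets)
        record.args = ()
        return True


def scrubbed_message(msg: str, args: tuple, secrets: list[str]) -> str:
    """Push one message through RedactingFilter and return what a handler would emit."""
    record = logging.LogRecord("executor", logging.INFO, __file__, 0, msg, args, None)
    RedactingFilter(secrets).filter(record)
    return record.getMessage()


def live_allowed(mode: str, env: Mapping[str, str]) -> bool:
    """Paper mode always runs; anything else only with the assumed ALLOW_LIVE=1 opt-in."""
    return mode == "paper" or env.get("ALLOW_LIVE") == "1"


@dataclass
class ExecutorGuard:
    mode: str = "paper"
    max_notional: float = 10_000.0          # assumed per-order cap in quote currency
    kill_switch: str = "/tmp/trading.KILL"  # assumed; `ssh host touch /tmp/trading.KILL` from a phone
    log: logging.Logger = field(default_factory=lambda: logging.getLogger("executor"))

    def __post_init__(self) -> None:
        if not live_allowed(self.mode, os.environ):
            raise RuntimeError(f"mode={self.mode!r} is hard-blocked; set ALLOW_LIVE=1 to trade live")

    def check_order(self, symbol: str, qty: float, price: float) -> tuple[bool, str]:
        """Return (accepted, reason); reject rather than raise so the loop keeps running."""
        if os.path.exists(self.kill_switch):
            self.log.error("kill switch %s present, refusing %s", self.kill_switch, symbol)
            return False, "kill switch engaged"
        notional = abs(qty) * price
        if notional > self.max_notional:
            self.log.warning("unexpected order %s qty=%s px=%s notional=%.2f", symbol, qty, price, notional)
            return False, f"notional {notional:.2f} exceeds cap {self.max_notional:.2f}"
        return True, "ok"


if __name__ == "__main__":
    secret = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdef"  # constructed, not a real key
    logging.basicConfig(level=logging.INFO)
    logging.getLogger("executor").addFilter(RedactingFilter([secret]))
    guard = ExecutorGuard(mode="paper", max_notional=1_000.0)
    guard.log.info("authenticated with key %s", secret)        # logs [REDACTED]
    print(guard.check_order("BTC-USD", 0.01, 50_000.0))        # (True, 'ok')
    print(guard.check_order("BTC-USD", 1.0, 50_000.0))         # rejected, warning logged
```

The filter is attached to the logger, not a handler, so it also covers records that propagate to the root logger's file or alerting handlers; the crash and unexpected-order alerts from the card hook in as handlers on that same logger.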
🎣 Phishing & Social Engineering (highest risk)
The bots can't defend against a human being tricked. This is where most real money is lost.
- Assume every "urgent" DM, email, or support call about your account is fake until proven otherwise
- Never click broker/exchange links from messages — type the URL yourself
- No legitimate venue ever asks for your password, seed phrase, or 2FA code
- Slow down: urgency is the attack. Verify on a second channel before acting
Security is a posture, not a checklist you finish once. Revisit it whenever you add a venue, a key, or a new bot. This is educational guidance, not professional security advice.