API Key Security

Generating API keys on your account could give anyone who has access to the public key, private key or QR code permission to conduct sensitive actions on your Kraken account. API keys are equivalent to your Kraken username and password.

Kraken’s API keys are often used to connect a third-party service, such as a trading bot or a crypto portfolio manager, to a Kraken account. These services are thereby entrusted with access to the account and could make trades on behalf of the account owner.

Configuring an API key allows you to limit the permissions you provide to services that are accessing your Kraken account via API.

Viewable information via API:

  • Account balance and margin status

  • Current orders, positions and trades

  • Historical orders, positions and trades

  • Deposit/Withdrawal transactions (only limited information)

  • Account history (previous transactions, balance histories, etc.)

Possible actions via API:

  • Place and cancel trading orders

  • Deposits

  • Withdrawals

  • And more!


For security purposes Kraken will never share the following information:

  • Passwords

  • Two-factor authentication

  • Account owner's name

  • Contact information (address, phone, etc.)

  • Verification documents (ID, proof of address, etc.)

Kraken may also decide to disable API keys or revoke API key trading permissions. While we do so for a variety of reasons, one typical reason would be several months of dormancy. We typically attempt to notify clients before disabling or revoking API keys, though we may not do so because of various factors, including security or regulation.

Unfortunately, no amount of security by Kraken can make up for inadequate personal security. We recommend that you review the following steps to improve your personal security situation:

  • Save your API keys in a reputable password manager or encrypted format.

  • Use API key 2FA when the option is available.

  • Ensure third-party services store your API keys securely.

  • Secure third-party service accounts with 2FA.

  • Regularly create new API keys with minimal permissions.

  • Regularly delete API keys that are no longer relevant.


