- Creating an API key
- Configuring an API key (permissions/settings)
- Using an API key
- API key two factor authentication (2FA)
API keys are one of the primary components of API authentication; they are the API equivalent of your Kraken account's username and password.
API keys are required to call any of the account specific (aka private) API endpoints, namely the account management, trading, and funding, and staking endpoints. API keys are not required to call the market data (aka public) API endpoints, as the market data endpoints are not associated with any specific Kraken account.
API keys can be used by any software that interacts with our markets and accounts, such as our REST API command line clients, some mobile apps, trading platforms like Cryptowatch, third party trading bots, and many other products/services.
- Sign in to your Kraken account
- Open the account menu (click on your name in the upper-right corner of the page)
- Select the Security option
- Select the API option
- Click the Add key link (you will be able to configure your API key in the next steps)
API keys have several settings and options that must be configured before the API key can be used, notably the name/description and access permissions.
The key description is essentially the name of the API key, and can be almost anything that you prefer, as long as the description is unique (different from the descriptions of any other API keys on the same account).
By default, the key description will be populated with something like "api-key-1605316109249". This default description can be kept or changed in favour of a more descriptive name (such as "Trading Key", "Account Management Key", "Python API Key 6", or "Mobile App Key", for example).
The key permissions determine which account specific (private) API endpoints the API key is allowed to call:
- Query Funds is required for the API endpoints that query the account balance information, such as Balance and TradeBalance.
- Deposit Funds is required for the funding endpoints related to deposits, such as DepositMethods and DepositAddresses.
- Withdraw Funds is required for the funding endpoints related to withdrawals, such as WithdrawInfo, Withdraw and WithdrawCancel.
Orders & Trades
- Query Open Orders & Trades is required for the API endpoints that query already existing orders and margin positions, such as OpenOrders, QueryOrders and OpenPositions.
- Query Closed Orders & Trades is required for the endpoints that query previously closed/cancelled orders and margin positions, such as ClosedOrders, QueryOrders and QueryTrades.
- Modify Orders is required for the trading endpoints that place new orders, such as AddOrder, EditOrder, and AddOrderBatch.
- Cancel/Close Orders is required for the trading endpoints that cancel open or pending orders, such as CancelOrder, CancelAll, and CancelOrderBatch.
- Query Ledger Entries is required for the API endpoints that retrieve historical account data from the account ledger, namely Ledgers and QueryLedgers.
- Export Data is required for the endpoints that export (download) the account ledger, namely AddExport, RetrieveExport, ExportStatus and RemoveExport.
- Access WebSockets API is required to retrieve an authentication token for the WebSocket API via the GetWebSocketsToken endpoint.
As an example of using API key permissions correctly, consider an API key that is provided to a third party for trading purposes. Such an API key would definitely require Modify Orders and Cancel/Close Orders permissions, would probably require Query Open Orders & Trades permission, but would almost certainly not require Withdraw Funds permission.
Configuring the permissions appropriately would allow the API client to make trades for the account, but would prevent the API client from accessing any account information or performing funding tasks.
The remaining API key settings are only required for more advanced configurations, hence they can usually be kept at their default values:
- Nonce Window is a setting used to overcome networking issues that might cause API requests to arrive out of order, by providing a short time frame (1 second, 10 seconds, etc.) during which API requests with an invalid nonce (a nonce value lower than a previously used nonce value), will not cause an invalid nonce error.
- IP whitelisting is a security feature that restricts API key use to specific client side IP addresses.
- Key Expiration can be used to create an API key that only works for a specific amount of time, such as a key that is only valid for 1 week.
- Query Start/End Date/Time is a setting that restricts historical account data requests to a specific time frame, such as a key that could retrieve trading history from this year, but not from any previous years.
Once the API key settings have been configured appropriately, the new API key can be created by clicking on the Generate key button.
IMPORTANT: The API key, Private key, and QR code should be treated the same way as your username/password. Please save them in a password manager if you need to access them again later. Do not save them in an unencrypted format!
API keys consist of a public and private key pair, both of which must be provided to the API client software.
It can be used in three ways:
- The key pair can be copied and pasted as plain text directly into the API client code. Example: The method used by our PHP API client.
- The key pair can be copied and pasted into plain text files that the API client can access. Example: The method used by our command line API client.
- The key pair values can be imported into our mobile app for iOS and Android by scanning the QR code (as shown above) with the mobile camera. There is a full guide here.
Note: The private key is also known as the API secret (or just as the secret) by some API client software.
API keys already provide a secure way to authenticate API access to a Kraken account, but their security can be enhanced even further by adding two-factor authentication (2FA).
API key 2FA can be added to an already existing API key via the Security page and can use either a static password or Google Authenticator.
Note: Adding 2FA to an API key also requires that the API client supports 2FA (provides the 2FA data for each call to the private API methods), otherwise an unexpected error would be returned instead of the desired API output.
Read more about how 2FA works for API keys here.