API keys are one of the components of API authentication, they are the API equivalent of a username and password.
API keys are required to call any of the private API methods, namely the account management, trading, and funding methods. API keys are not required to use the public API methods (the market data methods) as the public methods do not need access to a Kraken account.
Creating An API Key
- Sign in to your Kraken account.
- Click on your name in the upper-right corner of the page.
- Click on "Security" and then "API".
- Click on the "Add key" button.
Configuring An API Key
API keys have several configuration options that must be setup before an API key can be used, notably the Key Description and Key Permissions.
The Key Description is essentially the name of the API key, and can be almost anything that you prefer, as long as the description is unique (different from the descriptions of any other API keys on the same account).
By default, the Key Description will be populated with something like "api-key-1605316109249". This default description can be kept or changed in favour of a more descriptive name (such as "Trading Key", "Account Management Key", "Python API Key 6", or "Mobile App Key", for example).
The Key Permissions determine which private API methods the API key is allowed to use:
- Query Funds is required for the account management methods that query the account balance information, such as Balance and TradeBalance.
- Deposit Funds is required for the funding methods related to deposits, such as DepositMethods and DepositAddresses.
- Withdraw Funds is required for the funding methods related to withdrawals, such as WithdrawInfo, Withdraw, and WithdrawCancel.
Orders & Trades
- Query Open Orders & Trades is required for the account management methods that query already existing orders and positions, such as OpenOrders, QueryOrders, and OpenPositions.
- Query Closed Orders & Trades is required for the account management methods that query previous closed/cancelled orders and positions, such as ClosedOrders, QueryOrders, and QueryTrades.
- Modify Orders is required for the trading method that places new orders, namely AddOrder.
- Cancel/Close Orders is required for the trading method that cancels open (pending) orders, namely CancelOrder.
- Query Ledger Entries is required for the account management methods that retrieve historical account data from the account ledger, namely Ledgers and QueryLedgers.
- Export Data is required for the account management methods that export the account ledger, namely AddExport, RetrieveExport, ExportStatus, and RemoveExport.
- Access WebSockets API is required to retrieve an authentication token for the WebSocket API private feeds/endpoints.
As an example of using API key permissions correctly, consider an API key that is provided to a third party for trading purposes. Such an API key would definitely require Modify Orders and Cancel/Close Orders permissions, would possibly require Query Open Orders & Trades permission, but would almost certainly not require Withdraw Funds permission.
Configuring the permissions appropriately would allow the API client to make trades for the account, but would prevent the API client from accessing any account information or performing funding tasks.
Other Settings (Nonce Window, Key Expiration, Query Start/End Date)
The remaining API key settings are only required for more advanced configurations, hence they can usually be left at their default values:
- Nonce Window is a short time frame (1 second, 10 seconds, etc.) during which API requests with an invalid nonce, specifically a nonce value lower than a previously used nonce value, will not cause an invalid nonce error (EAPI:Invalid nonce). The main goal of the nonce window is to overcoming network inconsistencies.
- Key Expiration is for creating an API key that only works for a user-specified amount of time.
- Query Start/End Date/Time is for specifying a time frame for which historical account data can be queried using that particular API key.
Once the API key settings have been configured appropriately, the new API key can be generated by clicking on the "Generate key" button. After scanning the QR code and/or saving the Public and Private keys, make sure to click "Save" or the key will not be valid.
IMPORTANT: The "Private Key" and QR code will only be visible once after first generating it! Please save it in a password manager if you need to access it again later. Do not save it in an unencrypted format!
The "Private Key" and QR code should be treated the same way as your password! If they get into the wrong hands, your account can be compromised.
Using an API Key
API keys consist of a public/private key pair, both of which must be provided to the API client software.
It can be used in 3 ways:
- The key pair can be copied and pasted as plain text directly into the API client code.
- Example: The method used by our PHP API client.
- The key pair can be copied and pasted into plain text files that the API client can access.
- Example: The method used by our command line API client.
- The key pair values can be imported into our mobile app for iOS and Android by scanning the QR code (as shown above) with the mobile camera. There is a full guide here.
Note: The private key is also known as the API secret (or just as the secret) by some API client software.
2FA For API Key
API keys already provide a secure way to authenticate API access to a Kraken account, but their security can be enhanced even further by adding two factor authentication (2FA).
API key 2FA can be added to an already existing API key via the Security page and can use either a static password or Google Authenticator.
Note: Adding 2FA to an API key also requires that the API client supports 2FA (provides the 2FA data for each call to the private API methods), otherwise an unexpected error would be returned instead of the desired API output.
Read more about how 2FA works for API keys here.