API keys are one of the components of API authentication; they are the API equivalent of a username and password.
API keys are required to call any of the private API methods, namely the account management, trading, and funding methods. API keys are not required to use the public API methods (the market data methods) as the public methods do not need to access a Kraken account.
Creating an API Key
API keys are created via the Settings → API tab of account management, by clicking on the "+ Generate New Key" button.
Configuring an API Key
API keys have several configuration options that must be set up before an API key can be used, notably the Key Description and Key Permissions.
The Key Description is essentially the name of the API key, and can be almost anything that you prefer, as long as the description is unique (different from the descriptions of any other API keys on the same account).
By default, the Key Description will be populated with "#1", "#2", "#3", and so on. This default description can be kept or changed in favour of a more descriptive name (such as "Trading Key", "Account Management Key", "Python API Key 6", etc.).
The Key Permissions determine which private API methods the API key is allowed to use:
- Query Funds is required for the account management methods that query the account balance information, such as Balance and TradeBalance.
- Deposit Funds is required for the funding methods related to deposits, such as DepositMethods and DepositAddresses.
- Withdraw Funds is required for the funding methods related to withdrawals, such as WithdrawInfo, Withdraw, and WithdrawCancel.
Orders & Trades
- Query Open Orders & Trades is required for the account management methods that query already existing orders and positions, such as OpenOrders, QueryOrders, and OpenPositions.
- Query Closed Orders & Trades is required for the account management methods that query previous closed/cancelled orders and positions, such as ClosedOrders, QueryOrders, and QueryTrades.
- Modify Orders is required for the trading method that places new orders, namely AddOrder.
- Cancel/Close Orders is required for the trading method that cancels open (pending) orders, namely CancelOrder.
- Query Ledger Entries is required for the account management methods that retrieve historical account data from the account ledger, namely Ledgers and QueryLedgers.
- Export Data is required for the account management methods that export the account ledger, namely AddExport, RetrieveExport, ExportStatus, and RemoveExport.
As an example of using API key permissions correctly, consider an API key that is provided to a third party for trading purposes. Such an API key would definitely require Modify Orders and Cancel/Close Orders permissions, would possibly require Query Open Orders & Trades permission, but would almost certainly not require Withdraw Funds permission.
Configuring the permissions appropriately would allow the API client to make trades for the account, but would prevent the API client from accessing any account information or performing funding tasks.
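An added example (not Kraken's code) of checking a key against the least-privilege guidance above: it maps the private methods a client calls to the permissions listed on this page and reports missing and excess permissions. The function names are hypothetical, and a method listed under two permissions (QueryOrders) is assumed to need both.

```python
# Added example: least-privilege audit for an API key, using the
# permission-to-method mapping transcribed from the list above.
PERMISSION_METHODS = {
    "Query Funds": ["Balance", "TradeBalance"],
    "Deposit Funds": ["DepositMethods", "DepositAddresses"],
    "Withdraw Funds": ["WithdrawInfo", "Withdraw", "WithdrawCancel"],
    "Query Open Orders & Trades": ["OpenOrders", "QueryOrders", "OpenPositions"],
    "Query Closed Orders & Trades": ["ClosedOrders", "QueryOrders", "QueryTrades"],
    "Modify Orders": ["AddOrder"],
    "Cancel/Close Orders": ["CancelOrder"],
    "Query Ledger Entries": ["Ledgers", "QueryLedgers"],
    "Export Data": ["AddExport", "RetrieveExport", "ExportStatus", "RemoveExport"],
}

# Invert to method -> permissions. Assumption: a method listed under two
# permissions (QueryOrders) is treated as needing both.
METHOD_PERMISSIONS = {}
for perm, methods in PERMISSION_METHODS.items():
    for m in methods:
        METHOD_PERMISSIONS.setdefault(m, set()).add(perm)


def required_permissions(methods):
    """Permission set covering the private methods a client calls."""
    unknown = sorted(set(methods) - set(METHOD_PERMISSIONS))
    if unknown:
        # Fail closed: an unmapped method must be reviewed by hand.
        raise ValueError(f"no permission mapping for: {', '.join(unknown)}")
    needed = set()
    for m in methods:
        needed |= METHOD_PERMISSIONS[m]
    return needed


def audit_key(granted, methods):
    """Compare a key's granted permissions with what its client needs."""
    granted = set(granted)
    bad = sorted(granted - set(PERMISSION_METHODS))
    if bad:
        raise ValueError(f"unknown permission(s): {', '.join(bad)}")
    needed = required_permissions(methods)
    return {
        "missing": sorted(needed - granted),  # calls that would be refused
        "excess": sorted(granted - needed),   # permissions to remove
    }
```

For the third-party trading key described above, a client that calls AddOrder, CancelOrder and OpenOrders with Withdraw Funds also granted is reported with Withdraw Funds as the only excess permission.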
Other Settings (nonce window, key expiration, etc.)
The remaining API key settings are only required for more advanced configurations (such as overcoming network inconsistencies, or an API key that only works for a short amount of time, etc.), hence these additional configuration options can usually be left at their default values.
Once the API key settings have been configured appropriately, the new API key can be generated by clicking on the "Generate Key" button.
Using an API Key
API keys consist of a public/private key pair, both of which must be provided to the API client software.
The API Key and Private Key values can be copied and pasted as text directly into the API client code (the method used by our PHP API client) or into text files that the API client can access (the method used by our command line API client), or the key values can be imported into the API client via the graphical QR code (the method often used by mobile phone apps).
Note that the private key is also known as the API secret (or just as the secret) by some API client software.
API Key 2FA
API keys already provide a secure way to authenticate API access to a Kraken account, but their security can be enhanced even further by adding two-factor authentication (2FA).
API key 2FA can be added to an already existing API key via the Security tab of account management and can use either a static password or Google Authenticator.
Note that adding 2FA to an API key also requires that the API client supports 2FA (provides the 2FA data for each call to the private API methods), otherwise an unexpected error would be returned instead of the desired API output.