Portfolio Monitoring and Risk

Read-Only Crypto API Keys: What They Protect and How to Verify Permissions

2026-07-10 · BlockMind Research Team

Key takeaway: A provider-scoped read-only exchange API key can expose balances and account history but cannot place trades or withdraw funds. That sharply reduces financial authority, not all risk. Verify the exchange's own permission screen, disable every write scope, protect the credential like a password, and revoke it when no longer needed or after suspected exposure.


Portfolio trackers need data, not control. The safest exchange connection is therefore the narrowest credential that can read the required balances and transactions without trading, transferring, withdrawing, or changing account settings.

This is part of the wider AI portfolio monitoring trust boundary. Monitoring becomes more useful with current holdings, but portfolio context should not require execution authority.

What is a read-only crypto API key?

An API key is a credential an application uses to authenticate requests to an exchange. “Read-only” describes the permissions attached to that credential, not the secrecy of the key itself.

A properly scoped read-only key may be able to retrieve:

  • balances;
  • positions and margin status;
  • deposits and withdrawals history;
  • orders and trades history;
  • ledgers and transaction history;
  • account or portfolio identifiers.

It should not be able to:

  • place, edit, or cancel orders;
  • transfer assets between accounts where that is a write operation;
  • add withdrawal addresses;
  • withdraw assets;
  • change security or user settings.

The precise boundary is provider-specific. Trust the exchange's current permission documentation and the key-creation screen, not a generic tutorial.

Provider permission matrix

Checked against official documentation on July 10, 2026:

ProviderRead scopeTrade/write scope to leave offWithdrawal/transfer scope to leave offUseful security control
Coinbase ExchangeViewTrade, ManageTransferRequired IP allowlist for Exchange API keys
KrakenQuery funds, orders/trades, ledger as neededModify/close trades, earn or other unnecessary actionsWithdraw funds; add/update withdrawal addressPermission-specific keys; API-key 2FA available
OKXReadTradeWithdrawIP address binding
BinanceAccount/user-data access needed by trackerTRADE and other write permissionsWithdrawal-related authorityEndpoint-type restrictions and IP allowlist

Coinbase's permission documentation is particularly explicit: View reads endpoints, Trade posts orders, and Transfer can transfer value, including withdrawals. Kraken exposes separate query, trade-modification, and withdrawal permissions. OKX separates Read, Trade, and Withdraw. Binance says keys can be restricted by secure endpoint type and trading is not enabled by default.

Interfaces and names can change. Recheck the official page while creating the key.

The READ verification protocol

R — Requirements first

Write down what the application needs before opening the exchange settings:

  • balances only;
  • balances plus transaction history;
  • open positions;
  • tax lots or ledger history;
  • specific portfolio or subaccount;
  • sync frequency;
  • source IPs, if allowlisting is supported.

If the use case is portfolio analysis, trade and withdrawal authority are not requirements.

E — Exchange-native scope

Create the key inside the exchange's official authenticated interface. Do not follow links from unsolicited messages or search ads. Verify domain, account, and subaccount.

Select only read/query permissions. Some exchanges separate several query scopes; enable only those needed for the documented import. Take a screenshot or write down the final scope without capturing the secret.

A — Access controls and application trust

  • Enable strong MFA on the exchange and connected application.
  • Use IP allowlisting when the application's documented infrastructure supports stable addresses.
  • Create a separate key per application instead of reusing one.
  • Give the key a descriptive name and creation date.
  • Check how the application stores and processes credentials.
  • Confirm how to delete imported data and revoke access.
  • Never paste API secrets into chat, email, tickets, source code, or shared documents.

Kraken's API security guidance recommends encrypted storage or a reputable password manager, minimal permissions, API-key 2FA where available, and deleting keys that are no longer relevant. NIST's least-privilege principle likewise says processes should receive only the access necessary for assigned tasks.

D — Detect and decommission

After connection:

  • confirm the app shows the intended account and no others;
  • review key usage where the exchange exposes it;
  • inspect exchange activity and security notifications;
  • rotate or recreate the key according to your risk policy and provider guidance;
  • revoke it before deleting the application account, when no longer needed, or immediately after suspected exposure;
  • verify that revocation breaks the sync.

Deleting a portfolio inside an app may not revoke the exchange key. Delete it at the exchange.

The read-only proof test

Do not accept a “read-only” label until all four statements are true:

  1. The exchange permission screen shows no order-placement or trade-modification scope.
  2. It shows no transfer, withdrawal, or withdrawal-address-management scope.
  3. It shows no account-security or broad management scope.
  4. The app's documented use case requires only the selected query permissions.

If a provider offers one combined permission that includes actions beyond the use case, it is not provider-scoped read-only even if the application promises to behave read-only.

BlockMind's connection boundary—and the Firi exception

For Binance, Coinbase, Kraken, OKX, KuCoin, MEXC, Crypto.com, and Bitstamp, BlockMind instructs users to create provider-scoped read-only keys with trading and withdrawals disabled. BlockMind uses these connections only to read balances and positions and cannot initiate trades, withdrawals, or transfers.

Firi is the explicit exception: Firi does not offer a provider-scoped read-only API key. BlockMind stores the provided credentials encrypted and enforces balance-only behavior in the application, but the exchange itself does not restrict that key to reading. That means the credential deserves greater caution and faster revocation after suspected compromise.

The canonical provider list and current setup details live in Connect your portfolio. The broader data-handling boundary is in Trust and security.

Read-only does not mean risk-free

Privacy risk

Balances, positions, trade history, deposits, withdrawals, and account relationships are sensitive. They can reveal net worth, strategies, counterparties, and behavior.

Credential risk

An API secret is still a secret. A service compromise, phishing attack, browser extension, malware, log, screenshot, or exposed support ticket can leak it. Misconfigured permissions turn the same leaked credential into a financial threat.

Data-integrity risk

Read-only access prevents the app from writing to the exchange. It does not guarantee that imported balances, transaction history, cost basis, or asset mappings are complete. Exchange APIs can omit product types or historical activity.

Account-linking risk

Combining wallets and exchanges in one tracker creates a high-value map of holdings. Review the provider's privacy, retention, deletion, and breach practices.

Social-engineering risk

Scammers may impersonate support and ask for a key, QR code, remote screen access, seed phrase, or “verification” payment. A legitimate portfolio connection never requires your wallet seed phrase or private key.

A blast-radius worksheet

Inventory one row per credential:

KeyAccount scopeRead data visibleWrite scopesIP restrictionCreatedLast usedRevoke trigger
Tracker ASpot portfolioBalances + ledgerNoneYes/noDateDateApp removal or exposure
Tax tool BMain accountFull historyNoneYes/noDateDateFiling complete/review date
Bot CTrading subaccountBalances + ordersTradeYes/noDateDateStrategy stop or anomaly

Worked hypothetical

A user has three services connected to the same exchange:

  • Portfolio tracker: read balances and ledger.
  • Tax tool: read full transaction history.
  • Old bot: read and trade.

The user stopped using the bot six months ago but left its key enabled. The portfolio tracker and tax tool cannot trade; the dormant bot can. The largest preventable blast radius comes from the unused trade-enabled key, not the two active read-only keys. The correct security task is credential inventory and revocation—not disconnecting the useful read-only data first.

This worksheet is qualitative. It does not estimate breach probability.

API key vs wallet address vs seed phrase

Credential/dataWhat it normally enablesSafe for a balance tracker?
Public wallet addressView public on-chain activityYes, with privacy tradeoffs
Provider-scoped read-only API keyView permitted exchange dataAppropriate when required and trusted
Trade-enabled API keyPlace or modify ordersNot needed for portfolio tracking
Withdrawal-enabled API keyMove assetsNever needed for portfolio tracking
Seed phrase/private keyControl and sign for wallet assetsNever share with a tracker

If an application asks for a seed phrase to “import balances,” stop.

Connection and revocation checklist

  • Official exchange domain and account confirmed
  • Use case and required query fields written down
  • Separate key created for this application
  • Trade disabled
  • Transfers and withdrawals disabled
  • Address management and broad management disabled
  • Scope limited to correct portfolio/subaccount where supported
  • IP allowlist configured if compatible
  • MFA enabled on exchange and app
  • Secret stored only through the intended secure entry path
  • First sync reconciled against source account
  • Key added to credential inventory
  • Revocation tested or procedure documented
  • Review/revocation trigger scheduled

For tracker selection, compare how providers connect and reconcile data in Best Crypto Portfolio Trackers. For a full data-quality review after connection, use the crypto portfolio health check.

Limitations and counterevidence

Provider documentation and interfaces change. Some connections use OAuth rather than an API key, and OAuth scopes require the same least-privilege review. IP allowlisting may not work with a service that does not publish stable egress addresses. A provider's “read” permission may expose more account history than you expect.

Read-only reduces authority; it does not guarantee the third party's security, privacy, accuracy, or availability. Evaluate the application as well as the key.

The Bottom Line

Read-only crypto API keys are the right default for portfolio tracking because the job is observation, not execution. Prove the scope in the exchange UI, protect the secret, inventory every connection, and remove dormant credentials.

The decisive question is not “Does the app call itself read-only?” It is “What actions will the exchange authorize for this exact key?”

This article is for research and education, not personalized security or financial advice.

Sources

  1. Coinbase Exchange: API key permissions
  2. Kraken: API key permission reference
  3. Kraken: API key security practices
  4. OKX: API key permissions and IP binding
  5. Binance: API request security and endpoint permissions
  6. NIST SP 800-171 Rev. 3: Least privilege
  7. BlockMind: Connect your portfolio
  8. BlockMind: Trust and security