Portfolio Monitoring and Risk
Read-Only Crypto API Keys: What They Protect and How to Verify Permissions
2026-07-10 · BlockMind Research Team
Key takeaway: A provider-scoped read-only exchange API key can expose balances and account history but cannot place trades or withdraw funds. That sharply reduces financial authority, not all risk. Verify the exchange's own permission screen, disable every write scope, protect the credential like a password, and revoke it when no longer needed or after suspected exposure.
Portfolio trackers need data, not control. The safest exchange connection is therefore the narrowest credential that can read the required balances and transactions without trading, transferring, withdrawing, or changing account settings.
This is part of the wider AI portfolio monitoring trust boundary. Monitoring becomes more useful with current holdings, but portfolio context should not require execution authority.
What is a read-only crypto API key?
An API key is a credential an application uses to authenticate requests to an exchange. “Read-only” describes the permissions attached to that credential, not the secrecy of the key itself.
A properly scoped read-only key may be able to retrieve:
- balances;
- positions and margin status;
- deposits and withdrawals history;
- orders and trades history;
- ledgers and transaction history;
- account or portfolio identifiers.
It should not be able to:
- place, edit, or cancel orders;
- transfer assets between accounts where that is a write operation;
- add withdrawal addresses;
- withdraw assets;
- change security or user settings.
The precise boundary is provider-specific. Trust the exchange's current permission documentation and the key-creation screen, not a generic tutorial.
Provider permission matrix
Checked against official documentation on July 10, 2026:
| Provider | Read scope | Trade/write scope to leave off | Withdrawal/transfer scope to leave off | Useful security control |
|---|---|---|---|---|
| Coinbase Exchange | View | Trade, Manage | Transfer | Required IP allowlist for Exchange API keys |
| Kraken | Query funds, orders/trades, ledger as needed | Modify/close trades, earn or other unnecessary actions | Withdraw funds; add/update withdrawal address | Permission-specific keys; API-key 2FA available |
| OKX | Read | Trade | Withdraw | IP address binding |
| Binance | Account/user-data access needed by tracker | TRADE and other write permissions | Withdrawal-related authority | Endpoint-type restrictions and IP allowlist |
Coinbase's permission documentation is particularly explicit: View reads endpoints, Trade posts orders, and Transfer can transfer value, including withdrawals. Kraken exposes separate query, trade-modification, and withdrawal permissions. OKX separates Read, Trade, and Withdraw. Binance says keys can be restricted by secure endpoint type and trading is not enabled by default.
Interfaces and names can change. Recheck the official page while creating the key.
The READ verification protocol
R — Requirements first
Write down what the application needs before opening the exchange settings:
- balances only;
- balances plus transaction history;
- open positions;
- tax lots or ledger history;
- specific portfolio or subaccount;
- sync frequency;
- source IPs, if allowlisting is supported.
If the use case is portfolio analysis, trade and withdrawal authority are not requirements.
E — Exchange-native scope
Create the key inside the exchange's official authenticated interface. Do not follow links from unsolicited messages or search ads. Verify domain, account, and subaccount.
Select only read/query permissions. Some exchanges separate several query scopes; enable only those needed for the documented import. Take a screenshot or write down the final scope without capturing the secret.
A — Access controls and application trust
- Enable strong MFA on the exchange and connected application.
- Use IP allowlisting when the application's documented infrastructure supports stable addresses.
- Create a separate key per application instead of reusing one.
- Give the key a descriptive name and creation date.
- Check how the application stores and processes credentials.
- Confirm how to delete imported data and revoke access.
- Never paste API secrets into chat, email, tickets, source code, or shared documents.
Kraken's API security guidance recommends encrypted storage or a reputable password manager, minimal permissions, API-key 2FA where available, and deleting keys that are no longer relevant. NIST's least-privilege principle likewise says processes should receive only the access necessary for assigned tasks.
D — Detect and decommission
After connection:
- confirm the app shows the intended account and no others;
- review key usage where the exchange exposes it;
- inspect exchange activity and security notifications;
- rotate or recreate the key according to your risk policy and provider guidance;
- revoke it before deleting the application account, when no longer needed, or immediately after suspected exposure;
- verify that revocation breaks the sync.
Deleting a portfolio inside an app may not revoke the exchange key. Delete it at the exchange.
The read-only proof test
Do not accept a “read-only” label until all four statements are true:
- The exchange permission screen shows no order-placement or trade-modification scope.
- It shows no transfer, withdrawal, or withdrawal-address-management scope.
- It shows no account-security or broad management scope.
- The app's documented use case requires only the selected query permissions.
If a provider offers one combined permission that includes actions beyond the use case, it is not provider-scoped read-only even if the application promises to behave read-only.
BlockMind's connection boundary—and the Firi exception
For Binance, Coinbase, Kraken, OKX, KuCoin, MEXC, Crypto.com, and Bitstamp, BlockMind instructs users to create provider-scoped read-only keys with trading and withdrawals disabled. BlockMind uses these connections only to read balances and positions and cannot initiate trades, withdrawals, or transfers.
Firi is the explicit exception: Firi does not offer a provider-scoped read-only API key. BlockMind stores the provided credentials encrypted and enforces balance-only behavior in the application, but the exchange itself does not restrict that key to reading. That means the credential deserves greater caution and faster revocation after suspected compromise.
The canonical provider list and current setup details live in Connect your portfolio. The broader data-handling boundary is in Trust and security.
Read-only does not mean risk-free
Privacy risk
Balances, positions, trade history, deposits, withdrawals, and account relationships are sensitive. They can reveal net worth, strategies, counterparties, and behavior.
Credential risk
An API secret is still a secret. A service compromise, phishing attack, browser extension, malware, log, screenshot, or exposed support ticket can leak it. Misconfigured permissions turn the same leaked credential into a financial threat.
Data-integrity risk
Read-only access prevents the app from writing to the exchange. It does not guarantee that imported balances, transaction history, cost basis, or asset mappings are complete. Exchange APIs can omit product types or historical activity.
Account-linking risk
Combining wallets and exchanges in one tracker creates a high-value map of holdings. Review the provider's privacy, retention, deletion, and breach practices.
Social-engineering risk
Scammers may impersonate support and ask for a key, QR code, remote screen access, seed phrase, or “verification” payment. A legitimate portfolio connection never requires your wallet seed phrase or private key.
A blast-radius worksheet
Inventory one row per credential:
| Key | Account scope | Read data visible | Write scopes | IP restriction | Created | Last used | Revoke trigger |
|---|---|---|---|---|---|---|---|
| Tracker A | Spot portfolio | Balances + ledger | None | Yes/no | Date | Date | App removal or exposure |
| Tax tool B | Main account | Full history | None | Yes/no | Date | Date | Filing complete/review date |
| Bot C | Trading subaccount | Balances + orders | Trade | Yes/no | Date | Date | Strategy stop or anomaly |
Worked hypothetical
A user has three services connected to the same exchange:
- Portfolio tracker: read balances and ledger.
- Tax tool: read full transaction history.
- Old bot: read and trade.
The user stopped using the bot six months ago but left its key enabled. The portfolio tracker and tax tool cannot trade; the dormant bot can. The largest preventable blast radius comes from the unused trade-enabled key, not the two active read-only keys. The correct security task is credential inventory and revocation—not disconnecting the useful read-only data first.
This worksheet is qualitative. It does not estimate breach probability.
API key vs wallet address vs seed phrase
| Credential/data | What it normally enables | Safe for a balance tracker? |
|---|---|---|
| Public wallet address | View public on-chain activity | Yes, with privacy tradeoffs |
| Provider-scoped read-only API key | View permitted exchange data | Appropriate when required and trusted |
| Trade-enabled API key | Place or modify orders | Not needed for portfolio tracking |
| Withdrawal-enabled API key | Move assets | Never needed for portfolio tracking |
| Seed phrase/private key | Control and sign for wallet assets | Never share with a tracker |
If an application asks for a seed phrase to “import balances,” stop.
Connection and revocation checklist
- Official exchange domain and account confirmed
- Use case and required query fields written down
- Separate key created for this application
- Trade disabled
- Transfers and withdrawals disabled
- Address management and broad management disabled
- Scope limited to correct portfolio/subaccount where supported
- IP allowlist configured if compatible
- MFA enabled on exchange and app
- Secret stored only through the intended secure entry path
- First sync reconciled against source account
- Key added to credential inventory
- Revocation tested or procedure documented
- Review/revocation trigger scheduled
For tracker selection, compare how providers connect and reconcile data in Best Crypto Portfolio Trackers. For a full data-quality review after connection, use the crypto portfolio health check.
Limitations and counterevidence
Provider documentation and interfaces change. Some connections use OAuth rather than an API key, and OAuth scopes require the same least-privilege review. IP allowlisting may not work with a service that does not publish stable egress addresses. A provider's “read” permission may expose more account history than you expect.
Read-only reduces authority; it does not guarantee the third party's security, privacy, accuracy, or availability. Evaluate the application as well as the key.
The Bottom Line
Read-only crypto API keys are the right default for portfolio tracking because the job is observation, not execution. Prove the scope in the exchange UI, protect the secret, inventory every connection, and remove dormant credentials.
The decisive question is not “Does the app call itself read-only?” It is “What actions will the exchange authorize for this exact key?”
This article is for research and education, not personalized security or financial advice.
Sources
- Coinbase Exchange: API key permissions
- Kraken: API key permission reference
- Kraken: API key security practices
- OKX: API key permissions and IP binding
- Binance: API request security and endpoint permissions
- NIST SP 800-171 Rev. 3: Least privilege
- BlockMind: Connect your portfolio
- BlockMind: Trust and security