API Keys
Securely manage your exchange API keys for automated trading.
Overview
API keys connect your bots to your exchange account. Each key provides the bot with the credentials it needs to read market data and execute trades on your behalf.
The API Keys page shows a table of all your managed keys with their label, exchange, market type, masked key, active status, and bot assignment.
Adding a Key
Click "Add API Key" to open the dialog. You'll need to provide:
- Label — A descriptive name for this key (e.g. "BitMEX Main", "BTC Perps Key").
- Exchange — The exchange this key belongs to. Currently supported: BitMEX.
- API Key — Your exchange API key string.
- API Secret — Your exchange API secret. This is entered once and never shown again.
- Contract Type — Linear (USDT-settled) or Inverse (BTC-settled). This determines how P&L and position sizes are calculated.
Active & Inactive Keys
Each key has an active/inactive toggle. Only active keys can be assigned to bots. Deactivating a key provides a quick way to temporarily prevent a bot from trading without destroying the bot or deleting the key.
If a key is currently assigned to a bot, deactivating it will prevent the bot from opening new positions but won't affect existing positions — exit rules will continue to function normally.
Assigning to Bots
API keys are assigned to bots on the bot detail page. Key assignment rules:
- Each key can be assigned to only one bot at a time.
- The key must be active to be assignable.
- You cannot change a bot's API key while it has open positions.
- Keys cannot be deleted while assigned to a bot — unassign them first.
Security
API key security is critical. Here's how plutarc protects your credentials:
- Encryption at rest — API secrets are encrypted using AES-256-GCM (authenticated encryption). They are never stored in plain text.
- Runtime-only decryption — Secrets are only decrypted in-memory within your dedicated bot instance's process. They never touch disk unencrypted.
- Masked display — The dashboard only shows masked key hints for identification. The full key and secret are never displayed after initial entry.
- Immediate deletion — Keys are permanently deleted upon request or account closure.
Always create API keys with trading permissions only — never enable withdrawal permissions. This limits the potential impact if credentials were ever compromised.
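The encryption-at-rest and masked-display items above can be pictured with the following added example, which is not plutarc's code. It uses Node's built-in `crypto` module; the function names, the `recordId` binding, the stored blob layout and the mask format are assumptions made for illustration.

```javascript
// Added example: not plutarc's code. All names here are hypothetical.
const crypto = require('node:crypto');

const IV_LEN = 12;   // 96-bit nonce, the standard size for GCM
const TAG_LEN = 16;  // 128-bit authentication tag

// Encrypt an exchange API secret for storage. recordId (assumed: the ID of the
// key record) is bound as associated data, so a ciphertext copied onto a
// different record fails authentication on decrypt.
function sealSecret(masterKey, recordId, apiSecret) {
  if (masterKey.length !== 32) throw new Error('AES-256 needs a 32-byte key');
  const iv = crypto.randomBytes(IV_LEN); // fresh nonce per encryption, never reused
  const cipher = crypto.createCipheriv('aes-256-gcm', masterKey, iv, { authTagLength: TAG_LEN });
  cipher.setAAD(Buffer.from(recordId, 'utf8'));
  const ct = Buffer.concat([cipher.update(apiSecret, 'utf8'), cipher.final()]);
  // Stored blob layout (constructed for this example): iv || tag || ciphertext
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt in memory only. Throws if the blob, the tag, or the record binding
// has been altered; callers must treat that as a hard failure.
function openSecret(masterKey, recordId, blobB64) {
  const blob = Buffer.from(blobB64, 'base64');
  if (blob.length < IV_LEN + TAG_LEN) throw new Error('blob too short');
  const iv = blob.subarray(0, IV_LEN);
  const tag = blob.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = blob.subarray(IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', masterKey, iv, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(recordId, 'utf8'));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Masked hint for display (assumed format): keep only the last four characters.
function maskKey(apiKey) {
  const keep = Math.min(4, Math.floor(apiKey.length / 2));
  return '*'.repeat(apiKey.length - keep) + apiKey.slice(apiKey.length - keep);
}

// Constructed sample values, not real credentials.
const demoKey = crypto.randomBytes(32);
const demoBlob = sealSecret(demoKey, 'key-record-1', 'constructed-secret-value');
console.log(maskKey('ABCD1234EFGH5678'), openSecret(demoKey, 'key-record-1', demoBlob));
```

Because GCM is authenticated, a modified blob or a blob moved to another record is rejected at decrypt time instead of yielding a corrupted secret.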