How to Set Up a KuCoin API Key for Trading Bots
Connecting a trading bot to KuCoin requires an API key. Done correctly, this is safe — the bot can trade on your behalf but cannot withdraw your funds. Done incorrectly, you hand over full control of your account to a third party. This guide walks through every step, with the security settings that matter.
What You Need Before Starting
- A KuCoin account with KYC completed (required for API access)
- Two-factor authentication enabled (Google Authenticator or SMS)
- The IP address of the server your bot will run from (for whitelisting)
- 10 minutes
Step 1: Log In and Navigate to API Management
Log in to your KuCoin account at kucoin.com. Hover over your profile icon in the top-right corner and click API Management from the dropdown menu. You may be prompted for your trading password and 2FA code — enter them to proceed.
You should now see the API Management page. If you have existing API keys, they'll be listed here. To create a new one, click Create API.
Step 2: Name Your API Key
Give your API key a descriptive name so you can identify it later. "SuperKamouBot Trading" is clear. "API1" is not. If you run multiple bots or services, good naming saves you from accidentally revoking the wrong key later.
Step 3: Configure Permissions (Critical Step)
KuCoin lets you choose what each API key can do. This is the most important step in the entire process. Get this wrong and you risk losing your funds.
The Permissions You Need
For a trading bot, you need:
- General — enabled (required to read account data)
- Trade — enabled (required to place orders)
- Withdraw — DISABLED (this is the single most important setting)
Why Disabling Withdrawals Is Non-Negotiable
If your API key has withdrawal permission enabled, anyone who obtains your key can move your funds off the exchange. Even if you trust the bot provider, you are trusting every employee, every server, and every line of code between you and the withdrawal. There is no reason a trading bot needs withdrawal access. If a service asks for withdrawal-enabled API keys, do not use that service.
The Permission Matrix
| Permission | Setting | Why |
|---|---|---|
| General | Enabled | Read account balance, positions, order history |
| Trade | Enabled | Place and cancel orders |
| Withdraw | Disabled | Prevents funds from leaving your account |
Step 4: Set a Passphrase
KuCoin API keys require a passphrase — a separate password specific to this key. Use a strong, unique passphrase. Do not reuse your account password. Store it in a password manager. You will need this passphrase along with the API key and secret to connect your bot.
Step 5: Whitelist Your IP Address
KuCoin allows you to restrict an API key to specific IP addresses. You should always do this. Without IP whitelisting, anyone who obtains your key can use it from anywhere in the world. With whitelisting, the key only works from the server you specify.
How to Find Your Server's IP Address
If your bot runs on a VPS, SSH into the server and run:
curl ifconfig.me
This returns your server's public IP address. Enter this IP in the IP Whitelist field when creating your API key.
If you run the bot locally (not recommended for production), use your home IP. Note that home IPs often change — if your bot stops working after a router restart, the IP whitelist is the likely cause.
Why IP Whitelisting Matters
Even if your API key leaks — through a misconfigured bot, a compromised server, or a phishing attack — IP whitelisting means the key is useless from any other location. It is a second layer of defense on top of disabling withdrawals.
Step 6: Complete 2FA and Create the Key
KuCoin will ask for your trading password, email verification code, and Google Authenticator code. Enter all three. The API key is then created and you'll see:
- API Key (also called API ID) — a public identifier
- Secret Key — shown only once; copy it immediately and store it securely
- Passphrase — the one you set in Step 4
The secret key is shown only once. If you lose it, you must delete the API key and create a new one. Store all three values in a password manager or secure vault — never in a plain text file, never in a git repository, never in a chat message.
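One way to enforce the "never in a git repository" rule before each commit, as an added example that is not part of the original guide or of any KuCoin tooling: scan the working tree for the literal secret and passphrase values. The function names, labels, sample values and the environment variable name are constructed for illustration; in practice the values come from your vault, and the scan covers the working tree only, not git history.

```python
import os
import tempfile
from pathlib import Path

SKIP_DIRS = {".git", "node_modules", "__pycache__", ".venv"}  # .git objects are compressed
MAX_BYTES = 2_000_000  # skip large files such as binaries and datasets

def find_leaks(root, secrets):
    """Return sorted (relative path, label) pairs for files containing a secret value.

    Only labels are reported, so the scanner's own output never exposes a value.
    """
    root = Path(root)
    needles = {label: value.encode() for label, value in secrets.items() if value}
    hits = set()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for name in filenames:
            path = Path(dirpath) / name
            try:
                if path.is_symlink() or path.stat().st_size > MAX_BYTES:
                    continue
                data = path.read_bytes()
            except OSError:
                continue  # unreadable file: nothing to report
            for label, needle in needles.items():
                if needle in data:
                    hits.add((path.relative_to(root).as_posix(), label))
    return sorted(hits)

def demo():
    """Build a throwaway tree with constructed (fake) credentials and scan it."""
    secrets = {"secret": "EXAMPLE-SECRET-0000", "passphrase": "EXAMPLE-PASSPHRASE-1111"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bot").mkdir()
        (root / "bot" / "config.yaml").write_text("api_secret: EXAMPLE-SECRET-0000\n")
        (root / "notes.txt").write_text("passphrase is EXAMPLE-PASSPHRASE-1111\n")
        # Safe pattern: the code names an environment variable, not the value.
        (root / "main.py").write_text("import os\nsecret = os.environ['KUCOIN_API_SECRET']\n")
        return find_leaks(root, secrets)

if __name__ == "__main__":
    for path, label in demo():
        print(f"LEAK: {label} found in {path}")
```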
Step 7: Connect Your Trading Bot
With your API key, secret, and passphrase in hand, you can now connect your trading bot. The exact process depends on the bot, but the general flow is:
- Log in to your bot's dashboard or configuration
- Navigate to the exchange/API settings section
- Select KuCoin Futures as the exchange
- Enter your API key, secret, and passphrase
- Test the connection
- Start the bot
If you're using SuperKamouBot, see the safety page for how we handle your API keys and the managed API guide for the hands-off option. Full API documentation is at API docs.
Common Mistakes to Avoid
1. Enabling Withdrawal Permission
This is the most dangerous mistake. A trading bot never needs to withdraw funds. If you accidentally enable withdrawals, delete the key immediately and create a new one with withdrawals disabled.
2. Skipping IP Whitelisting
Without IP whitelisting, a leaked key works from anywhere. With it, a leaked key only works from your server. There is no downside to whitelisting and a massive upside. Always whitelist.
3. Using the Same Key for Multiple Services
If you use the same API key for multiple bots or services, revoking access to one means revoking access to all. Create a separate API key for each service. This also lets you monitor which service is making which trades.
4. Storing the Secret Key Insecurely
The secret key is as sensitive as your password. Do not commit it to git, paste it into a support chat, or store it in a plain text file on your desktop. Use a password manager or encrypted vault.
5. Not Testing with a Small Balance First
When connecting a new bot, start with a small balance. Verify the bot places orders correctly, respects your risk parameters, and can be stopped cleanly. Only increase the balance once you've confirmed everything works.
6. Forgetting to Set a Trading Password
KuCoin requires a trading password separate from your login password for API key creation. If you haven't set one, you'll be prompted to. Do this before starting the API key setup.
Security Checklist
Before you finish, verify:
- Withdraw permission is disabled
- Trade permission is enabled
- IP whitelist is set to your bot's server IP
- Passphrase is strong and stored in a password manager
- Secret key is stored securely (not in plain text, not in git)
- You tested the connection with a small balance
- You know how to revoke the key if needed (API Management → Delete)
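The checklist above, together with the whitelist and one-key-per-service advice earlier in the guide, can be run as a repeatable audit; this is an added example, not code from the original guide or from KuCoin. The inventory format, field names and finding codes are hypothetical (a record you keep yourself from the API Management page), and all names and IP addresses are constructed.

```python
import ipaddress

# Hypothetical inventory you maintain yourself from the API Management page;
# all names and IPs below are constructed (documentation address ranges).
INVENTORY = [
    {"name": "SuperKamouBot Trading", "permissions": ["General", "Trade"],
     "ip_whitelist": ["203.0.113.10"], "server_ip": "203.0.113.10",
     "used_by": ["superkamoubot"]},
    {"name": "API1", "permissions": ["General", "Trade", "Withdraw"],
     "ip_whitelist": [], "server_ip": "203.0.113.10",
     "used_by": ["grid-bot", "tax-export"]},
    {"name": "Home test", "permissions": ["General"],
     "ip_whitelist": ["198.51.100.7"], "server_ip": "198.51.100.99",
     "used_by": ["local-bot"]},
]

MESSAGES = {
    "WITHDRAW_ENABLED": "delete this key and recreate it with Withdraw disabled",
    "MISSING_GENERAL": "bot cannot read account data",
    "MISSING_TRADE": "bot cannot place orders",
    "NO_IP_WHITELIST": "a leaked key would work from anywhere",
    "BAD_WHITELIST_ENTRY": "whitelist entry is not a valid IP address",
    "SERVER_IP_NOT_WHITELISTED": "server IP changed or was mistyped; requests will fail",
    "SHARED_KEY": "revoking it cuts off every listed service; issue one key each",
}

def audit_keys(inventory):
    """Return sorted (key name, finding code) pairs; an empty list means all checks pass."""
    findings = set()
    for key in inventory:
        name, perms = key["name"], set(key["permissions"])
        if "Withdraw" in perms:
            findings.add((name, "WITHDRAW_ENABLED"))
        findings.update((name, f"MISSING_{p.upper()}") for p in ("General", "Trade") if p not in perms)
        allowed = set()
        for entry in key["ip_whitelist"]:
            try:
                allowed.add(ipaddress.ip_address(entry.strip()))  # normalise the text form
            except ValueError:
                findings.add((name, "BAD_WHITELIST_ENTRY"))
        if not key["ip_whitelist"]:
            findings.add((name, "NO_IP_WHITELIST"))
        elif ipaddress.ip_address(key["server_ip"]) not in allowed:
            findings.add((name, "SERVER_IP_NOT_WHITELISTED"))
        if len(set(key["used_by"])) > 1:
            findings.add((name, "SHARED_KEY"))
    return sorted(findings)

if __name__ == "__main__":
    for name, code in audit_keys(INVENTORY):
        print(f"{name}: {code} ({MESSAGES[code]})")
```

Set `server_ip` to the value `curl ifconfig.me` returns on the bot's host, so a changed address shows up here before the bot starts failing.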
What to Do If Your Key Is Compromised
If you suspect your API key has been compromised — your bot behaves unexpectedly, you see trades you didn't authorize, or your key was exposed:
- Immediately go to API Management on KuCoin
- Delete the compromised API key
- Check your account for unauthorized trades or withdrawals
- Contact KuCoin support if you see unauthorized activity
- Create a new API key with all security settings applied
- Update your bot with the new key
Speed matters. A compromised key with withdrawals disabled cannot drain your account, but it can place unwanted trades. Deleting the key stops the bleeding immediately.
The Bottom Line
Setting up a KuCoin API key for a trading bot is straightforward, but the security settings are critical. Disable withdrawals. Whitelist your IP. Use a strong passphrase. Store the secret securely. Test with a small balance. These five habits protect your funds regardless of which bot you use.
If you want a bot that takes security seriously, see how SuperKamouBot handles API keys or explore the managed API option where we handle the setup for you.
Disclaimer: This guide is for educational purposes. Always verify current KuCoin interface steps against KuCoin's official documentation, as the UI may change. Never share your API secret with anyone.
Risk Notice: Trading cryptocurrency futures involves substantial risk of loss. Past performance does not guarantee future results. This is not financial advice.
