Is It Safe to Give API Keys to a P2P Trading Bot?
A clear security breakdown: what API key permissions a P2P bot actually needs, what it cannot do with them, and how Pilotbot stores and protects your credentials.
Pilotbot Team
Author
On this page
- What API Keys Actually Control
- What a P2P Bot Cannot Do with a Properly Scoped Key
- How to Create a Correctly Scoped Key
- On Binance
- On Bybit
- How Pilotbot Stores Your API Keys
- Additional Security Measures to Consider
- Enable IP Whitelisting on Your API Key
- Use a Dedicated Sub-Account (Optional)
- Rotate Your Keys Periodically
- Monitor API Activity in Exchange Logs
- What Pilotbot Does NOT Do
- Why Some Users Are Still Cautious — and That's Reasonable
- Frequently Asked Questions
Direct answer: Yes — if you configure the API key correctly (ad-management permissions only, no withdrawal access), a P2P bot cannot move your funds. Your money stays in your exchange account. The key can only instruct the exchange to update ad prices, read market data, and check order status.
What API Keys Actually Control
An exchange API key is not a master password. It is a set of scoped permissions. You decide which capabilities the key has when you create it. The exchange enforces these permissions at the server level — no application can exceed the permissions you granted, regardless of what code it runs.
For a P2P bot, you need exactly two permissions:
| Permission | What it does |
|---|---|
| Read | View account info, ad prices, order history, trade pairs |
| P2P Ad Management | Create, update, and pause P2P ads |
That is it. Everything else — spot trading, futures, withdrawals, margin — can and should be left disabled.
What a P2P Bot Cannot Do with a Properly Scoped Key
With only Read + P2P Ad Management enabled, the API key:
- Cannot withdraw funds. Withdrawals require a separate permission (
WithdraworTransfer). If you do not enable it, no software can ever trigger a withdrawal with that key. - Cannot place spot or futures orders. Those require
Spot TradeorFutures Tradepermissions. - Cannot access your balance breakdown beyond what is needed for ad management.
- Cannot change your account settings, email, 2FA, or security configuration.
This is not a policy Pilotbot enforces — it is enforced by Binance and Bybit at the API level. Even if Pilotbot's servers were fully compromised, the API keys could not be used to drain funds.
How to Create a Correctly Scoped Key
On Binance
- Go to Account → API Management → Create API.
- Name it something recognisable, e.g. "Pilotbot P2P".
- Enable: Enable Reading + Enable Spot & Margin Trading is NOT needed — only enable P2P Trading.
- Leave disabled: Withdrawals, Internal Transfers, Universal Transfer.
- Set IP restriction to Pilotbot's server IP if shown in your dashboard (optional but adds another layer).
On Bybit
- Go to Account → API → Create New Key.
- Choose: System-generated API key.
- Permissions: enable P2P (read + order management). Leave everything else off.
- Optional: restrict to specific IP addresses.
How Pilotbot Stores Your API Keys
Pilotbot never stores your API key or secret in plaintext. The storage process:
- In transit: API keys are sent over HTTPS (TLS 1.3). They are never transmitted in plaintext.
- At rest — encryption: Each key is encrypted using AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode) before being written to the database. AES-256 is the same encryption standard used by financial institutions and governments worldwide.
- Key management: The encryption keys are stored separately from the database, using environment-level secrets management. Accessing the database alone does not give you the plaintext API credentials.
- No logging: API keys are never written to application logs. Even in debugging mode, the key is replaced with a masked placeholder (e.g.
•••••YzK).
The result: even if the database were somehow accessed by an unauthorised party, they would see encrypted ciphertext — not your actual API credentials.
Additional Security Measures to Consider
Enable IP Whitelisting on Your API Key
Both Binance and Bybit allow you to restrict an API key to specific IP addresses. If you add Pilotbot's server IP to your whitelist, the key becomes useless to anyone else — even if it were somehow obtained.
To find the server IP to whitelist: check the Exchange Accounts section in your Pilotbot dashboard. The outbound IP is displayed there.
Use a Dedicated Sub-Account (Optional)
Some high-volume merchants create a dedicated sub-account (supported on Binance) specifically for P2P automation. This isolates the bot's activity from your main account and makes it trivial to revoke access without affecting anything else.
Rotate Your Keys Periodically
Best practice is to rotate API keys every 90 days. Generate a new key, update it in Pilotbot's dashboard, and revoke the old one. This limits the exposure window if a key were ever compromised.
Monitor API Activity in Exchange Logs
Both Binance and Bybit provide an API call history log. Periodically reviewing this log lets you confirm that the key is only being used for the operations you expect (ad price updates, market data reads).
What Pilotbot Does NOT Do
To be explicit about the scope:
- Pilotbot does not execute spot trades on your behalf.
- Pilotbot does not move funds between accounts or to external addresses.
- Pilotbot does not store your exchange password — only the API key/secret pair.
- Pilotbot does not share your API credentials with third parties.
- Pilotbot does not access your futures, margin, or lending positions.
The platform's sole function is to update the price on your P2P ads and read market data to determine what that price should be.
Why Some Users Are Still Cautious — and That's Reasonable
Even with all the technical safeguards above, giving any third-party application access to an exchange account involves trust. That is a reasonable position. Here are the questions to ask before connecting any bot:
- Is the key scoped minimally? Only the permissions the bot needs, nothing else.
- Does the platform encrypt keys at rest? Pilotbot uses AES-256-GCM — ask any vendor you evaluate.
- Is there a public security overview? See pilotbot.net/security-overview for our full security posture documentation.
- Can you revoke access instantly? Yes — delete the API key from your exchange at any time. Pilotbot's access is revoked immediately, with no data retention.
Frequently Asked Questions
Can Pilotbot see my full account balance? The Read permission allows Pilotbot to see P2P-related balance information needed for ad management. It cannot see spot, futures, or derivatives positions unless those permissions are also granted (which they should not be).
What if I accidentally grant withdrawal permissions? Immediately revoke the key and create a new one with the correct permissions. Pilotbot's connection to the old key is severed as soon as you delete it on the exchange side.
Does Pilotbot store my key forever? Your key is stored as long as the exchange account is connected in Pilotbot. You can remove it at any time from the Exchange Accounts dashboard — this triggers a deletion of the encrypted credential from our database.
What encryption does Pilotbot use? AES-256-GCM. This is a symmetric authenticated encryption algorithm with a 256-bit key, considered unbreakable with current technology. The same standard is used by banks, governments, and cloud providers for protecting sensitive data.
Is Pilotbot a regulated financial service? Pilotbot is a software tool for managing P2P ad listings. It is not a custodian, exchange, or financial intermediary — it never holds funds. Regulation requirements vary by jurisdiction; consult a local legal expert if needed.
Have more questions? Contact us or read the security overview.
Ready to automate your P2P trading?
Start your 14-day free trial. No credit card required.
Get started free