Address Book entries can now allow API-initiated withdrawals to skip providing an otpToken
Historically we have required a 2FA code to be present on all API withdrawal requests, which for customers wishing to fully automate withdrawals has required the TOTP secret to be embedded in systems that otherwise would not require it. In order to improve this situation, it is now possible to add an Address Book entry with the checkbox “Skip two-factor authentication” checked.
This will show as Skip2FA “Pending” in the Address Book.
Once created, an email is sent to the user with a unique link to one-time approve the addition of the address.
After approval, the API /user/requestWithdrawal endpoint will no longer require the otpToken to be provided for withdrawals to that address. As usual, the API key must have been created with the withdrawal permission flag set.
It is also possible to add entries to the address book using the API. This can be done in the case of a service provider who wishes to automatically suggest address book entries for a BitMEX customer. Once requested, the email seeking approval is sent by BitMEX to the customer. The external service can query the address book using an API token and check the entries, whether the 2FA flag is set, and whether it has been enabled by the user.
This should allow customers to improve the security of systems making automated withdrawals.
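A fail-closed pre-flight check that an automation service could run over address book entries before calling /user/requestWithdrawal without an otpToken, as an added example that is not BitMEX's code. The entry field names (`address`, `currency`, `skip2FA`, `skip2FAVerified`), the request body fields, the integer amount and the sample entries are assumptions constructed for illustration.

```python
class WithdrawalBlocked(Exception):
    """Raised when a withdrawal must not be sent without an otpToken."""

# Assumed entry fields (not taken from the announcement): "address",
# "currency", "skip2FA" (requested) and "skip2FAVerified" (approved by email).
def skip2fa_state(entry):
    """Classify one entry; a missing or non-boolean flag counts as 'off'."""
    if entry.get("skip2FA") is not True:
        return "off"
    return "approved" if entry.get("skip2FAVerified") is True else "pending"

def build_withdrawal(entries, currency, address, amount):
    """Return a request body for /user/requestWithdrawal with no otpToken,
    or raise WithdrawalBlocked. Matching is exact (no trimming, no case
    folding): a near match is not the address the user approved by email."""
    if type(amount) is not int or amount <= 0:
        raise WithdrawalBlocked("amount must be a positive integer")
    states = [skip2fa_state(e) for e in entries
              if e.get("address") == address and e.get("currency") == currency]
    if "approved" in states:
        return {"currency": currency, "address": address, "amount": amount}
    if "pending" in states:
        raise WithdrawalBlocked("skip-2FA requested but not yet approved by the user")
    raise WithdrawalBlocked("address is not a skip-2FA address book entry")

# Constructed sample address book (placeholder addresses, not real API output).
SAMPLE_BOOK = [
    {"currency": "XBt", "address": "bc1q-example-cold",
     "skip2FA": True, "skip2FAVerified": True},
    {"currency": "XBt", "address": "bc1q-example-new",
     "skip2FA": True, "skip2FAVerified": False},   # shows as "Pending"
    {"currency": "XBt", "address": "bc1q-example-manual", "skip2FA": False},
]

if __name__ == "__main__":
    for addr in ("bc1q-example-cold", "bc1q-example-new", "bc1q-example-other"):
        try:
            print(addr, "->", build_withdrawal(SAMPLE_BOOK, "XBt", addr, 100000))
        except WithdrawalBlocked as why:
            print(addr, "-> blocked:", why)
```

With a gate like this in front of the withdrawal call, the automation host needs only the withdrawal-permission API key and never holds the TOTP secret; anything the gate blocks goes to a manual path.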