Secure your BitMEX account by enabling two-factor authentication, using strong passwords with a password manager, and encrypting your hard drive. For API keys, generate one key per tool, apply least-privilege permissions, restrict usage to a single IP via a CIDR block, and store secrets in files with strict permissions or a secret manager.
How should I secure my computing environment?
Account takeovers often exploit how users store API keys. BitMEX recommends the following environment-hardening measures:
- Enable two-factor authentication everywhere (email and exchange accounts). In order of preference: U2F, Yubikeys, TOTP. Do not use SMS authentication.
- Use a strong password on your computer and store credentials in a password manager such as 1Password, KeePass, or LastPass.
- Encrypt your hard drive using BitLocker (Windows), FileVault (macOS), or LUKS/CryptFS (Linux). Encrypt your backups as well.
- Consider installing a hardware firewall with IDS/IPS on your network.
- On macOS, use an outgoing traffic filter such as Little Snitch.
- On public networks, always use a VPN provider.
How should I structure and configure my BitMEX accounts?
Start by using testnet.bitmex.com to explore account security, key configuration, and withdrawal settings without real funds. Key features to test include:
- Address whitelisting: Add addresses to your address book and configure withdrawals to only allow whitelisted wallet addresses. This is especially important for corporates requiring segregation of duties between traders and treasury management.
- Account linking: Corporate users can create a group of accounts with shared ownership, allowing instant fund transfers within the group without on-chain fees. Contact support@bitmex.com for setup.
What are the best practices for writing trading software?
Review the existing API documentation at bitmex.com/api/explorer, the REST API guide, and the WebSocket API guide before building your application.
- Add credential files to .gitignore. If credentials are accidentally pushed to GitHub, delete the API key immediately at bitmex.com/app/apiKeys and check your account history. Define a strict CIDR block to limit potential abuse.
- Write tests and use assertions. Implement independent risk limits that log, alert, or shut down your application if breached. An independent codebase is preferable for risk systems.
- Use Cancel-on-Disconnect. BitMEX supports a Dead Man’s Switch that automatically cancels open orders on crash or disconnection.
How should I set up and secure a trading server?
For the lowest latency connection to BitMEX, start a server in AWS ap-northeast-1 (az4). Co-location is not offered, so being in the same AWS zone is optimal.
- A t3.nano or t3.micro instance suffices for most applications. Monitor CPU credits on burstable instances or enable T3 Unlimited. Larger instances provide better network capacity for high-volume data ingestion.
- Use SSH keys and disable password authentication.
- Install automatic security updates and ufw (uncomplicated firewall), opening only the ports you need.
- Set up email alerts for server events such as SSH login and process restarts. Consider using a command logger and immutable containers.
How do I generate and manage API keys securely?
Generate one API key per automated tool and name each key for easy identification.
- Grant the least permissions possible. Use read-only keys for external audits or portfolio tracking.
- Specify a single IP address followed by /32 in the CIDR field to lock the key to your server.
- If you move servers, regenerate the key with a new CIDR block and name.
- Never share keys between development and production machines.
For storage, save the key and secret in a file on disk with strict permissions, readable only by the user running the software. If using containers, use a volume mount. Avoid environment variables because every dependency, child process, and crash log can expose them. If you must use environment variables, encrypt secrets with an AES key baked into the application. Ideally, use a secret manager like Vault.
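As an added example (not BitMEX code), the Python below enforces the two checks described above: the credentials file is created with mode 0o600 and refused if another user could read it, and the CIDR value is accepted only when it pins the key to a single host (/32, or /128 for IPv6). The file name, the JSON layout and the sample key values are assumptions.

```python
import ipaddress
import json
import os
import stat
import tempfile
from pathlib import Path

def is_single_host_cidr(cidr: str) -> bool:
    """True only for a block covering exactly one address (IPv4 /32 or IPv6 /128)."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    except ValueError:
        return False
    return net.num_addresses == 1

def mode_is_private(mode: int) -> bool:
    """True if no group or other permission bits are set (e.g. 0o600, 0o400)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def write_credentials(path: Path, key: str, secret: str) -> None:
    """Create the file as 0o600 from the first byte; never chmod after a readable write."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump({"key": key, "secret": secret}, f)

def load_credentials(path: Path) -> dict:
    """Refuse to read the key unless the file belongs to us and nobody else can read it."""
    st = path.stat()
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path}: not owned by the running user")
    if not mode_is_private(st.st_mode):
        raise PermissionError(f"{path}: mode {oct(stat.S_IMODE(st.st_mode))} is readable by others")
    creds = json.loads(path.read_text())
    if set(creds) != {"key", "secret"} or not all(creds.values()):
        raise ValueError(f"{path}: expected non-empty 'key' and 'secret'")
    return creds

def demo_round_trip() -> tuple:
    """Constructed example: a 0o600 file loads; the same file made group-readable is refused."""
    path = Path(tempfile.mkdtemp()) / "bitmex.json"  # assumed file name
    write_credentials(path, "EXAMPLE-KEY-ID", "example-secret-not-real")  # constructed values
    loaded = load_credentials(path)["key"]
    path.chmod(0o640)  # simulate a careless chmod; the loader must now refuse
    try:
        load_credentials(path)
        return loaded, False
    except PermissionError:
        return loaded, True
```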
What should I do if I suspect an API key breach?
Contact the BitMEX Support Team immediately. They will lock your account, help secure your funds, and assist with investigation.
In addition:
- Delete or disable any compromised API keys.
- Change your passwords.
- Check your account history.