Skip to content

Permissions and IP whitelist#

Required permissions#

On the Binance API key page, enable:

  • Enable Reading — needed to fetch balances, positions, and order history.
  • Enable Futures — needed to place USDⓈ-M Futures orders.

Leave everything else off. In particular:

  • Do not enable Withdrawals. HookTrader never withdraws and cannot ever ask Binance to.
  • Do not enable Spot & Margin Trading. HookTrader only trades USDⓈ-M perpetuals.
  • Do not enable Universal Transfer. Not used.

If you accidentally enable a permission HookTrader doesn't need, the platform still works — the key is just unnecessarily privileged. Drop the extra permissions when you can.

What HookTrader actually sends#

HookTrader uses only the permissions it declares — it reads balances and positions, submits and cancels futures orders, and monitors fills. It never requests withdrawal or spot/margin access.

IP whitelist#

If you restrict the key by IP, add the public IP of the HookTrader production server. The address is shown on the Exchanges → + Add API key screen so you don't have to look it up.

If the IP whitelist is wrong, you'll see one of:

  • Verify fails on save with the error code -2015 ("Invalid API-key, IP, or permissions for action").
  • Trades start failing later with the same code, after Binance starts rejecting requests from the whitelisted IPs you removed.

Both surface as a notification. See Troubleshooting → Binance error codes.

Whitelisting is optional but recommended for live keys

A leaked key without an IP whitelist can be used from anywhere — even though HookTrader can never withdraw, an attacker could still place loss-making trades against your balance. The cost of whitelisting is essentially zero; do it for live keys.

Verifying after a change#

Whenever you change permissions or the IP whitelist on Binance, use the Verify permissions button on the exchange detail page in HookTrader to re-run the signed test call. You don't need to re-enter the secret.