Meetcrypt
Product · by Abdul Waheed

Read-Only API Keys: How to Connect an Exchange Safely

The single most common hesitation people have before connecting a portfolio tracker is reasonable: “I'm not giving some app my exchange login.” You shouldn't — and with a read-only API key, you don't have to. This guide explains what an API key actually is, why a read-only one is safe to share with a tracker, the permissions to turn off, and how to create one on Binance and Bitget without exposing yourself.

What an API key is (and isn't)

An API key is not your password and not your login. It's a separate credential, a pair of long random strings generated inside your exchange account: a “key” that identifies the credential, and a “secret” the application uses to sign each request so the exchange can tell the request really came from the holder of that credential. It lets an outside application talk to the exchange on a defined, limited basis. You decide what that application is allowed to do when you create the key, and you can revoke it at any time without touching your password or your account access.

Crucially, an API key's powers are scoped by permissions you set. That's the whole safety mechanism, and it's why “connecting an exchange” via API is fundamentally different from handing over your credentials.

Why read-only is safe

API keys generally offer three broad permission groups, each toggled independently when the key is created:

  • Read — view balances, positions, trade history, funding. Look, don't touch.
  • Trade — place and cancel orders.
  • Withdraw / transfer — move funds out or between accounts.

A read-only key has only the first one enabled. An application holding a read-only key can see your data to compute your PnL, but it cannot place a trade, cancel an order, or move a single satoshi, because the exchange itself rejects any such request signed with that key. The safety isn't a promise from the app; it's enforced on the exchange side. Even if the key leaked, the worst anyone could do is read your balances, positions and history. That is a privacy exposure worth revoking the key over, and a reason to rotate it promptly, but they could not take your funds.

That's the right level for a tracker. Tracking is a read activity. Anything asking for trade or withdraw permission to “just track” your portfolio is asking for more than the job requires.

The permissions to turn OFF

When you create the key, make sure these are disabled:

  • Enable Trading / Spot & Futures Trading — off.
  • Enable Withdrawals — off (this is the dangerous one; never enable it for a third-party tool).
  • Enable Internal Transfer / Universal Transfer — off.
  • Enable Margin / Borrow — off unless specifically needed (it isn't, for tracking).

Leave only the read/view permission enabled. After saving, open the key again in API Management and confirm the permission list the exchange displays is exactly what you intended; that list, not the tracker, is what the exchange enforces. Meetcrypt's connection form goes a step further: it validates the key and rejects write-enabled keys by default, so a key that accidentally has trade permission won't connect.
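To make the two mechanisms above concrete (the key/secret pair from the first section, and a tracker-side permission check of the kind Meetcrypt's form performs), here is an added Go example written for this page; it is not Meetcrypt's code. It signs a query the way Binance's REST API requires (HMAC-SHA256 over the query string as sent, hex-encoded, with the key carried in the X-MBX-APIKEY header and the secret never transmitted), then evaluates a GET /sapi/v1/account/apiRestrictions response and refuses any key that has a write capability enabled, warning when IP restriction is off. The JSON field names follow Binance's documented response and should be checked against the current docs before use; the two responses and the secret are constructed, and Bitget's permission model is not covered.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// signQuery reproduces the Binance request-signing scheme: HMAC-SHA256 over the
// exact query string that is sent, hex-encoded, appended as &signature=...
// The public key travels in the X-MBX-APIKEY header; the secret never leaves
// the client, only this signature does. The exchange recomputes it, then
// checks what the key is permitted to do.
func signQuery(secret, query string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(query))
	return hex.EncodeToString(mac.Sum(nil))
}

// restrictions holds the permission flags of a Binance
// GET /sapi/v1/account/apiRestrictions response. Field names follow the
// documented response; verify them against the live docs before relying on them.
type restrictions struct {
	IPRestrict                 bool `json:"ipRestrict"`
	EnableReading              bool `json:"enableReading"`
	EnableSpotAndMarginTrading bool `json:"enableSpotAndMarginTrading"`
	EnableFutures              bool `json:"enableFutures"`
	EnableMargin               bool `json:"enableMargin"`
	EnableWithdrawals          bool `json:"enableWithdrawals"`
	EnableInternalTransfer     bool `json:"enableInternalTransfer"`
	PermitsUniversalTransfer   bool `json:"permitsUniversalTransfer"`
}

// checkReadOnly decides whether a key is acceptable for a tracker: it must be
// able to read and must have every write capability disabled. It returns the
// reasons for rejection (empty means accept) and non-fatal hardening warnings.
func checkReadOnly(raw []byte) (reject, warn []string, err error) {
	var r restrictions
	if uerr := json.Unmarshal(raw, &r); uerr != nil {
		return nil, nil, fmt.Errorf("parse apiRestrictions: %w", uerr)
	}
	if !r.EnableReading {
		reject = append(reject, "reading disabled: key cannot fetch balances or fills")
	}
	writeFlags := []struct {
		on   bool
		name string
	}{
		{r.EnableSpotAndMarginTrading, "spot/margin trading"},
		{r.EnableFutures, "futures trading"},
		{r.EnableMargin, "margin/borrow"},
		{r.EnableWithdrawals, "withdrawals"},
		{r.EnableInternalTransfer, "internal transfer"},
		{r.PermitsUniversalTransfer, "universal transfer"},
	}
	for _, f := range writeFlags {
		if f.on {
			reject = append(reject, f.name+" enabled: key is not read-only")
		}
	}
	if !r.IPRestrict {
		warn = append(warn, "no IP allow-list: a leaked key works from anywhere")
	}
	return reject, warn, nil
}

// Constructed sample responses (not captured from a real account).
const goodKey = `{"ipRestrict":true,"enableReading":true,"enableSpotAndMarginTrading":false,
"enableFutures":false,"enableMargin":false,"enableWithdrawals":false,
"enableInternalTransfer":false,"permitsUniversalTransfer":false}`

const badKey = `{"ipRestrict":false,"enableReading":true,"enableSpotAndMarginTrading":true,
"enableFutures":false,"enableMargin":false,"enableWithdrawals":true,
"enableInternalTransfer":false,"permitsUniversalTransfer":false}`

func main() {
	// Hypothetical secret; the query is what a signed account call would carry.
	query := "recvWindow=5000&timestamp=1700000000000"
	fmt.Println("signed:", query+"&signature="+signQuery("example-secret", query))
	for _, raw := range []string{goodKey, badKey} {
		reject, warn, err := checkReadOnly([]byte(raw))
		if err != nil {
			panic(err)
		}
		fmt.Printf("reject=%v warn=%v\n", reject, warn)
	}
}
```

The exchange still enforces the scope on every call; a check like this only refuses to store a key that is more powerful than the job needs, which is the behaviour the connection form described above should have. Note that on Binance the apiRestrictions endpoint itself requires a signed request, so the signing step is what lets a tracker run the check at all.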

Extra hardening

Two optional steps make a read-only key even safer:

  1. IP allow-listing / restriction. Many exchanges let you bind a key to specific IP addresses. Restricting the key so it only works from the tracker's servers means a leaked key is useless from anywhere else. This requires the tracker to publish fixed egress addresses; use only the ones it documents, and expect to update the allow-list if they change.
  2. Label and review. Name the key clearly (e.g. “Meetcrypt read-only”) so you can recognise it later, and review your API keys periodically — revoking a read-only key is one click and instantly cuts off access.

How to create one (Binance and Bitget)

The exact menu labels shift as exchanges update their UIs, so follow the live, screenshot-backed steps in the API key setup guide rather than memorising a path that might change. The shape is the same on both venues:

  1. Go to API Management in your account settings.
  2. Create a new API key (you'll confirm with 2FA).
  3. Enable read/view only. Leave trading, withdrawals, and transfers disabled.
  4. Optionally restrict the key to the tracker's IP addresses.
  5. Copy the key and secret and paste them into Meetcrypt's connection form.

The secret is shown once at creation. Treat it like a password: paste it straight into the tracker's form rather than keeping a copy in notes, chat or email, and if you lose it, just delete the key and make a new one.

What Meetcrypt does with the key

Once connected, Meetcrypt uses the read-only key purely to pull your data: balances, fills, funding, and transfers, synced on a server-side timer. Every stored credential is encrypted at rest with AES-256-GCM under versioned keys, so encryption keys can be rotated and existing records re-encrypted, and is never logged in plaintext. The product is read-only by design and architecturally cannot trade or withdraw on your behalf — see the security model and features for the full detail.
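As an added illustration of what “AES-256-GCM with versioned keys” means in practice, here is a Go example written for this page; it is not Meetcrypt's implementation, and the blob layout, key-ring structure and rotation flow are assumptions for illustration. Each stored secret is sealed under the current key with a fresh random nonce, the blob is prefixed with the key version it was sealed under, and the record's identity is passed as associated data so a ciphertext copied onto another row fails to authenticate. Rotation adds a new version, old blobs keep decrypting until they are re-sealed, and any tampering or unknown version is rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	versionSize = 2  // big-endian key version prefix
	nonceSize   = 12 // standard GCM nonce
	tagSize     = 16 // GCM authentication tag
)

// keyring holds every AES-256 key still needed to decrypt stored credentials,
// indexed by version. Rotation adds a version and makes it current; an old
// version is removed only once every blob sealed under it has been re-sealed.
type keyring struct {
	current uint16
	keys    map[uint16][]byte
}

func newKeyring(key []byte) *keyring {
	return &keyring{current: 1, keys: map[uint16][]byte{1: key}}
}

// rotate registers a new key as the current version and returns its number.
func (k *keyring) rotate(key []byte) uint16 {
	k.current++
	k.keys[k.current] = key
	return k.current
}

func (k *keyring) aead(version uint16) (cipher.AEAD, error) {
	key, ok := k.keys[version]
	if !ok {
		return nil, fmt.Errorf("unknown key version %d", version)
	}
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts secret under the current key. Blob layout:
// version (2 bytes) || nonce (12) || ciphertext || tag (16).
// aad binds the blob to its owning record (workspace, exchange, key id) so a
// ciphertext moved to another row does not authenticate.
func (k *keyring) seal(secret, aad []byte) ([]byte, error) {
	g, err := k.aead(k.current)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per seal
		return nil, err
	}
	blob := make([]byte, versionSize, versionSize+nonceSize+len(secret)+tagSize)
	binary.BigEndian.PutUint16(blob, k.current)
	blob = append(blob, nonce...)
	return g.Seal(blob, nonce, secret, aad), nil
}

// blobVersion reads the key version a blob was sealed under.
func blobVersion(blob []byte) uint16 { return binary.BigEndian.Uint16(blob[:versionSize]) }

// open authenticates and decrypts a blob with the key version it names.
func (k *keyring) open(blob, aad []byte) ([]byte, error) {
	if len(blob) < versionSize+nonceSize+tagSize {
		return nil, errors.New("blob too short")
	}
	g, err := k.aead(blobVersion(blob))
	if err != nil {
		return nil, err
	}
	nonce, ct := blob[versionSize:versionSize+nonceSize], blob[versionSize+nonceSize:]
	return g.Open(nil, nonce, ct, aad) // fails on any tampering or wrong aad
}

// reseal re-encrypts an old blob under the current key; run it over every
// stored credential after a rotation, then retire the old version.
func (k *keyring) reseal(blob, aad []byte) ([]byte, error) {
	secret, err := k.open(blob, aad)
	if err != nil {
		return nil, err
	}
	return k.seal(secret, aad)
}

func main() {
	k1, k2 := make([]byte, 32), make([]byte, 32)
	rand.Read(k1)
	rand.Read(k2)
	kr := newKeyring(k1)
	aad := []byte("workspace:42|exchange:binance|apikey:7") // constructed record identity
	blob, _ := kr.seal([]byte("hypothetical-api-secret"), aad)
	fmt.Printf("sealed under v%d, %d bytes\n", blobVersion(blob), len(blob))
	kr.rotate(k2)
	blob2, _ := kr.reseal(blob, aad)
	pt, err := kr.open(blob2, aad)
	fmt.Printf("resealed under v%d, decrypts to %d bytes, err=%v\n", blobVersion(blob2), len(pt), err)
}
```

The version prefix is what makes rotation routine rather than a migration: the decrypt path never guesses which key to use, and a blob that names a retired version fails closed. The demo deliberately prints only lengths and versions, never the decrypted secret, matching the “never logged in plaintext” rule above.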

If you've been holding off on tracking your real, consolidated PnL because you didn't want to risk your funds, a read-only key removes the risk that mattered. Create your workspace, generate a read-only key, and connect — your funds never leave your control.

Educational information only — not financial advice.
