
IP whitelist & rotation

The server IPs to whitelist on your exchange API key for production-grade security. Includes the rotation policy (we publish new IPs 7 days in advance), the verification flow, and how to detect a stale whitelist that's silently breaking the key.

IP whitelisting locks your exchange API key so it can only be used from a fixed set of IPs. Even if the key + secret leaks, an attacker cannot use it from any other machine. We strongly recommend you add IP whitelisting to every connected key — every supported exchange supports it. This page lists our current production IPs, our rotation policy, and how to verify the whitelist is working end-to-end.

Current server IPs

The canonical list is on the API Connect page → IP whitelist card. We display it there (not in this static doc) because IPs can rotate and the dashboard always has the live list. The card shows:

  • Current production IPs — what to whitelist today.
  • Rotation pending — any IP scheduled to be added or removed.
  • Effective date — when the rotation takes effect.
  • One-tap copy — copy the comma-separated list to paste into the exchange whitelist form.

At time of writing, the production set is a small number of fixed IPs in our primary region; the dashboard is the source of truth.

How to add IPs on Binance

  1. Binance → Account → API Management → click Edit restrictions on the row.
  2. Tick Restrict access to trusted IPs only.
  3. Paste the IPs from our API Connect IP whitelist card (comma-separated).
  4. Save. Pass 2FA.

Binance lets you whitelist up to 30 IPs per key. We're well under that. If you also access the key from your own server / bot, add your IPs alongside ours.

How to add IPs on other supported exchanges

Bybit, OKX, Bitget and KuCoin all expose the same option under their API key settings, usually labelled "IP Restriction" or "IP Whitelist". Paste the same IP set we provide. The flow is otherwise identical.

Verification

After adding the IPs:

  1. Return to our API Connect page.
  2. Click Re-validate on the card.
  3. Outcome should flip to ✅ Connected within seconds.

If validation still fails with IP not whitelisted:

  • Binance whitelist propagation can take 5-10 minutes — wait and retry.
  • Confirm you saved the whitelist edit (the page sometimes asks for 2FA twice).
  • Confirm you pasted the most recent set (we sometimes rotate; check the dashboard).

Our rotation policy

When we need to add or remove a server IP (e.g. provider migration, capacity scale-up), we follow this schedule:

Day  | Action
T-7  | New IP appears on the API Connect dashboard as "Pending — add by T-0". A banner alerts every connected user. We also send a notification email.
T-0  | New IP is live in production. Existing IPs continue to work. The dashboard now shows both old + new as "Current".
T+30 | Old IP is decommissioned. Dashboard removes it. Any key that doesn't have the new IP whitelisted starts failing validation.

That gives you 37 days from announcement to act. Most users never notice — we publish the IP, the dashboard surfaces the banner, the user updates the whitelist in 30 seconds.

Detecting a stale whitelist

If your key is rejected with IP not whitelisted after a rotation:

  • The dashboard's IP whitelist card shows a red diff — which IP is missing.
  • The top toolbar shows a red API dot.
  • A trade alert is pushed (if you have Trade alerts on API disconnected enabled).

Fix — copy the new IP set from the dashboard, paste into Binance whitelist, save, re-validate.

Detecting a leaked key (with whitelist)

If your key is whitelisted to our IPs only, a leaked key cannot be used elsewhere. You can still audit:

  • Binance API Management page shows recent uses of the key — the source IP per request.
  • An unexpected source IP would mean someone bypassed the whitelist (shouldn't be possible). The expected outcome is that the audit shows our IPs only.

If you ever suspect a leak:

  1. Delete the key on Binance immediately.
  2. Re-create with the same permissions.
  3. Update on our API Connect page.
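
An offline version of the stale-whitelist diff and the source-IP audit described above, as an added example (not this service's or any exchange's code). It assumes you paste the dashboard list and the list saved on the key as strings; the function names and sample addresses (documentation ranges) are constructed.

```python
import ipaddress
from datetime import date, timedelta

def parse_ip_list(text):
    """Parse a comma-separated list as pasted into an exchange whitelist form."""
    # ip_address() raises ValueError on a typo, so a bad paste fails loudly.
    return {ipaddress.ip_address(p.strip()) for p in text.split(",") if p.strip()}

def _fmt(ips):
    return sorted(str(ip) for ip in ips)

def audit_whitelist(configured, current, pending="", own=""):
    """Diff the whitelist saved on the key against the published server IPs."""
    have = parse_ip_list(configured)
    cur, pend, mine = (parse_ip_list(s) for s in (current, pending, own))
    return {
        "missing_current": _fmt(cur - have),   # stale: validation can fail from these servers
        "missing_pending": _fmt(pend - have),  # add before the old IP is decommissioned
        "unexpected": _fmt(have - cur - pend - mine),  # entries neither side needs
    }

def rotation_dates(announced):
    """Map the T-7 announcement date to (T-0 go-live, T+30 decommission)."""
    t0 = announced + timedelta(days=7)
    return t0, t0 + timedelta(days=30)

def unexpected_sources(source_ips, allowed):
    """Return source IPs from the key-usage view that are not on the allowlist."""
    ok = parse_ip_list(allowed)
    return [s for s in source_ips if ipaddress.ip_address(s) not in ok]

# Constructed sample values (documentation address ranges, not real server IPs).
CURRENT = "203.0.113.10, 203.0.113.11"
PENDING = "198.51.100.20"
CONFIGURED = "203.0.113.10,203.0.113.11 , 192.0.2.77"

if __name__ == "__main__":
    print(audit_whitelist(CONFIGURED, CURRENT, PENDING))
    print(rotation_dates(date(2024, 1, 1)))
    print(unexpected_sources(["203.0.113.10", "192.0.2.99"], CURRENT))
```

Pass your own server or bot IPs as `own` so they are not reported as unexpected.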

Common pitfalls

  • Forgot to enable the whitelist toggle — adding IPs to the list without ticking "Restrict access to trusted IPs only" leaves the whitelist unused.
  • Used wrong region IPs — if our dashboard shows a comma-separated list, paste it verbatim; don't pick a subset.
  • Server IP changed but no email — make sure the email on your Account is verified — see Verify email.
