◈ ⌘ api · Intermediate
Binance API IP Whitelist: Complete Security Guide
Learn how to secure your Binance API key with IP whitelisting. Step-by-step guide with Python code, common mistakes to avoid, and best practices for algo traders.
◈ Contents
- → Why IP Whitelisting Is Non-Negotiable for API Security
- → How to Configure the Binance API Key IP Whitelist
- → Making Authenticated Requests to Binance API with Python
- → Handling IP Restriction Errors Gracefully
- → Whitelist Strategy for Multi-Server and Multi-Bot Setups
- → IP Restrictions Across Exchanges: Binance vs the Rest
- → Frequently Asked Questions
- → Conclusion
Running a trading bot without IP whitelisting on your Binance API key is like leaving your front door open with a sign that reads 'valuable stuff inside.' It is not a question of if someone will try to exploit your key — it is when. The binance api ip whitelist feature restricts your API key to only accept requests from specific IP addresses. Even if your key leaks through a misconfigured repo, a log dump, or a phishing attempt, an attacker cannot use it without originating from one of your approved addresses. This single setting is arguably the most impactful security measure available to algo traders, and it takes about two minutes to configure.
Why IP Whitelisting Is Non-Negotiable for API Security
API keys are powerful. On Binance, a key with spot trading permissions can open positions, cancel orders, and query your full portfolio in milliseconds. If withdrawal permission is also enabled, a leaked key becomes a direct threat to your funds. The attack surface is wider than most traders assume. Environment variables accidentally committed to public GitHub repositories expose keys daily. Log files that capture full HTTP request headers, clipboard history on shared machines, and overly permissive browser extensions have all been documented vectors for API key theft.
Binance allows up to 30 API keys per account. Each key can carry different permissions and a completely independent IP restriction list. A professional setup dedicates one key per strategy or per server, with each key locked to the exact machine running that logic. That way, if one key is compromised, the blast radius is limited to a single bot and a single server — not your entire trading operation.
Never enable 'Withdrawal' permission on keys used by automated bots. Combine IP whitelisting with the minimum required permissions — read-only keys cannot trade, trading keys should never withdraw. Defense in depth beats single-layer security every time.
How to Configure the Binance API Key IP Whitelist
The binance api key ip whitelist configuration lives inside your account's API Management panel. The process is straightforward but a few details trip people up consistently, especially around identifying the correct public IP versus a local network address.
- Log in to Binance and navigate to Profile → API Management
- Click 'Create API' to create a new key, or select an existing key to edit it
- Under 'IP Access Restrictions', select 'Restrict access to trusted IPs only'
- Click 'Add IP' and enter your server's public IP address — not a private 192.168.x.x or 10.x.x.x address
- Repeat for each additional IP you need (up to 30 per key)
- Confirm the change with your 2FA code — Binance requires this for any key modification
To find the public IP of the machine that will be calling the API, SSH into your server and run the command below. This fetches your external IP directly from a lightweight API — no guessing, no confusion with internal network addresses.
# Get the public IP of your current machine
curl -s https://api.ipify.org
# Or with more detail
curl -s https://api.ipify.org?format=jsonIf your bot runs on a home connection with a dynamic IP, your whitelist entry will break every time your ISP rotates your address. The fix: use a VPS with a static IP (DigitalOcean, Hetzner, AWS EC2 with Elastic IP), or route outbound traffic through a VPN service that provides a fixed exit IP. A $5/month VPS is far cheaper than a locked-out bot during a volatile session.
Making Authenticated Requests to Binance API with Python
Binance uses HMAC-SHA256 signatures for authenticated endpoints. Every request to a private endpoint needs a timestamp, a signature computed from your query parameters, and your API key in the request header. The code below handles the signature logic cleanly and can serve as the foundation for any Binance bot.
import hashlib
import hmac
import time
import requests
from urllib.parse import urlencode
API_KEY = "your_api_key_here"
API_SECRET = "your_api_secret_here"
BASE_URL = "https://api.binance.com"
def get_signature(query_string: str) -> str:
return hmac.new(
API_SECRET.encode("utf-8"),
query_string.encode("utf-8"),
hashlib.sha256
).hexdigest()
def get_account_info() -> dict:
endpoint = "/api/v3/account"
params = {"timestamp": int(time.time() * 1000)}
query_string = urlencode(params)
params["signature"] = get_signature(query_string)
headers = {"X-MBX-APIKEY": API_KEY}
response = requests.get(
f"{BASE_URL}{endpoint}",
headers=headers,
params=params,
timeout=10
)
response.raise_for_status()
return response.json()
if __name__ == "__main__":
account = get_account_info()
print(f"Account type: {account['accountType']}")
print(f"Can trade: {account['canTrade']}")
print(f"Can withdraw: {account['canWithdraw']}")
balances = [b for b in account["balances"] if float(b["free"]) > 0]
for b in balances:
print(f" {b['asset']}: {b['free']}")The same signature pattern applies to trading endpoints. Here is an example placing a market buy order, including timestamp management to avoid the -1021 timestamp outside of recvWindow error that catches many traders the first time:
def place_market_order(symbol: str, side: str, quantity: float) -> dict:
"""
side: 'BUY' or 'SELL'
"""
endpoint = "/api/v3/order"
params = {
"symbol": symbol,
"side": side,
"type": "MARKET",
"quantity": quantity,
"timestamp": int(time.time() * 1000),
"recvWindow": 5000 # 5 second tolerance for clock skew
}
query_string = urlencode(params)
params["signature"] = get_signature(query_string)
headers = {"X-MBX-APIKEY": API_KEY}
response = requests.post(
f"{BASE_URL}{endpoint}",
headers=headers,
params=params,
timeout=10
)
data = response.json()
if "code" in data and data["code"] < 0:
raise RuntimeError(f"Order failed — code {data['code']}: {data['msg']}")
return data
# Example: buy 0.001 BTC at market
result = place_market_order("BTCUSDT", "BUY", 0.001)
print(f"Order ID: {result['orderId']}, status: {result['status']}")Handling IP Restriction Errors Gracefully
When your IP is not in the whitelist, Binance returns error code -2015 with an HTTP 403 status. This looks identical to an invalid API key error, which is intentional — Binance does not distinguish between 'wrong key' and 'unauthorized IP' in order to avoid giving attackers useful feedback. Your error handling code needs to catch this case and surface it clearly, otherwise you will spend time hunting a nonexistent key problem when the real issue is a server IP change.
import requests
import logging
logger = logging.getLogger(__name__)
class BinanceIPError(Exception):
"""Raised when the calling IP is not in the API key whitelist."""
pass
class BinanceAPIError(Exception):
def __init__(self, code: int, message: str):
self.code = code
self.message = message
super().__init__(f"Binance error {code}: {message}")
def safe_binance_request(url: str, headers: dict, params: dict, method: str = "GET") -> dict:
try:
if method == "GET":
response = requests.get(url, headers=headers, params=params, timeout=10)
else:
response = requests.post(url, headers=headers, params=params, timeout=10)
data = response.json()
# -2015 = Invalid API-key, IP, or permissions
if response.status_code == 403 or ("code" in data and data["code"] == -2015):
logger.error("IP restriction triggered. Check your binance whitelist address configuration.")
raise BinanceIPError(
"Request blocked: your server IP is not in the Binance API key IP whitelist. "
"Go to API Management and add your current public IP."
)
if "code" in data and data["code"] < 0:
raise BinanceAPIError(data["code"], data["msg"])
return data
except requests.Timeout:
logger.error("Binance request timed out after 10 seconds")
raise
except requests.ConnectionError as e:
logger.error(f"Connection error to Binance API: {e}")
raiseWhitelist Strategy for Multi-Server and Multi-Bot Setups
Once you move beyond a single bot on a single machine, the binance whitelist address strategy matters. Adding every IP to a single key creates a brittle setup where one compromised server exposes all your strategies. The right approach is isolation: one key per logical unit, with the smallest possible IP list attached to each.
| Setup | Key Strategy | IPs per Key |
|---|---|---|
| Single VPS | One key per strategy | 1 IP |
| Primary + Failover VPS | One key, two IPs | 2 IPs |
| Staging + Production | Separate keys per environment | 1 IP each |
| AWS Lambda / Serverless | NAT Gateway with Elastic IP | 1 static IP |
| Home + VPS hybrid | VPS-only; never home IP | 1 IP (VPS) |
For serverless deployments — AWS Lambda, Google Cloud Functions, or similar — your function runs on shared infrastructure with no fixed outbound IP. The correct architecture here is to route all outbound API calls through a NAT Gateway attached to an Elastic IP or a static egress IP service. This gives you a stable address to whitelist without spinning up a dedicated server. Platforms like Bybit and OKX handle this the same way, so the pattern transfers directly if you trade on multiple exchanges.
IP Restrictions Across Exchanges: Binance vs the Rest
Binance is not the only exchange that offers this protection. Understanding how the feature works across platforms helps when you run bots on multiple venues simultaneously. OKX calls it 'IP Allowlist' and supports up to 20 IPs per key. Bybit supports IP restriction per API key as well and also requires 2FA confirmation on any change, similar to Binance. KuCoin implements the feature under 'API Restrictions' with support for IP ranges using CIDR notation — useful if you operate across a small block of addresses in a data center. Gate.io and Bitget both offer per-key IP restriction, though Bitget enforces a shorter list limit. Coinbase Advanced Trade (formerly Coinbase Pro) allows IP allowlisting but applies it at the portfolio level rather than per key.
If you use VoiceOfChain for real-time trading signals, you are likely routing execution across several of these venues simultaneously. In that case, your IP whitelist discipline needs to be consistent — each exchange's API key should be tied to the specific server that processes signals for that exchange. Mixing keys across servers without proper whitelist segmentation is where most multi-exchange bot operators eventually have an incident.
One practical difference: Binance updates the whitelist within a few seconds of saving. OKX and Bybit also apply changes quickly, but KuCoin can take up to a minute to propagate the restriction. Factor this in if you are rotating IPs during a maintenance window — do not assume the new IP is active the moment you click save.
Frequently Asked Questions
What happens if my IP changes and it's not in the Binance API whitelist?
Your bot will receive a -2015 error and all authenticated requests will be blocked immediately. Binance enforces the restriction at the network level — there is no grace period. You will need to log in to the Binance web interface from any allowed IP (or via your account login, which is separate from API access) and add your new IP address before requests will succeed again.
Can I whitelist a range of IPs or use CIDR notation on Binance?
No. Binance currently only supports individual IP addresses — no CIDR blocks or wildcard ranges. Each IP must be entered one at a time, and you can add up to 30 addresses per key. If you need range support, KuCoin's API restriction feature does accept CIDR notation and may fit your infrastructure better.
How many IP addresses can I add to a single Binance API key?
Binance allows up to 30 IP addresses per API key. In practice, most bots operate from one or two servers, so this limit is rarely a constraint. If you are approaching 30 IPs, that is usually a signal that the architecture should be refactored into multiple keys with smaller, purpose-specific IP lists.
Does IP whitelisting fully protect my API key if it gets stolen?
It protects against remote exploitation from unauthorized IPs, which covers the vast majority of attack scenarios. However, an attacker with access to a whitelisted server — for example through a separate vulnerability on your VPS — could still use the key from that machine. IP whitelisting is a strong layer of defense but not a substitute for keeping your server patched, using strong SSH keys, and never storing secrets in plaintext.
Can I check my current API key IP restrictions programmatically?
Not directly — Binance does not expose an API endpoint that returns the configured IP whitelist for a given key. You can verify that your current calling IP is allowed by making a test request to GET /api/v3/account and checking whether you receive a -2015 error. Key management must be done through the Binance web UI or by handling the error response in your code.
Should I set up IP whitelisting on read-only API keys too?
Yes, even read-only keys should be whitelisted. A read-only key exposes your full portfolio balances, open orders, trade history, and account structure — information an attacker can use for targeted phishing or to time attacks against your other accounts. The principle of least privilege applies to the IP list as much as it does to the permission set.
Conclusion
The binance api ip whitelist is one of the highest-leverage security settings available to any algo trader. Two minutes of configuration work dramatically shrinks the window an attacker has to exploit a leaked key. Combine it with the minimum required permissions per key, one key per strategy, and solid error handling in your bot code and you have a layered defense that holds up even when individual components fail. If you rely on real-time signals from platforms like VoiceOfChain to trigger execution, this setup also ensures that your signal-to-order pipeline is hardened at the API layer — not just at the signal source. The same discipline applies whether you run exclusively on Binance or spread execution across Bybit, OKX, and KuCoin simultaneously: lock down every key to the exact machine that uses it, and audit the list every time you change your server infrastructure.