◈ ⌘ api · Beginner
What Is a Kraken API Key and How to Use It
Learn what a Kraken API key is, how to create one, set permissions, and connect it to trading bots and platforms like VoiceOfChain.
◈ Contents
If you've ever wanted to automate your trades, connect a portfolio tracker, or plug Kraken into a signal platform like VoiceOfChain, you've run into the concept of an API key. It sounds technical, but the idea is simple: an API key is a credential that lets external software talk to your Kraken account without you typing your password every time. Think of it as a limited-access badge — you decide exactly what the software is allowed to do.
What Is a Kraken API Key?
A Kraken API key is a pair of strings — a public key and a private key — that authenticate requests made to Kraken's REST API. The public key (also called the API key) identifies who is making the request. The private key (also called the API secret) signs the request so Kraken can verify it hasn't been tampered with. Together they replace your username and password in automated workflows.
When you ask 'what is my Kraken API key,' the answer is: it's something you generate yourself inside your Kraken account settings. Kraken doesn't issue a single key per account — you can create multiple keys with different permission sets. One key for a read-only portfolio tracker, another for a trading bot, another for tax software. Each key is independent and can be revoked at any time without affecting the others.
| Permission | What It Allows | Risk Level |
|---|---|---|
| Query Funds | Read balances and open orders | Low |
| Query Open Orders | View active and pending orders | Low |
| Create & Modify Orders | Place, edit, cancel trades | Medium |
| Cancel Orders | Cancel existing orders only | Low-Medium |
| Withdraw Funds | Initiate withdrawals | HIGH — avoid unless required |
| Export Data | Download transaction history | Low |
Never enable 'Withdraw Funds' on an API key unless the software you're using absolutely requires it — and even then, whitelist specific withdrawal addresses inside Kraken's settings first. A compromised trading bot key can place bad trades; a compromised withdrawal key can drain your account.
How to Generate a Kraken API Key
Generating your first API key takes under two minutes. Log into your Kraken account, navigate to Settings → API, and click 'Generate New Key'. You'll give the key a label (something descriptive like 'VoiceOfChain Bot' or 'Tax Tracker'), then check off exactly the permissions this key needs.
- Log in to Kraken and go to Settings → API
- Click 'Add Key' or 'Generate New Key'
- Enter a descriptive label for the key
- Select only the permissions the connecting software needs
- Optionally set an IP whitelist to restrict which servers can use it
- Click 'Generate Key' and immediately copy both the API key and API secret
- Store them in a password manager — Kraken will never show the secret again
Copy your API secret immediately after generation. Kraken shows it once. If you close the page without saving it, you'll need to delete the key and generate a new one.
Authenticating with the Kraken API in Python
Kraken uses HMAC-SHA512 signatures for private endpoints. The signature process is more involved than on platforms like Binance or Bybit, which use simpler HMAC-SHA256 query string signing. Here's a minimal working setup using the official `krakenex` library — the easiest starting point for most traders.
import krakenex
# Initialize the API client
api = krakenex.API()
# Load credentials from a local file (never hardcode keys in scripts)
# The file should contain two lines: your API key, then your API secret
api.load_key('kraken.key')
# Query your account balances (requires 'Query Funds' permission)
response = api.query_private('Balance')
if response.get('error'):
print('API error:', response['error'])
else:
balances = response['result']
for asset, amount in balances.items():
if float(amount) > 0:
print(f'{asset}: {amount}')For traders who prefer not to use a wrapper library, here's how to build and sign a raw request manually. This gives you full control and is necessary when working with endpoints the wrapper doesn't expose.
import urllib.parse
import hashlib
import hmac
import base64
import time
import requests
API_KEY = 'your_api_key_here'
API_SECRET = 'your_api_secret_here'
BASE_URL = 'https://api.kraken.com'
def get_kraken_signature(urlpath, data, secret):
postdata = urllib.parse.urlencode(data)
encoded = (str(data['nonce']) + postdata).encode()
message = urlpath.encode() + hashlib.sha256(encoded).digest()
mac = hmac.new(base64.b64decode(secret), message, hashlib.sha512)
return base64.b64encode(mac.digest()).decode()
def kraken_request(uri_path, data):
data['nonce'] = str(int(1000 * time.time()))
headers = {
'API-Key': API_KEY,
'API-Sign': get_kraken_signature(uri_path, data, API_SECRET)
}
response = requests.post(
BASE_URL + uri_path,
headers=headers,
data=data
)
return response.json()
# Example: fetch open orders
result = kraken_request('/0/private/OpenOrders', {})
if result['error']:
print('Error:', result['error'])
else:
orders = result['result']['open']
print(f'Open orders: {len(orders)}')
for order_id, order in orders.items():
descr = order['descr']
print(f" {order_id}: {descr['order']}")Placing and Managing Orders via API
Reading balances is useful, but the real power comes from placing orders programmatically. This is how trading bots, signal executors, and platforms like VoiceOfChain turn alerts into actual trades on your account. Kraken's `AddOrder` endpoint handles market orders, limit orders, stop-loss orders, and more.
# Place a limit buy order for 0.01 BTC at $60,000
# Requires 'Create & Modify Orders' permission
def place_limit_order(pair, side, volume, price):
"""
pair : trading pair, e.g. 'XBTUSD'
side : 'buy' or 'sell'
volume : amount to trade as string, e.g. '0.01'
price : limit price as string, e.g. '60000'
"""
order_data = {
'pair': pair,
'type': side,
'ordertype': 'limit',
'price': price,
'volume': volume,
# Use 'validate': 'true' to test without actually placing the order
# 'validate': 'true'
}
result = kraken_request('/0/private/AddOrder', order_data)
if result['error']:
print('Order failed:', result['error'])
return None
txid = result['result']['txid']
print(f'Order placed successfully. Transaction ID: {txid}')
return txid
# Buy 0.01 BTC at $60,000
place_limit_order('XBTUSD', 'buy', '0.01', '60000')
# Cancel an order by transaction ID
def cancel_order(txid):
result = kraken_request('/0/private/CancelOrder', {'txid': txid})
if result['error']:
print('Cancel failed:', result['error'])
else:
print('Order cancelled:', result['result'])One important Kraken-specific note: the BTC/USD pair on Kraken is called `XBTUSD`, not `BTCUSDT` like on Binance or Bybit. Similarly, ETH is `XETHZUSD`. Always check Kraken's asset pair list before wiring up a new bot — wrong pair names are one of the most common beginner errors.
Connecting Your Kraken API Key to Signal Platforms
Generating a key is only the first step. The real value comes from connecting it to something that does useful work. VoiceOfChain, for example, delivers real-time trading signals for major crypto pairs — and when you connect your Kraken API key, those signals can trigger actual trades automatically without you staring at charts all day.
Most platforms that support Kraken will ask for two things: your API key (the public identifier) and your API secret (the signing credential). They'll typically store the secret encrypted on their end. When connecting to any third-party platform — whether it's VoiceOfChain, a tax tool like Koinly, or a portfolio tracker — always create a dedicated key with only the minimum permissions that service needs. If it's read-only analytics, give it read-only permissions. If it's executing trades, add order creation. Never give a third party withdrawal permissions unless you have a very specific reason and full trust in the service.
For comparison: on Binance, the API key setup is nearly identical — you generate a key pair under API Management and assign permissions. Bybit and OKX follow the same pattern. Coinbase has a separate API portal. The Kraken flow is straightforward once you've done it on any major exchange.
API Key Security Best Practices
Most API key breaches don't come from Kraken getting hacked — they come from traders storing keys carelessly. A key in a plain text file, committed to a public GitHub repo, or pasted into the wrong chat window can empty an account in minutes. These habits eliminate most of the risk.
- Store keys in environment variables or a secrets manager, never in source code
- Use a .env file locally and add it to .gitignore — never commit it
- Enable IP whitelisting so your key only works from known servers
- Create separate keys for each application — one for VoiceOfChain, one for your bot, one for tax software
- Audit your active keys every few months and delete ones you no longer use
- If you suspect a key has been compromised, revoke it immediately from Settings → API and generate a fresh one
- Never share your API secret in Telegram, Discord, or support tickets — Kraken support will never ask for it
Environment variable pattern for Python: store your keys as KRAKEN_API_KEY and KRAKEN_API_SECRET in a .env file, then load them with python-dotenv. This keeps credentials out of your codebase entirely and makes rotating keys trivial.
Frequently Asked Questions
What is my Kraken API key and where do I find it?
Your Kraken API key is a credential you generate yourself under Settings → API in your Kraken account. You can create multiple keys with different permission sets. If you've already created one, it will be listed there — but the secret is only shown once at creation, so if you've lost it you'll need to delete the old key and generate a new one.
Is it safe to give my Kraken API key to a third-party platform?
It depends on the permissions you assign and the platform's reputation. For read-only tools like portfolio trackers, the risk is low. For trading platforms, create a key with only 'Create & Modify Orders' enabled — no withdrawals. Always use a dedicated key per service so you can revoke one without disrupting others.
What's the difference between the API key and the API secret?
The API key is public — it identifies your account to Kraken, like a username. The API secret is private — it's used to cryptographically sign each request, proving it came from you. Both are required for private endpoints like trading and balance queries; public endpoints like ticker prices need neither.
How many API keys can I create on Kraken?
Kraken allows multiple API keys per account, though there is a practical limit. Most traders never hit it. The best practice is to create one key per application — one for your trading bot, one for a signal platform like VoiceOfChain, one for tax software — so you can revoke any single one without affecting the others.
Why is my Kraken API key returning an 'Invalid key' error?
The most common causes are: the key was typed incorrectly (copy-paste errors happen), the key was deleted or expired, the request is coming from an IP address not on the whitelist, or the key lacks the permission required for the endpoint you're calling. Check the key's permission settings in Settings → API and verify your IP whitelist configuration.
Do I need 2FA enabled to use the Kraken API?
Kraken allows you to add a two-factor password to individual API keys as an extra layer of security. This is optional but recommended for keys with trading permissions. Standard account 2FA (Google Authenticator) applies to web logins, not API requests, so API keys have their own separate security configuration.
Conclusion
A Kraken API key is your programmatic handshake with one of the most established crypto exchanges in the world. Once you understand that it's just a scoped credential — not magic, not dangerous by default — the rest falls into place quickly. Generate it, limit its permissions to what's actually needed, store the secret safely, and connect it to whatever tools add value to your workflow. Whether that's a custom Python bot, a tax reporting service, or a real-time signal platform like VoiceOfChain, the API key is what makes automation possible without ever handing over your login credentials.