Secure crypto bot: why a trade-only key changes everything

The biggest fear when automating crypto is simple: what if the bot runs off with my money? Theta answers that by architecture, not by promise. The bot runs on a trade-only API key — it can read your balance and place buy and sell orders, but it cannot withdraw. Your funds never leave your exchange account.

This is the opposite of custody. You don't transfer crypto to us; we never touch a balance. The worst a leaked key could do is trade inside your own account — never move funds out.

Start free — 30 days, no cardNo automatic charges. Cancel anytime.
⚠️ Crypto involves risk: you may lose part or all of the capital you invest. Theta is not a financial advisor and does not guarantee any return. Only invest what you can afford to lose.

Why trust it

Trade-only key, no withdrawals

The API key reads and trades — but can't withdraw. Your funds never leave your exchange account.

Never sells at a loss

No stop-loss, by design: if price drops, the bot holds and reopens later. You only realize a gain.

Free test mode

Simulate with a virtual balance, no time limit, before risking a single real cent.

Grows on its own, public plan

Half of each profit reinvests, half goes to a vault; the pilot climbs from $100 to $10,000 following a published plan. A rule, not a promise.

What happened in 2022 (and why it matters)

In 2022, a large trading-automation platform had roughly 100,000 user API keys exposed. Many of those keys had withdrawal permission. The result was predictable: anyone with withdrawals enabled was vulnerable to having funds drained.

The lesson isn't "never use bots." It's: never give a bot withdrawal permission. A trade-only key turns a catastrophic leak into a manageable scare — the attacker can't pull anything off the exchange.

How to create a secure API key, step by step

On your exchange (Binance, Bybit or Coinbase), when generating the API key:

  • Enable only Read and Spot Trading. Leave Withdraw UNCHECKED.
  • Turn on IP restriction (IP allowlist) and add only Theta's bot IP: 187.127.30.44.
  • Never share the Secret Key — it's shown once. Keep it only where you'll paste it into Theta.
  • If the exchange offers it, require 2-step confirmation to change key permissions.

Why the IP allowlist changes the game

Even if your key leaks, with an IP allowlist it only works from Theta's server. An attacker on another machine is simply refused by the exchange — the key is useless outside the authorized IP. It's a second lock, independent of the first.

Binance, Bybit and Coinbase even refuse keys with withdrawal permission in third-party API contexts — the ecosystem itself nudges you toward the safe setup.

What we do with your key (and what we watch)

The key you connect is trade-only by obligation: a key with withdrawal permission is refused at signup. The one that gets in is encrypted in the database and only works from our IP — if it leaks, it's a scrap of paper, because from another IP the exchange refuses it. On top of that, an accounting audit runs every dawn and a watchdog checks the server every 5 minutes.

  • A key with withdrawal: refused at signup. Only a trade-only key gets in.
  • Encrypted in the database and locked to our IP — useless outside it.
  • Accounting audit every dawn; watchdog checks the server every 5 min.

Custody vs. non-custody, in one sentence

Custody: you hand your funds to a third party and trust them to give them back. Non-custody (Theta): your funds stay in your exchange account the whole time; the bot only trades inside it. There's no withdraw button in Theta — so there's no custody. You keep control and revoke the key whenever you want, straight on the exchange.

Frequently asked questions

Why should I trust Theta?
We don't ask for trust — we ask for verification. Trade-only key (we refuse a key with withdrawal at signup), real screenshots, published formulas, CSV export, and a backtest that shows the red in plain sight. You check instead of believe.
Can Theta withdraw my money?
No. The API key only has read and trade permission. Without withdrawal permission, it's technically impossible to move funds off your exchange account.
What if Theta's API key leaks?
Since the key is trade-only and restricted to the bot's IP, a leak can't withdraw or trade from another IP. You can also revoke the key on the exchange at any time.
Do I have to set the IP allowlist manually?
It's strongly recommended. When creating the key, add IP 187.127.30.44 to the exchange's IP restriction. That ensures the key only works from Theta's server.
Which exchanges are supported?
Binance, Bybit and Coinbase. All support trade-only keys with IP restriction — and refuse keys with withdrawal permission in third-party API integrations.
Start free — 30 days, no card

No automatic charges. Cancel anytime.

30 days free, no card · then R$ 59/mo (from R$ 97) or R$ 490/yr (from R$ 790) · founder pricing locked until Dec 31, 2026. Outside Brazil: $12/mo (from $19) or $99/yr (from $149). Crypto (USDT): $12 = 1 month, $24 = 3 months, $79 = 1 year.

Theta is automation software; it is not investment advice. Crypto involves risk; past results do not guarantee future results. You pay for the software — your funds stay on your exchange.