Secure crypto bot: why a trade-only key changes everything
The biggest fear when automating crypto is simple: what if the bot runs off with my money? Theta answers that by architecture, not by promise. The bot runs on a trade-only API key — it can read your balance and place buy and sell orders, but it cannot withdraw. Your funds never leave your exchange account.
This is the opposite of custody. You don't transfer crypto to us; we never touch a balance. The worst a leaked key could do is trade inside your own account — never move funds out.
Why trust it
The API key reads and trades — but can't withdraw. Your funds never leave your exchange account.
No stop-loss, by design: if price drops, the bot holds and reopens later. You only realize a gain.
Simulate with a virtual balance, no time limit, before risking a single real cent.
Half of each profit reinvests, half goes to a vault; the pilot climbs from $100 to $10,000 following a published plan. A rule, not a promise.
What happened in 2022 (and why it matters)
In 2022, a large trading-automation platform had roughly 100,000 user API keys exposed. Many of those keys had withdrawal permission. The result was predictable: anyone with withdrawals enabled was vulnerable to having funds drained.
The lesson isn't "never use bots." It's: never give a bot withdrawal permission. A trade-only key turns a catastrophic leak into a manageable scare — the attacker can't pull anything off the exchange.
How to create a secure API key, step by step
On your exchange (Binance, Bybit or Coinbase), when generating the API key:
- Enable only Read and Spot Trading. Leave Withdraw UNCHECKED.
- Turn on IP restriction (IP allowlist) and add only Theta's bot IP: 187.127.30.44.
- Never share the Secret Key — it's shown once. Keep it only where you'll paste it into Theta.
- If the exchange offers it, require 2-step confirmation to change key permissions.
Why the IP allowlist changes the game
Even if your key leaks, with an IP allowlist it only works from Theta's server. An attacker on another machine is simply refused by the exchange — the key is useless outside the authorized IP. It's a second lock, independent of the first.
Binance, Bybit and Coinbase even refuse keys with withdrawal permission in third-party API contexts — the ecosystem itself nudges you toward the safe setup.
What we do with your key (and what we watch)
The key you connect is trade-only by obligation: a key with withdrawal permission is refused at signup. The one that gets in is encrypted in the database and only works from our IP — if it leaks, it's a scrap of paper, because from another IP the exchange refuses it. On top of that, an accounting audit runs every dawn and a watchdog checks the server every 5 minutes.
- A key with withdrawal: refused at signup. Only a trade-only key gets in.
- Encrypted in the database and locked to our IP — useless outside it.
- Accounting audit every dawn; watchdog checks the server every 5 min.
Custody vs. non-custody, in one sentence
Custody: you hand your funds to a third party and trust them to give them back. Non-custody (Theta): your funds stay in your exchange account the whole time; the bot only trades inside it. There's no withdraw button in Theta — so there's no custody. You keep control and revoke the key whenever you want, straight on the exchange.
Frequently asked questions
Why should I trust Theta?
Can Theta withdraw my money?
What if Theta's API key leaks?
Do I have to set the IP allowlist manually?
Which exchanges are supported?
No automatic charges. Cancel anytime.
30 days free, no card · then R$ 59/mo (from R$ 97) or R$ 490/yr (from R$ 790) · founder pricing locked until Dec 31, 2026. Outside Brazil: $12/mo (from $19) or $99/yr (from $149). Crypto (USDT): $12 = 1 month, $24 = 3 months, $79 = 1 year.
Theta is automation software; it is not investment advice. Crypto involves risk; past results do not guarantee future results. You pay for the software — your funds stay on your exchange.