SETUP GUIDE

Connect your exchange to Guac

Step-by-step guide to creating API keys, configuring permissions, and connecting your exchange securely. Five minutes from start to first trade.

API keys let Guac trade on your behalf, without ever holding your funds. Understand how they work, set them up correctly, and you're done.

Understanding API keys

An API key is a credential that lets one application talk to another on your behalf. For Guac, that means executing trades in your exchange account, without ever having access to your password or your funds beyond what you explicitly permit.

The four facts you must know

1. Keys come in pairs

Every API key has a public key (the API Key) and a private key (the Secret Key). Together they prove the request really came from you. The Secret Key is the dangerous one: guard it like a password.

2. Permissions are configurable

You decide what actions Guac can perform. We require only Read (to view balances and positions) and Trade (to execute orders). Withdrawal permissions should always be disabled.

3. Guac never sees plain text

Your keys are encrypted with AES-256 before storage, the same encryption standard used by governments and financial institutions worldwide. Even Guac's own engineers cannot read your Secret Keys.

4. You can revoke instantly

From your exchange dashboard, you can revoke any API key in one click. If Guac (or anyone with the key) is doing something you don't authorize, you cut access immediately. No password reset. No support tickets.

Mental model: Think of API keys as a limited-power proxy. You're saying: "This service can look at my account and place trades, but cannot move money out, change my password, or do anything else." You hold the master key. They hold a single-purpose duplicate.
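How an API Key and Secret Key together prove a request came from you, shown as an added example rather than Guac's or any exchange's own code. It assumes an HMAC-SHA256 signature over the query string, the scheme Binance documents for signed requests; the credentials, order fields and 5-second freshness window are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample credentials, not real keys.
API_KEY = "EXAMPLE-API-KEY"  # sent with every request to identify the caller
SECRET_KEY = b"example-secret-key-never-sent-over-the-wire"


def sign_request(params: dict, secret: bytes) -> dict:
    """Client side: append an HMAC-SHA256 signature over the query string."""
    query = urlencode(params)
    sig = hmac.new(secret, query.encode(), hashlib.sha256).hexdigest()
    return {**params, "signature": sig}


def verify_request(signed: dict, secret: bytes, now_ms: int,
                   window_ms: int = 5000) -> bool:
    """Exchange side: recompute the signature and enforce a freshness window."""
    params = {k: v for k, v in signed.items() if k != "signature"}
    expected = hmac.new(secret, urlencode(params).encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected, str(signed.get("signature", ""))):
        return False
    # Reject stale requests so a captured one cannot be replayed later.
    return abs(now_ms - int(params["timestamp"])) <= window_ms


def demo() -> dict:
    now = 1_700_000_000_000  # fixed timestamp keeps the example deterministic
    order = {"symbol": "BTCUSDT", "side": "BUY", "quantity": "0.01",
             "timestamp": now}
    signed = sign_request(order, SECRET_KEY)
    tampered = {**signed, "quantity": "10"}
    return {
        "valid": verify_request(signed, SECRET_KEY, now + 1000),
        "tampered": verify_request(tampered, SECRET_KEY, now + 1000),
        "wrong_secret": verify_request(signed, b"guess", now + 1000),
        "replayed": verify_request(signed, SECRET_KEY, now + 60_000),
    }


if __name__ == "__main__":
    print(demo())
```

The Secret Key never appears in the request itself, only the signature derived from it, which is why anyone who obtains the secret can produce requests the exchange accepts as yours.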

Step-by-step setup

Same flow on every exchange. Should take five minutes.

  1. Log into your exchange account. Make sure 2FA is enabled on your exchange; this is a hard prerequisite for safe API usage.
  2. Navigate to API settings. Look for "API Management," "API Keys," or "Developer Settings", usually under account or security settings.
  3. Create a new API key. Give it a descriptive label like Guac Trading Bot so you can identify it later.
  4. Set permissions. Enable Read and Spot/Margin Trading. Never enable withdrawal permissions. Guac does not need them, and any service that requires them is a red flag.
  5. Set IP restrictions (recommended). For extra security, restrict API access to specific IP addresses. Contact Guac support for our current IP ranges.
  6. Copy both keys. Store them somewhere safe. The Secret Key is typically only shown once. Lose it and you'll need to create a new pair.
  7. Enter keys in Guac. Paste the API Key and Secret Key into Guac's exchange connection page. The connection is tested instantly; you'll know within seconds if everything works.

Before you click create: Triple-check the permissions you've enabled. Withdrawal access is the only one that can lose you funds. Everything else is just access to information or trades. Make withdrawals the line you never cross.
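The permission check from steps 4 and 5, written as an added example and not Guac's own code: it audits a key's permission flags before the key is pasted anywhere. The flag names are an assumption modelled on the booleans Binance reports for a key; other exchanges name them differently, and both snapshots are constructed.

```python
# Constructed permission snapshots; flag names are assumed to follow the
# booleans Binance reports for a key and will differ on other exchanges.
RISKY_KEY = {
    "ipRestrict": False,
    "enableReading": True,
    "enableSpotAndMarginTrading": True,
    "enableWithdrawals": True,
    "enableFutures": True,
}
SCOPED_KEY = {
    "ipRestrict": True,
    "enableReading": True,
    "enableSpotAndMarginTrading": True,
    "enableWithdrawals": False,
    "enableFutures": False,
}

REQUIRED = {"enableReading", "enableSpotAndMarginTrading"}  # Read + Trade
FORBIDDEN = {"enableWithdrawals"}                           # never enable


def audit_key(perms: dict) -> list:
    """Return (severity, message) findings for one key's permission flags."""
    findings = []
    for flag in sorted(FORBIDDEN):
        if perms.get(flag) is True:
            findings.append(("BLOCK", f"{flag} is enabled; recreate the key without it"))
    for flag in sorted(REQUIRED):
        if perms.get(flag) is not True:
            findings.append(("BLOCK", f"{flag} is missing; Read and Trade are both required"))
    if perms.get("ipRestrict") is not True:
        findings.append(("WARN", "no IP allowlist on this key"))
    # Least privilege: anything enabled beyond Read and Trade is unexpected.
    known = REQUIRED | FORBIDDEN | {"ipRestrict"}
    for flag, value in sorted(perms.items()):
        if value is True and flag not in known:
            findings.append(("WARN", f"{flag} is enabled but not needed"))
    return findings


def safe_to_connect(perms: dict) -> bool:
    """A key is acceptable only when no BLOCK finding is present."""
    return all(sev != "BLOCK" for sev, _ in audit_key(perms))


if __name__ == "__main__":
    for name, key in (("risky", RISKY_KEY), ("scoped", SCOPED_KEY)):
        print(name, safe_to_connect(key), audit_key(key))
```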

Exchange-specific notes

Each exchange has quirks worth knowing before you generate keys.

Binance

  • Enable only "Enable Reading" and "Enable Spot & Margin Trading"
  • Consider Restricted Access mode to limit API functionality further
  • Binance.com keys do not work on Binance.US; they are separate platforms

Coinbase Pro

  • Keys must be created in Coinbase Pro, not regular Coinbase
  • Set the Trade permission to "View and Trade" for automated trading
  • Stricter rate limits than most exchanges. Guac handles this transparently

Kraken

  • Uses a Master Key system with granular configurable permissions
  • Required: Query Funds and Create & Modify Orders
  • If you hit connection issues, adjust the Nonce Window in your API settings

KuCoin

  • Permissions can be set per trading pair. Use General and Trade for full functionality
  • Default key expiration is 90 days. Set to "Never" for continuous use

Using sub-accounts

Many exchanges support sub-accounts: separate trading accounts under your main login, with their own balances and API keys. They're a powerful tool for isolating strategies and managing risk.

When sub-accounts make sense

  • Strategy isolation · Run different bots without interaction
  • Risk capping · Cap exposure per strategy at the account level
  • Cleaner accounting · Simpler P&L tracking and tax reporting
  • Permission scoping · Different keys with different access

Trade-offs to know

  • Additional setup overhead
  • Transfers between sub-accounts may take time
  • Some features may be limited on sub-accounts
  • More accounts = more complexity to manage

Pro strategy: Create a dedicated sub-account for Guac funded with a fixed percentage of your total portfolio. This gives you a hard ceiling on Guac's exposure, simpler tax reporting on automated trades, and the ability to evaluate Guac's performance in isolation.

Troubleshooting

| Problem | Fix |
|---|---|
| Invalid API key format | Re-copy the entire key and secret. Check for extra spaces or characters. |
| Insufficient permissions | Enable both Read and Trade. Recreate if needed. |
| IP restrictions | Add Guac's server IPs to your exchange's allowlist. |
| API key expiration | Some exchanges expire keys (90-day default on KuCoin). Create a new pair. |
| 2FA requirements | Some exchanges require 2FA for API key creation. Complete all security steps first. |
| Rate limiting | If you use multiple services on one key, you may hit limits. Use separate keys per service. |
