How to manage API keys on OKX? (Developer settings)

Accessing Developer Settings

1. Log in to your OKX account using verified credentials and two-factor authentication.

2. Navigate to the top-right corner of the interface and click on your profile icon.

3. Select Developer Settings from the dropdown menu.

4. Confirm your identity again if prompted via email or SMS verification.

5. Ensure you are on the official OKX domain to avoid phishing risks during this sensitive operation.

Creating a New API Key

1. In Developer Settings, locate and click the Create API Key button.

2. Assign a descriptive name that reflects its intended use—such as “Spot Trading Bot” or “Futures Monitoring Script”.

3. Choose permissions carefully: read-only, trade, withdraw, or full access—each carries distinct security implications.

4. Bind the key to specific IP addresses if operating from fixed infrastructure; this prevents unauthorized usage from unknown locations.

5. Download the generated API key, secret key, and passphrase immediately—OKX does not store or recover these values.

Securing API Credentials

1. Store API keys outside version control systems; never commit them to GitHub or similar repositories.

2. Use environment variables or secure vault services like HashiCorp Vault or AWS Secrets Manager for runtime injection.

3. Rotate keys regularly—especially after team member departures or suspected exposure incidents.

4. Enable Withdrawal Address Whitelist for any key granted withdrawal privileges.

5. Monitor API activity logs daily through the Developer Settings dashboard to detect anomalies such as unexpected request spikes or unfamiliar IPs.

Revoking Compromised Keys

1. Go to Developer Settings and locate the list of active API keys under the API Key Management section.

2. Identify the compromised key by its name, creation timestamp, or last used time.

3. Click the trash icon next to it and confirm revocation with your password or 2FA code.

4. Immediately invalidate all related application logic that depended on that key.

5. Audit associated wallet addresses and transaction history for signs of unauthorized fund movement.

Frequently Asked Questions

Q: Can I reuse the same passphrase across multiple API keys?A: No. Each API key must have a unique passphrase. Reusing passphrases increases systemic risk—if one is exposed, others become vulnerable.

Q: Why does OKX require IP binding for certain permission levels?A: IP binding restricts API calls to pre-approved network endpoints, reducing attack surface for keys with trade or withdrawal rights.

Q: Is it possible to change permissions after an API key is created?A: No. Permission levels are immutable post-creation. To modify access, revoke the existing key and generate a new one with updated settings.

Q: What happens if I lose my secret key or passphrase?A: OKX cannot retrieve or regenerate lost credentials. You must delete the key and create a replacement—no recovery mechanism exists.