How to get my API keys from KuCoin

Generate a KuCoin API key with limited permissions, enable 2FA, and store credentials securely to safely automate trading or track your portfolio.

Aug 08, 2025 at 06:50 pm

Understanding API Keys on KuCoin

API keys are essential tools for users who want to interact with KuCoin's trading platform programmatically. These keys allow external applications, trading bots, or personal scripts to access your KuCoin account for actions such as checking balances, placing trades, or retrieving order history. Each API key is a unique identifier that authenticates your requests to KuCoin’s servers. It is crucial to understand that API keys do not grant full account access by default—permissions can be customized to limit what the key can do, such as enabling only trading or disabling withdrawal capabilities.

Before generating an API key, ensure your KuCoin account is secured with two-factor authentication (2FA). This adds an extra layer of protection, especially since API keys can perform sensitive operations. KuCoin supports Google Authenticator, SMS, and other 2FA methods. Without 2FA enabled, you may not be allowed to create API keys, as this is a security requirement imposed by the exchange.

Navigating to the API Management Section

To begin the process of obtaining your API key, log in to your KuCoin account through the official website. Once logged in, locate your profile icon in the top-right corner of the screen. Click on it to reveal a dropdown menu. From this menu, select "API". This will redirect you to the API management dashboard, where all your existing API keys are listed, and where you can create new ones.

If this is your first time accessing this section, the list may be empty. The interface provides options to create a new API key, view active keys, and manage permissions. Make sure you are on the correct account type—KuCoin supports both standard and sub-accounts, and API keys are generated per account. If you're using a sub-account, ensure you're logged into that specific sub-account before proceeding.

Creating a New API Key

On the API management page, click the "Create API" button. A pop-up window will appear, prompting you to configure the new key. You will be asked to enter a name for your API key—this is for your reference and can be something descriptive like "Trading Bot" or "Portfolio Tracker".

Next, you will need to set permission scopes. KuCoin allows you to assign one or more of the following permissions:

• General – Allows viewing of account information and API status.
• Reading – Enables access to balance, order history, and transaction records.
• Trade – Permits placing, modifying, and canceling orders.
• Withdrawal – Grants the ability to withdraw funds from your account.

It is strongly recommended to avoid enabling the withdrawal permission unless absolutely necessary. Most third-party tools and bots only require reading and trade permissions. Enabling withdrawal access increases the risk of fund loss if the API key is compromised.

Completing Security Verification

After selecting the desired permissions, you must complete a security verification step. KuCoin will prompt you to enter your email verification code and 2FA code. Check your registered email inbox for a message from KuCoin containing a six-digit verification code. Enter this code in the designated field.

Then, open your 2FA authentication app (such as Google Authenticator) and input the current six-digit code displayed for your KuCoin account. This dual verification ensures that only the authorized account holder can generate API keys. If either code is incorrect, the process will fail, and you’ll need to retry.

Once both codes are verified successfully, the system will generate your API key and Secret Key. These two components are critical: the API Key is used to identify your application, while the Secret Key is used to sign requests for security. Both will be displayed only once during this process.

Securing and Storing Your API Credentials

After generation, copy both the API Key and Secret Key immediately. KuCoin will not show the Secret Key again for security reasons. If you lose it, you will need to delete the current key and create a new one. Store these credentials in a secure location—preferably encrypted or in a password manager. Never share them or commit them to public code repositories.

It is also advisable to set IP restrictions if your use case allows it. KuCoin lets you whitelist specific IP addresses that are allowed to use the API key. This means that even if someone obtains your credentials, they cannot use them from unauthorized locations. To enable IP restrictions, enter the static IP address you plan to use in the designated field during or after key creation.

You can also label the purpose and environment of the key (e.g., "Production Bot – AWS IP") to keep track of multiple keys. Regularly review your active API keys and revoke any that are no longer in use.

Testing Your API Key

To confirm your API key is working, you can make a simple test request using a tool like cURL or Postman. For example, to retrieve your account balance, use the following endpoint:

GET https://api.kucoin.com/api/v1/accounts

You must include the following headers:

• KC-API-KEY: Your API Key
• KC-API-SIGN: The signature generated using your Secret Key
• KC-API-TIMESTAMP: Current timestamp in milliseconds
• KC-API-PASSPHRASE: The passphrase you set (if any)

The signature is created by encoding the concatenation of timestamp, HTTP method, endpoint, and request body (if any) using HMAC-SHA256 with your Secret Key. This ensures each request is authenticated and tamper-proof.

Frequently Asked Questions

Can I recover my Secret Key if I lose it?

No, KuCoin does not store your Secret Key after creation. If you lose it, you must delete the current API key and generate a new one.

Is it safe to use API keys with third-party trading bots?

It can be safe if you limit permissions and use IP whitelisting. Always verify the legitimacy of the bot or service before providing API access.

How many API keys can I create on KuCoin?

KuCoin allows multiple API keys per account. There is no publicly stated limit, but it’s best to create only what you need and manage them carefully.

What should I do if I suspect my API key has been compromised?

Immediately go to the API management page, locate the suspicious key, and click "Delete". After deletion, create a new key if necessary and update your applications with the new credentials.