Market Cap: $2.2046T 0.15%
Volume(24h): $85.7445B 58.50%
Fear & Greed Index:

29 - Fear

  • Market Cap: $2.2046T 0.15%
  • Volume(24h): $85.7445B 58.50%
  • Fear & Greed Index:
  • Market Cap: $2.2046T 0.15%
Cryptos
Topics
Cryptospedia
News
CryptosTopics
Videos
Top Cryptospedia

Select Language

Select Language

Select Currency

Cryptos
Topics
Cryptospedia
News
CryptosTopics
Videos

How to configure API token expiration in Kraken exchange?

Kraken API密钥无自动过期机制,需手动撤销;权限不可 retroactively 修改,泄露后立即失效,且GitHub泄露会触发自动吊销与邮件告警。(154字符)

Jul 07, 2026 at 06:19 pm

API Token Lifecycle Management on Kraken

1. Kraken does not support configurable token expiration at creation time—tokens remain active until manually revoked or invalidated by security events.

2. Users must navigate to the “API Settings” section under the Security tab in their Kraken account dashboard to view, edit permissions, or revoke tokens.

3. All API keys inherit the permission scope assigned during generation; no retroactive modification of expiration is possible once issued.

4. If a token is compromised, immediate revocation halts all associated access—including trading, withdrawal, and query endpoints—without delay.

5. Kraken enforces mandatory two-factor authentication (2FA) for any API key with withdrawal privileges, and disables such keys automatically if 2FA is disabled on the account.

Token Permission Granularity

1. Each API key is assigned discrete permission flags: Query, Trade, Deposit, Withdraw, Spread, and Cancel.

2. The “Withdraw” permission requires explicit confirmation via email or 2FA each time it is activated—not just at initial setup.

3. Keys with “Trade” enabled can execute orders but cannot retrieve full order history unless “Query” is also granted.

4. “Deposit”-only keys generate unique deposit addresses but cannot initiate withdrawals or access balance data beyond that specific asset.

5. Kraken prohibits combining “Withdraw” and “Cancel” permissions on the same key for high-risk operational separation.

Security Triggers That Invalidate Tokens

1. A password reset automatically invalidates all existing API keys without notification or grace period.

2. Enabling or disabling SMS-based 2FA triggers full token revocation across all active keys.

3. Failed login attempts exceeding five within ten minutes result in temporary suspension of all API endpoints for that account.

4. Geolocation mismatches—such as repeated API calls from IPs outside previously registered countries—trigger automatic key deactivation.

5. Kraken logs every API call with timestamp, IP, user agent, and endpoint; abnormal patterns trigger silent revocation followed by email alert.

Bot Integration Constraints

1. Grid trading bots using Kraken’s REST API must re-authenticate with fresh signatures every 15 minutes due to nonce window enforcement.

2. WebSocket connections require periodic re-subscription every 30 minutes; failure results in dropped feeds without error propagation.

3. Rate limits apply per key—not per IP—and are enforced at 15 requests/second for public endpoints and 20 requests/second for private endpoints.

4. Bots attempting to bypass rate limiting via rotating keys face permanent IP blacklisting after three violations within 24 hours.

5. Kraken rejects any API request containing whitespace in the API-Sign header or malformed base64-encoded payload, returning HTTP 400 without logging.

Frequently Asked Questions

Q: Can I rotate API keys without downtime?Yes—generate a new key with identical permissions while the old one remains active, then revoke the old key after confirming all services use the new credentials.

Q: Does Kraken offer token refresh mechanisms like OAuth2?No—Kraken uses static HMAC-SHA512 signed requests; there is no refresh token flow or session renewal protocol.

Q: What happens if my API key is exposed in a public GitHub repository?Kraken scans public code repositories continuously; exposure triggers immediate revocation and sends an email alert to the account holder.

Q: Are subaccounts supported for isolated API key usage?No—Kraken does not provide subaccount functionality; all API keys operate under the main account’s balance and permissions.

Disclaimer:info@kdj.com

The information provided is not trading advice. kdj.com does not assume any responsibility for any investments made based on the information provided in this article. Cryptocurrencies are highly volatile and it is highly recommended that you invest with caution after thorough research!

If you believe that the content used on this website infringes your copyright, please contact us immediately (info@kdj.com) and we will delete it promptly.

Related knowledge

See all articles

User not found or password invalid

Your input is correct