How to generate an API key on Gemini?

Generate a secure API key on Gemini by enabling 2FA, setting limited permissions, and using IP whitelisting for enhanced protection.

Aug 07, 2025 at 05:52 am

Understanding API Keys on Gemini

An API key on Gemini is a unique identifier that allows users to interact with the exchange's trading and account management systems programmatically. These keys grant access to specific functionalities such as placing trades, checking balances, or retrieving market data. Each API key is paired with a secret key, which acts as a password to authenticate requests. Gemini implements strict security measures to protect user accounts when using API access. Users must enable two-factor authentication (2FA) before generating an API key, ensuring that only authorized individuals can create or manage these credentials. It is essential to understand that API keys can be restricted based on permissions, such as read-only access or full trading capabilities.

Navigating to the API Settings Page

To begin generating an API key, log in to your Gemini account through the official website. Once logged in, locate the "Settings" option, typically found in the top-right dropdown menu under your profile icon. From the settings menu, select "API". This section is dedicated to managing all API-related configurations. If this is your first time accessing the API panel, you may see a prompt explaining the purpose and risks associated with API usage. Ensure your device is secure and free from malware before proceeding. The API dashboard will display any existing keys and provide the option to create a new one. Click on the "Generate New API Key" button to move forward.

Configuring API Key Permissions

When creating a new API key, Gemini presents a configuration panel where you define the key's access level. You are required to assign one or more permissions:

  • View Balances: Grants read-only access to your account’s funds and holdings.
  • Send Crypto: Allows the key to initiate cryptocurrency withdrawals.
  • Trade: Enables the key to place, modify, and cancel orders on the exchange.
  • Create Deposits: Permits generating deposit addresses.
  • Withdraw Funds: Authorizes fiat and crypto withdrawals.

Select only the permissions necessary for your intended use. For example, if you're connecting Gemini to a portfolio tracker, choose View Balances only. Avoid enabling Send Crypto or Withdraw Funds unless absolutely required. After selecting permissions, you’ll be prompted to enter a label for the key. This label helps identify the key’s purpose, such as "Trading Bot" or "Portfolio Monitor". A descriptive label improves security by making it easier to audit and revoke keys later.

Setting IP Whitelisting for Enhanced Security

Gemini allows users to restrict API key usage to specific IP addresses, a feature known as IP whitelisting. This adds a critical layer of protection by ensuring the key only functions when requests originate from trusted locations. In the API key creation form, locate the "Whitelist IP Addresses" field. Enter the static IP address from which you plan to send API requests. Multiple IPs can be added by separating them with commas. If you're unsure of your public IP, you can search "What is my IP" on any search engine to find it. Leaving this field blank allows the key to work from any IP, which increases convenience but reduces security. For automated trading bots or server-based applications, always use static IPs and enable whitelisting. Confirm that your network does not use dynamic IP assignment, as this could disrupt API functionality.
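A pre-check for the value you intend to paste into the whitelist field, as an added example that is not part of the original article or of Gemini's tooling. It assumes the field takes single addresses separated by commas, as described above; the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# IPv4 ranges that cannot be the public source address of a request.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private LANs
    "100.64.0.0/10",                                   # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, unspecified
)]


def check_allowlist(field):
    """Validate a comma-separated allowlist; return (accepted, problems)."""
    entries = [e.strip() for e in field.split(",")]
    if not any(entries):
        return [], ["empty allowlist: the key would work from any IP"]
    accepted, problems = [], []
    for entry in entries:
        if not entry:
            problems.append("empty entry (stray comma)")
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            # Hostnames and CIDR ranges land here; this check expects addresses.
            problems.append(f"{entry}: not a single IP address")
            continue
        if addr.version == 4 and any(addr in net for net in NON_PUBLIC):
            problems.append(f"{entry}: private/local address, not your public IP")
        elif str(addr) in accepted:
            problems.append(f"{entry}: duplicate")
        else:
            accepted.append(str(addr))
    return accepted, problems


if __name__ == "__main__":
    # Constructed input using documentation addresses (RFC 5737).
    ok, bad = check_allowlist("203.0.113.7, 192.168.1.10, 198.51.100.20,, bot.example.com")
    print("enter:", ",".join(ok))
    for p in bad:
        print("fix:  ", p)
```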

Generating and Securing Your API Key

After configuring permissions and IP restrictions, click the "Generate API Key" button. Gemini will process the request and display the newly created API Key and API Secret. This is the only time both credentials are shown. You must copy and store them immediately in a secure location, such as a password manager or encrypted file. The secret key will not be retrievable if lost. Never share your API secret or store it in plaintext on your device. To verify the key was created successfully, check the API management dashboard. Your new key will appear with its label, creation date, and assigned permissions. You can deactivate or delete the key at any time from this interface. Deactivation instantly blocks all API calls made with that key.

Testing Your API Key Connection

To ensure your API key works correctly, perform a simple test using a command-line tool like cURL or a programming language such as Python. Here’s an example using cURL to fetch your account balance:

  • Open a terminal or command prompt.
  • Use the following command structure (private endpoints such as /v1/balances are called with POST, so the method is set explicitly):
    curl -X POST \
    -H "Content-Type: application/json" \
    -H "X-GEMINI-APIKEY: YOUR_API_KEY" \
    -H "X-GEMINI-PAYLOAD: BASE64_ENCODED_PAYLOAD" \
    -H "X-GEMINI-SIGNATURE: YOUR_SIGNATURE" \
    https://api.gemini.com/v1/balances

    Replace YOUR_API_KEY with the actual key, and BASE64_ENCODED_PAYLOAD and YOUR_SIGNATURE with values computed for this request. The payload must be a JSON object containing the request details and a nonce, then Base64-encoded. The signature is generated by signing the encoded payload with your API secret using HMAC-SHA384. Many developers use libraries like python-gemini to simplify this process.

    A successful response returns a JSON array of your balances. A 403 error indicates authentication failure, often due to an incorrect key, secret, or signature.
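How the payload and signature headers for the cURL command can be computed, as an added example that is not from the original article or from Gemini's own code. The `request` and `nonce` field names and the hex-encoded signature follow Gemini's documented scheme; the millisecond nonce, the environment-variable names and the sample credentials are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import os
import time


def build_headers(api_key, api_secret, request_path, nonce=None, **params):
    """Build the headers for one signed POST to a private endpoint."""
    if nonce is None:
        # Assumption: a millisecond timestamp serves as an increasing nonce.
        nonce = int(time.time() * 1000)
    payload = {"request": request_path, "nonce": nonce, **params}
    # The Base64 text is both what is sent and what is signed.
    b64 = base64.b64encode(json.dumps(payload).encode("utf-8"))
    signature = hmac.new(api_secret.encode("utf-8"), b64, hashlib.sha384).hexdigest()
    return {
        "Content-Type": "application/json",
        "X-GEMINI-APIKEY": api_key,
        "X-GEMINI-PAYLOAD": b64.decode("ascii"),
        "X-GEMINI-SIGNATURE": signature,
    }


def load_credentials(env=os.environ):
    """Read the key pair from the environment rather than from source code.

    GEMINI_API_KEY and GEMINI_API_SECRET are names chosen for this example.
    """
    try:
        return env["GEMINI_API_KEY"], env["GEMINI_API_SECRET"]
    except KeyError as missing:
        raise RuntimeError(f"credential variable {missing} is not set") from None


if __name__ == "__main__":
    # Constructed credentials so the demo runs offline; real ones come
    # from load_credentials() and are never written into the script.
    headers = build_headers("account-CONSTRUCTEDKEY", "constructed-secret",
                            "/v1/balances", nonce=1700000000000)
    for name, value in headers.items():
        # The secret itself never appears in any header, only the signature.
        print(f"{name}: {value}")
```

The secret is used only as the HMAC key and never leaves the machine, so a request captured in transit or in a log exposes the key ID and one signature, not the secret.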

Frequently Asked Questions

Can I regenerate my API secret if I lose it?

No, Gemini does not allow regeneration of the API secret for an existing key. If the secret is lost, you must delete that key and generate a new one with the same permissions. Always store your API secret securely upon creation.

Is it safe to use an API key on a third-party application?

Only if the application is reputable and you’ve limited the key’s permissions. Avoid granting withdrawal or trading rights to unverified platforms. Use read-only keys for monitoring tools and enable IP whitelisting whenever possible.

How many API keys can I create on Gemini?

Gemini does not publish a strict limit on the number of API keys per account. However, maintaining too many keys increases management complexity and security risks. It’s best to create keys only when necessary and label them clearly.

What should I do if I suspect my API key has been compromised?

Immediately log in to your Gemini account, go to the API settings, and deactivate the suspected key. After deactivation, generate a new key if needed. Review your account activity for unauthorized transactions and consider enabling additional security features such as withdrawal address whitelisting.
