What Arbitron does with your keys
Arbitron trades through exchange accounts you already own — funds never leave your exchange. To place orders on your behalf, your dedicated trading server needs API keys: credentials issued by each exchange that grant programmatic access to your account. Keys are stored AES-256 encrypted and are decrypted only for your own trading server, never displayed back in the UI.
The permissions principle is non-negotiable: a key needs reading (balances, positions, orders) and futures trading (place and cancel orders) — and nothing else. Never enable withdrawal or internal-transfer permissions. Arbitron has no withdrawal code paths at all, and a trade-only key means that even in the worst case nobody can move your funds with it.
Each key entry also carries two trading parameters. Taker Fee % should be set to your real fee tier on that exchange (VIP level, token discounts) — profit estimates across the platform use this number, so an inaccurate fee skews every signal. Default Leverage, when set, overrides your global leverage preference for cards on that exchange.
Creating a key on the exchange
Each exchange has an API management page — the key form in Arbitron links straight to it. Create a new key, enable read and futures-trading permissions, leave withdrawals off, and paste the key and secret into Arbitron. Give the key a label you will recognize a year from now (e.g. "Bybit main").
Several exchanges add a third credential — a passphrase you define when creating the key: OKX, Bitget, KuCoin, BloFin, BitMart (called "Memo" there), Poloniex and WEEX. It must match exactly what you typed on the exchange; a wrong passphrase is the single most common reason a key test fails.
MEXC is a special case: besides the API key and secret, Arbitron asks for a Web Token (the u_id cookie from your logged-in MEXC browser session). MEXC's public futures API does not expose order placement, so the web token is required for trading. It expires when you log out of that browser session — keep the session alive or refresh the token when the key test starts failing.
IP whitelisting
Your subscription includes a dedicated trading server with its own static IP address, shown at the top of the API Keys page. When the exchange offers IP restriction for API keys (most do), add this IP to the key's whitelist.
Whitelisting is the cheapest security upgrade available: a leaked key becomes useless to an attacker because it only works from your server's address. Some exchanges also require a bound IP before they enable trading permissions at all, or extend key expiry when one is set. Since the IP is yours alone and never changes, you set it once per key.
Connecting DEXes
Three supported venues are decentralized exchanges where authentication works through wallet signatures instead of exchange-issued API keys: Hyperliquid, Aster and Lighter. The form adapts automatically — field labels change to wallet terminology.
Hyperliquid: enter your wallet address plus the private key of an API wallet — a separate trade-only key you generate in the Hyperliquid app. The API wallet can sign orders but can never withdraw funds, so your main wallet's private key is never shared with anyone.
Aster uses EVM EIP-712 signing: you provide your main wallet address, plus a signer wallet address and the signer's private key, created through Aster's Pro API. Trading is authorized by the signer; your main wallet keys stay with you.
Lighter: wallet address, private key and an API Key Index — a numeric slot (3–254) identifying which of the account's API keys to use. Arbitron resolves the rest of the account configuration automatically when you test the key.
Test and troubleshooting
The Test button sends the credentials to your trading server, which performs a real authenticated call against the exchange — the same code path live trading uses. A green check means the exchange accepted the signature and the permissions are sufficient. On Binance, the test additionally detects whether the account runs in Portfolio Margin mode and configures order routing accordingly.
When a test fails, the exchange's own error message is shown. The usual suspects, in order of frequency: a copy-paste typo or trailing space; a wrong or missing passphrase; futures trading not enabled on the key; the key's IP whitelist not yet including your server IP; or a freshly created key that the exchange has not activated yet (wait a minute and retry).
Rotating a key is routine: create the new key on the exchange, update the entry in Arbitron, re-test. If a key dies while cards are running (expired, revoked, whitelist changed), affected cards switch to the Error state and stop trading — you will get a Telegram notification, and the card can be resumed once the key works again.