An API key is like a house key. You only give access to the rooms needed for the job. Nothing more.
What permissions to enable
To run DCA, an app only needs two things: to see your balance and to place buy and sell orders.
On Binance that means two options:
- Enable Reading: for balances and history.
- Enable Spot & Margin Trading: so buys and sells can fire.
Nothing else is required. If an option looks like more than the app needs, it probably is.
Why no withdrawal permission
Withdrawal permission lets an API key move funds out of your account. A DCA app never needs that.
With withdrawal off, even if someone gets hold of the key, they cannot take your funds. The worst they can do is open or close positions inside your own account. Annoying, not catastrophic.
Rotating and revoking keys
Good practice: rotate the API key every few months, especially if you connect more than one app. If you lose access to an app or stop using it, go into Binance and delete the key right away.
Open API Management. There you see every active key and can remove anything you do not need. The whole thing takes under a minute.
Two small habits that keep the entire setup clean.
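The two permissions and the rotation habit described above can be checked mechanically. The following is an added example, not code from the original page or from Binance: it audits a key's permission record, shaped like the JSON Binance documents for `GET /sapi/v1/account/apiRestrictions`, against that least-privilege list. The field names are assumed from that documented response, the 90-day threshold is one assumed reading of "every few months", and both sample records are constructed.

```python
from datetime import datetime, timezone

# Permissions the page says a DCA app needs (Binance field names, assumed).
ALLOWED = {"enableReading", "enableSpotAndMarginTrading"}
MAX_AGE_DAYS = 90  # assumption: one reading of "every few months"


def audit_key(restrictions, now):
    """Return a list of findings for one key's permission record."""
    findings = []
    # Any enabled permission flag outside the allow-list is excess privilege.
    # Matching on the prefix also catches flags added to the API later.
    for name, value in sorted(restrictions.items()):
        is_permission = name.startswith(("enable", "permits"))
        if is_permission and value is True and name not in ALLOWED:
            findings.append(f"excess permission: {name}")
    # The app cannot run DCA without both allowed permissions.
    for name in sorted(ALLOWED):
        if restrictions.get(name) is not True:
            findings.append(f"missing permission: {name}")
    # createTime is in milliseconds since the Unix epoch.
    created_ms = restrictions.get("createTime")
    if created_ms is not None:
        created = datetime.fromtimestamp(created_ms / 1000, tz=timezone.utc)
        age = (now - created).days
        if age > MAX_AGE_DAYS:
            findings.append(f"rotate: key is {age} days old")
    return findings


def ms(year, month, day):
    """Millisecond timestamp for midnight UTC, used to build sample data."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp() * 1000)


# Constructed sample records, not real account data.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
GOOD_KEY = {"createTime": ms(2024, 4, 15), "enableReading": True,
            "enableSpotAndMarginTrading": True, "enableWithdrawals": False,
            "enableFutures": False, "permitsUniversalTransfer": False}
BAD_KEY = {"createTime": ms(2023, 11, 1), "enableReading": True,
           "enableSpotAndMarginTrading": False, "enableWithdrawals": True,
           "enableFutures": False, "permitsUniversalTransfer": True}

if __name__ == "__main__":
    for label, record in (("good", GOOD_KEY), ("bad", BAD_KEY)):
        print(label, audit_key(record, NOW) or "ok")
```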