Security FAQ
Can the bot withdraw my funds?
No. Aegis uses API keys with trading-only permissions. The required permissions are specifically Futures Trading (and for Binance: Spot Trading for some account types). Withdrawal, internal transfer, and bank/fiat withdrawal permissions must be disabled when you add an API key to Aegis.
If an API key has withdrawal permissions enabled, it does not meet the security requirements. See API Keys Overview for the full permission matrix.
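One way to check a key against these requirements before adding it, as an added example that is not Aegis code: it audits a key's permission flags and fails closed when a flag is missing. The field names are assumed to follow Binance's API key restrictions response, the sample records are constructed, and bank/fiat withdrawal is not modelled because the page names no field for it.

```python
# Added example: audit exchange API key permission flags against the
# trading-only policy above. Field names are an assumption based on
# Binance's API key restrictions response; sample data is constructed.

MUST_BE_DISABLED = {
    "enableWithdrawals": "withdrawals",
    "enableInternalTransfer": "internal transfers",
}
MUST_BE_ENABLED = {
    "enableFutures": "futures trading",
}


def audit_key_permissions(restrictions):
    """Return a list of policy violations; an empty list means the key passes."""
    problems = []
    for field, label in MUST_BE_DISABLED.items():
        value = restrictions.get(field)
        if value is not False:
            # Fail closed: only an explicit boolean False counts as disabled.
            state = "enabled" if value is True else "missing or not a boolean"
            problems.append(f"{label} must be disabled ({field} is {state})")
    for field, label in MUST_BE_ENABLED.items():
        if restrictions.get(field) is not True:
            problems.append(f"{label} must be enabled ({field})")
    return problems


# Constructed sample records, not real exchange output.
TRADING_ONLY_KEY = {
    "enableFutures": True,
    "enableSpotAndMarginTrading": True,
    "enableWithdrawals": False,
    "enableInternalTransfer": False,
}
OVER_PRIVILEGED_KEY = dict(TRADING_ONLY_KEY, enableWithdrawals=True)

if __name__ == "__main__":
    for name, record in [("trading-only", TRADING_ONLY_KEY),
                         ("over-privileged", OVER_PRIVILEGED_KEY)]:
        issues = audit_key_permissions(record)
        print(name, "OK" if not issues else issues)
```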
How are my API keys stored?
API keys and secrets are encrypted at rest using AES-256-GCM before being stored in the Aegis database. The encryption key is managed at the infrastructure level and is not accessible from the application layer.
Once submitted through the dashboard, an API key is never shown back in plaintext. There is no “reveal key” function.
Is my private key stored anywhere?
LP wallet and main wallet: No. Aegis never requests, stores, or transmits your LP wallet private key or seed phrase. The LP wallet is connected read-only for on-chain position scanning — Aegis never asks for signing authority over it.
HyperLiquid agent wallet: HyperLiquid’s auth model uses a delegated agent wallet instead of a traditional API key. The agent wallet private key acts as the API secret. When you add a HyperLiquid execution wallet, Aegis stores that agent private key encrypted with AES-256-GCM at rest and never shows it back after saving. The agent wallet has no withdrawal or custody permissions — it can only sign trading orders on your behalf. See HyperLiquid API Key for the full setup.
Binance: Binance uses a conventional API key/secret pair — no private key is involved. Aegis stores only that exchange credential, encrypted at rest.
What happens if my API key is compromised?
If you believe your exchange API key may be compromised:
- Log in to your exchange account immediately
- Revoke or delete the API key from the exchange API key management page
- In Dashboard > Futures Wallets, remove the execution wallet entry that used the compromised key
- Create a new API key with the correct permissions
- Re-add the execution wallet with the new API key
Revoking the key on the exchange stops any further use immediately. After removal from the dashboard, the Aegis bot will no longer attempt to use those credentials.
Does Aegis support two-factor authentication?
For exchange API keys, Aegis does not bypass or interact with your exchange’s own 2FA — API key authentication is handled entirely by the exchange. Enabling 2FA on your exchange account is recommended and does not affect Aegis API key operation.
Who has access to my API keys?
API key data is encrypted with AES-256-GCM at rest. Access to the decryption key is restricted to the Aegis infrastructure. The key is not accessible to dashboard users, including yourself, after submission.