API has become a buzz word after the advent of Crypto currency trading. If you are still wondering what it is, you’ve come to the right place. Our team has taken some time to keep it in layman’s terms. We may not promise to explain like all those videos/blog posts with fancy titles “Explain Bla bla like I’m 5 year old” portray but we promise we will keep things simple and intuitive. Here’s our take on the API.
What’s an API?
API stands for Application Programming Interface. Okay! great, what does it do? As the name suggests, it is an interface for applications to interact programmatically. In layman’s terms, it’s a messaging system for two applications to interact.
How does it work?
So, an API is a combination of a couple of phrases which will be shared between the applications to make them interact securely. For instance, to view your information on Facebook, you need to log in. But, an external application can communicate with Facebook using secure phrases (if you provide them) and fetch the information allowed. This is a secure and legal way. Here you are allowing that application to communicate with Facebook to fetch your information by providing it with your secure phrases.
What are these phrases and how are they secure?
These phrases are either 2 or 3 depending on layers of security. They are generally called a key and secret. The additional 3rd phrase could be a passphrase. These are generally alphanumeric and contains 32 – 64 characters. They are keys for your account and generated using cryptographic algorithms. Security is ensured by the algorithm that’s followed by the application to generate those. Read more technical details on this here.
These API keys are created with a certain level of permissions embedded along with them. Whoever is creating them had to mention the permission level an application can get by having these phrases. This will ensure the privacy and security of your data.
Security in the Cryptocurrency world
In our case, we are dealing with API keys created on cryptocurrency exchanges to be shared with third-party applications which provide services around crypto-holdings, their trading, portfolio management, rebalancing etc.,
Each of such applications needs a various level of access. Primarily, there are 3 levels of access permissions provided on exchanges.
- Read or View Only permission
- Write or Trade permission
- Transfer of Funds permission
Read or View only access
Application using API keys with this permission can access your information but can only read it and present it on their platform, or use it to do some calculations or show it to you on a beautiful interface etc., This access is the safest amongst all, because it is only a Read access – though if this API detail falls into wrong hands, they can only see your information but cannot steal your funds or transfer.
Write or Trade access
This access is provided to applications that deal with automated trading, portfolio rebalancing, algorithmic trading, and third-party analyst firms which can execute trades on your behalf using their intelligence. This is much needed to achieve efficiency and embed analytical knowledge processed by a computer to make profits, it’s also important to keep in mind that these API details has the power to place trades on your behalf. In wrong hands, they could be devastating as hackers can place orders against their insane orders and steal away your digital assets. Read more on this kind of attacks.
This is kind of ultimate access, which has its own needs like arbitrage trading and other automated transfer of funds based on smart contracts and other algorithms. Here, in this case, a third party application would need a transfer of funds access along with trading access (not mandatory). Transfer of funds includes both deposit and withdrawal facility from user’s accounts. If the API details with such access get into bad hands, it could lead to permanent loss of funds as the hacker would withdraw your assets. A combination of trading and transfer access hack led to $40MM loss on Binance. More details about that here.
Given the above information, one should be careful about the access granted while creating an API key. One should evaluate the necessity of the API key and level of access that a third-party application needs and then select appropriate privileges. A mistake in granting more privileges than needed would get you into unnecessary troubles.
PS: Tax tools like BearTax would only need to read your transaction history and calculate capital gains or losses based on those numbers. There is absolutely no necessity for such applications to have trade access or transfer access. Thus we ask you to grant READ or VIEW only access while creating an API key.