Read-only by design: what Chartping can and can’t do
Chartping is read-only by design: it reads your MetaTrader and exchange account state and alerts you — never trading or withdrawing. Here’s how that’s enforced.
Chartping is read-only: it reads your trading-account state — equity, balance, margin, open positions, P/L — and alerts you, and it can’t place a trade, move funds, or see your broker password. That’s not a policy we ask you to take on faith; it’s a property of how the connections work.
Connecting anything to a trading account is a trust decision, and the right instinct is suspicion: what can this thing actually do once it’s in? Here’s the honest, boring answer, connection by connection.
MetaTrader: the agent reads, locally
For MT4/MT5, a small read-only agent runs on your own Windows machine or VPS. It reads what the terminal already knows — equity, balance, margin, open positions, P/L — and sends that to Chartping over an encrypted, device-bound link. It doesn’t transmit your broker password anywhere; that never leaves your machine. There is no order-sending path in the agent at all.
Exchanges: read-only keys, verified where we can
For exchanges and brokers, you paste an API key — and how strictly we can police it depends on what the platform lets us check:
- Where scope is provable (Binance, Bybit, Deribit): Chartping asks the exchange what the key can do and rejects anything that can trade or withdraw — it’s refused at the door and never stored.
- Where it isn’t (OKX, Kraken, KuCoin, Bitget, Coinbase International, Gate.io): no endpoint exists to prove scope, so we don’t pretend to. The key is accepted but flagged with a hard warning — and because Chartping exposes no order or withdrawal path, it still can’t act on it.
- Brokers like OANDA, Alpaca and Tradier: their API has no fund-movement primitive at all, so a token is used strictly read-only — we never call an order or withdrawal endpoint.
- Hyperliquid: there’s no key to hand over at all — it’s watched from your public wallet address, which can only ever be read. The strongest read-only posture of the lot.
Accepted keys are stored encrypted at rest (AES-GCM), and on the exchanges we can verify, a key that later gains trade rights stops the connection. (cTrader support is coming soon.)
The connection can’t be replayed elsewhere
Traffic runs over TLS 1.3, and the agent’s link is bound to its device with an Ed25519 proof-of-possession. In plain terms: a token intercepted in transit can’t be lifted and reused from another machine. Read more in the security model.
What it deliberately can’t do
- Place, modify or close an order — there is no trading path.
- Withdraw or move funds — it never asks for that permission.
- See your broker password — for MetaTrader, it never leaves your PC.
- Give advice or signals — it watches the limits you set ( daily loss, drawdown-from-peak and margin level) and tells you where you stand. It never suggests a value or a strategy.
The honest caveats
Read-only cuts both ways: because Chartping can’t act for you, it can’t save an account on its own — it can only tell you what’s happening; acting is up to you. And it watches on short, repeating snapshots, so alerts are best-effort and can be delayed by connectivity or market conditions. We’re deliberately clear about this, because a monitor you understand is worth more than one you over-trust.
You can also export or erase your data whenever you want. If you want the short version of all of it, the FAQ answers the money question first.
Frequently asked
Can Chartping place or close trades?
No. Chartping is entirely read-only — it never sends an order. It only reads your account state and alerts you.
Does Chartping need withdrawal access?
Never. Chartping exposes no withdrawal path and never calls a withdrawal endpoint. On exchanges where key scope is verifiable (Binance, Bybit, Deribit) a withdrawal-capable key is rejected at connect; elsewhere it’s accepted but hard-flagged — either way it can’t move your funds.
Can Chartping see my broker password?
No. For MetaTrader the agent reads your terminal locally and the password never leaves your machine. For exchanges you paste a read-only API key — Chartping only ever reads, stored encrypted (AES-GCM).