Reference
Read-only API-key support, by exchange.
Chartping connects to 13 exchanges and brokers with a read-only API key. How strictly “read-only” can be proven depends on what each platform’s API allows — but in every case Chartping exposes no order or withdrawal path, so it can’t move your funds. Here’s the honest, per-platform breakdown.
| Platform | Read-only scope provable? | Trade/withdrawal key at connect | Order/withdrawal path in Chartping |
|---|---|---|---|
| Binance | Yes — key-permission endpoint | Trade/withdrawal key rejected & never stored; re-checked every poll | None |
| Bybit | Yes — key-permission endpoint | Trade/withdrawal key rejected & never stored; re-checked every poll | None |
| Deribit | Yes — key-permission endpoint | Trade/withdrawal key rejected & never stored; re-checked every poll | None |
| OKX | No — no key-permission endpoint | Accepted but hard-flagged | None |
| Kraken | No — no key-permission endpoint | Accepted but hard-flagged | None |
| KuCoin | No — no key-permission endpoint | Accepted but hard-flagged | None |
| Bitget | No — no key-permission endpoint | Accepted but hard-flagged | None |
| Coinbase International | No — no key-permission endpoint | Accepted but hard-flagged | None |
| Gate.io | No — no key-permission endpoint | Accepted but hard-flagged | None |
| OANDA | N/A — API has no fund-movement primitive | Token used strictly read-only; no order/withdrawal endpoint called | None |
| Alpaca | N/A — API has no fund-movement primitive | Token used strictly read-only; no order/withdrawal endpoint called | None |
| Tradier | N/A — API has no fund-movement primitive | Token used strictly read-only; no order/withdrawal endpoint called | None |
| Hyperliquid | N/A — watched from your public wallet address (no key) | No key to hand over | None |
cTrader support is coming soon. Keys are stored encrypted at rest (AES-GCM); on exchanges we can verify, a key that later gains trade rights stops the connection.
Proven & rejected
Binance, Bybit, Deribit — a trade- or withdrawal-capable key is refused at connect and re-checked every poll.
Accepted, hard-flagged
OKX, Kraken, KuCoin, Bitget, Coinbase International, Gate.io— scope can’t be proven, so the key is accepted but flagged. Chartping still exposes no order or withdrawal path.
Read-only by nature
OANDA, Alpaca, Tradier have no fund-movement API; Hyperliquid needs no key at all — it’s watched from a public wallet address.
Frequently asked
Is a read-only Binance API key safe to give Chartping?+
On Binance, Bybit and Deribit, Chartping asks the exchange what the key can do and rejects any key that can trade or withdraw — it is refused at connect and never stored. Keys are held encrypted at rest (AES-GCM).
What if an exchange can't prove a key is read-only?+
On OKX, Kraken, KuCoin, Bitget, Coinbase International and Gate.io there is no endpoint to prove scope, so the key is accepted but hard-flagged. Chartping still exposes no order or withdrawal path, so it can't act on it either way.
Does Chartping ever have withdrawal access?+
No. Chartping exposes no withdrawal path and never calls a withdrawal endpoint on any platform. Broker tokens (OANDA, Alpaca, Tradier) have no fund-movement API, and Hyperliquid is watched from a public wallet address with no key at all.
More on the model: the security page, read-only by design, or exchange monitoring.
Watch every exchange account, read-only.
Join the waitlist — be among the first to know what's happening across every account you trade.