Hyperliquid API key security guide banner

Why API Key Security Matters on Hyperliquid

Hyperliquid's API gives you programmatic access to your trading account — placing orders, checking balances, and managing positions through code rather than clicking through the web interface. This power enables automated trading bots, portfolio trackers, and custom analytics. But with great power comes great responsibility: an exposed API key can give an attacker the same level of access you have.

Unlike centralized exchanges that typically offer read-only API keys or keys with withdrawal restrictions, Hyperliquid's account model is different. Your API key acts as a session token that can authorize trading operations. Understanding how to secure it is essential for every automated trader.

How Hyperliquid API Keys Work

Hyperliquid uses a wallet-based authentication system rather than traditional API key-secret pairs. When you connect your wallet to Hyperliquid, the platform generates a session that allows you to interact with the exchange. For programmatic access, you typically:

  • Generate an agent key from the Hyperliquid interface under API settings
  • Configure the key with specific permissions (trading, withdrawals, etc.)
  • Use the key in your trading bot or automation scripts
  • Bind the key to specific IP addresses for additional security

It is critical to understand that API keys on Hyperliquid can be scoped to specific functions. Always apply the principle of least privilege — give each key only the permissions it absolutely needs.

Step-by-Step: Creating a Secure API Key

Step 1: Navigate to API Settings

Log into app.hyperliquid.xyz and go to the API section in your account settings. You will see options to create new API keys and manage existing ones.

Step 2: Configure Permissions Carefully

When creating a new key, you will be presented with permission options. For a trading bot that only places and cancels orders, enable only trading permissions. Disable withdrawal and transfer permissions unless your bot absolutely needs them. For read-only applications like portfolio trackers, use the minimum permission level.

Step 3: Set IP Whitelisting

If your trading bot runs on a server with a static IP address, enable IP whitelisting. This restricts the API key so it can only be used from that specific IP. Even if the key is leaked, an attacker cannot use it from a different location. If your bot uses cloud infrastructure without static IPs, consider using a VPN or proxy with a fixed IP address.

Step 4: Store the Key Securely

Never hardcode API keys in your source code. Use environment variables, a secrets manager like HashiCorp Vault, or encrypted configuration files. If you use GitHub, ensure your API key is never committed to a repository — even private ones. Use .gitignore and tools like git-secrets to prevent accidental exposure.

Trade on Hyperliquid Securely

Create your Hyperliquid account and set up secure API keys for automated trading. Use referral code HOLYGRAIL for a 4% fee discount on all trades — including those made by your bot.

Join Hyperliquid — HOLYGRAIL

API Key Security Best Practices

  • Rotate keys regularly: Generate new API keys every 30-90 days and deactivate old ones. This limits the window of exposure if a key is compromised without your knowledge.
  • Use separate keys for separate applications: Do not share one API key across your trading bot, portfolio tracker, and analytics dashboard. Compartmentalize so a breach in one system does not affect others.
  • Monitor API usage: Regularly check your API key usage logs on Hyperliquid. Look for requests from unexpected IP addresses, unusual trading patterns, or access at strange hours.
  • Set withdrawal limits: If Hyperliquid supports it, set daily withdrawal limits on API keys that have transfer permissions. This caps potential losses even if a key is compromised.
  • Use hardware-backed key storage: For high-value accounts, store API keys in hardware security modules (HSMs) or cloud KMS services rather than plain environment variables.

What to Do If Your API Key Is Compromised

Time is critical. If you suspect your API key has been exposed:

  1. Immediately deactivate the key from the Hyperliquid API settings page. This is the fastest way to stop unauthorized access.
  2. Check your trade history for any unauthorized trades or withdrawals. Note the exact times and amounts.
  3. Revoke all sessions from your account security settings to force-logout any active sessions.
  4. Generate new keys and update your trading bot configuration.
  5. Audit your systems to determine how the key was leaked — check server logs, GitHub commits, and team access.

Automated Trading Without Compromising Security

The best security setup for automated Hyperliquid trading balances protection with operational needs:

  • Run your bot on a dedicated server with firewall rules that limit outbound connections
  • Use a separate Hyperliquid subaccount for automated trading, funded only with the capital the bot needs
  • Configure alerts in your monitoring system to notify you of large position changes or unusual PnL swings
  • Keep the bulk of your trading capital in a separate, cold-storage wallet and transfer only what is needed to the trading subaccount

Hyperliquid Subaccounts for Added Security

Hyperliquid's subaccount feature is one of the most effective security tools available. Create a dedicated subaccount for each trading bot or strategy. If one bot's API key is compromised, the attacker can only access that subaccount's funds — not your entire portfolio. You can also set per-subaccount leverage limits and position caps as an additional safety net.