You've created a Binance API Key and the system prompts you to set up an IP whitelist. What is it? How do you configure it? What risks come from not setting one?
To use the API feature, first make sure you've signed up for Binance and completed identity verification. API management is in the Binance App or web account settings.
What Is an IP Whitelist?
An IP whitelist is an "allow list." Only IP addresses on this list can use your API Key to send requests. Other IPs cannot make calls even if they have your API Key and Secret Key.
This is the most important line of defense for API security. With an IP whitelist set, even leaked API keys can't be used by attackers.
How to Configure?
Step 1: Find Your IP Address
If your trading bot runs on a cloud server:
- Check the public IP in the server control panel
- Or run on the server: curl ifconfig.me
If you run programs on your local computer:
- Visit whatismyip.com or similar sites to check your public IP
- Note: Home broadband IPs may change
Step 2: Add IP Whitelist on Binance
- Log in to the Binance web version
- Go to "Account Settings" → "API Management"
- Find the API Key you want to configure
- Click "Edit Restrictions" or "Modify"
- In the "IP Access Restriction" area, select "Restrict access only to trusted IPs"
- Enter your IP address
- You can add multiple IPs (one per line or comma-separated)
- Save settings and complete security verification
Step 3: Test
After configuration, test your API calls. If you get a permission error, check if the IP was entered correctly.
Can I Add Multiple IPs?
Yes. If you have multiple servers or use cases, add all needed IPs to the whitelist. Binance typically supports adding multiple IP addresses.
CIDR format is also supported (e.g., 192.168.1.0/24 represents the range 192.168.1.0 to 192.168.1.255). But it's recommended to be as specific as possible — the narrower the range, the more secure.
What If My Home IP Changes?
Many home broadband connections use dynamic IPs that change with each reconnection. Here are several approaches:
Option 1: Don't set an IP whitelist. Lower security, but compensate with other measures — disable withdrawal permissions, regularly rotate API Keys, enable account 2FA.
Option 2: Use a cloud server with a static IP. Deploy your program on a cloud server with a fixed IP. Recommended approach.
Option 3: Request a static IP from your ISP. Some ISPs support assigning static IPs to residential broadband, usually for an extra fee.
Option 4: Manually update the whitelist when your IP changes. Tedious but workable.
Can't Connect After Setting Whitelist?
Common causes:
Wrong IP entered: Verify the whitelist IP matches your actual IP. Your real outbound IP may differ from what you think, especially when using a VPN or proxy.
IP changed: After a dynamic IP change, the old IP becomes invalid. Re-check your current IP and update the whitelist.
IPv4/IPv6 confusion: Distinguish between IPv4 and IPv6 addresses. Most API connections currently use IPv4.
Firewall or proxy: Your network may go through a proxy server, making the actual outbound IP the proxy's IP.
Risks of Not Setting an IP Whitelist
Without an IP whitelist, anyone who obtains your API Key can make calls:
- With read-only permission: Attackers can see your positions and trade history
- With trading permission: Attackers can manipulate your trades, causing direct losses
- With withdrawal permission: Attackers may directly withdraw your assets
An IP whitelist isn't a silver bullet, but it blocks the vast majority of remote attacks.
Cloud Server Security Tips
If you run quantitative programs on cloud servers, beyond API whitelists also consider:
- Server security itself: strong passwords, SSH key login, firewall
- Don't store API keys in plaintext on the server — use environment variables or encrypted storage
- Regularly update server OS and dependencies
- Monitor for abnormal logins and network activity
Summary
IP whitelist configuration takes just a few minutes but significantly improves API security. If you have a server with a static IP, there's no reason not to set it. For dynamic IPs, weigh convenience against security, but at minimum ensure withdrawal permissions are disabled.