Custody permissions and API keys - What you need to know

Background

The Bullish exchange allows you to create API keys with withdrawal capabilities. These keys can be used in conjunction with a new set of API endpoints to: 

  • Retrieve historical transactions associated with a specific withdrawal destination. 
  • Request a withdrawal to an approved digital asset or fiat destination.
  • Execute SWIFT and ABA transactions.

Additional detail on these new capabilities can be found in the Bullish API documentation.

Creating custody API keys

Important: Our legacy key type, Bullish Key, will soon be deprecated. Although Bullish will continue to support Bullish Key, note that you will no longer be able to create new Bullish Keys after March 29, 2024. By June 28, 2024, Bullish will completely remove support for any existing Bullish Keys.

As of October 2023, Bullish supports two API key types: standard ECDSA, and Bullish Key, which is an EOSIO-specific ECDSA key. For security purposes, custody permissions can only be granted to an API key at the time of key creation. Consequently, pre-existing keys cannot be given custody permissions retroactively. To prevent excess concentration of access, an API key with custody permissions cannot be granted trading permissions, and vice versa. Finally, enabling an API key for withdrawals requires the user to set a whitelisted IP address range.

[Screenshot: Add Custody API Key pop-up]

Whitelisting withdrawal addresses

Customers who wish to submit withdrawal requests via API will also be required to whitelist their withdrawal destinations via the Bullish UI. This ensures that in the event of an API key compromise, the bad actor(s) would still need full access to the Bullish platform to move funds outside of the organization. Because Bullish captures each withdrawal destination signature on an internal private blockchain, there is always a persistent and immutable set of details for each individual destination address approval.

You can view, whitelist, and manage a consolidated list of both fiat bank accounts and digital asset destination addresses in Account Settings > Bank Accounts and Account Settings > Digital Assets Accounts respectively. Should you attempt to make a withdrawal without first signing for the destination, you will be prompted to sign as part of the withdrawal process.
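
The controls described above (custody and trading kept on separate keys, a required IP address range, and destinations approved in the UI) stack, so a stolen key by itself is not enough to move funds. The following Python model is an added illustration, not Bullish code or the Bullish API; all field names, function names and sample values are assumptions made for this example.

```python
# Hypothetical model of the layered checks; names are assumptions, not the Bullish API.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class ApiKey:
    key_id: str
    permissions: frozenset      # fixed at creation, e.g. {"custody"} or {"trading"}
    ip_allowlist: tuple = ()    # CIDR strings set when the key is created

def validate_new_key(key):
    """Return the list of policy violations for a key at creation time."""
    problems = []
    if {"custody", "trading"} <= key.permissions:
        problems.append("custody and trading cannot be combined")
    if "custody" in key.permissions and not key.ip_allowlist:
        problems.append("custody key requires an IP address range")
    return problems

def authorize_withdrawal(key, source_ip, destination, approved_destinations):
    """Apply each control in turn and return (allowed, reason)."""
    if validate_new_key(key):
        return False, "key violates creation policy"
    if "custody" not in key.permissions:
        return False, "key lacks custody permission"
    addr = ip_address(source_ip)
    if not any(addr in ip_network(cidr) for cidr in key.ip_allowlist):
        return False, "source IP outside allowlisted range"
    if destination not in approved_destinations:
        return False, "destination not approved in the UI"
    return True, "ok"

# Constructed sample data: documentation IP ranges and made-up destination labels.
CUSTODY_KEY = ApiKey("k-custody", frozenset({"custody"}), ("203.0.113.0/24",))
TRADING_KEY = ApiKey("k-trading", frozenset({"trading"}))
APPROVED = {"dest-treasury-wallet"}

if __name__ == "__main__":
    attempts = [
        (CUSTODY_KEY, "203.0.113.10", "dest-treasury-wallet"),  # legitimate use
        (CUSTODY_KEY, "198.51.100.7", "dest-treasury-wallet"),  # key used off-range
        (CUSTODY_KEY, "203.0.113.10", "dest-unknown"),          # unapproved destination
        (TRADING_KEY, "203.0.113.10", "dest-treasury-wallet"),  # wrong key type
    ]
    for key, ip, dest in attempts:
        print(key.key_id, ip, dest, authorize_withdrawal(key, ip, dest, APPROVED))
```
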

Further detail on the use of custody API endpoints with links to code examples can be found in the Bullish documentation.
