Custody permissions and API keys - What you need to know

Background

The Bullish exchange allows you to create API keys with withdrawal capabilities. These keys can be used in conjunction with a new set of API endpoints to: 

  • Retrieve historical transactions associated with a specific withdrawal destination. 
  • Request a withdrawal to an approved digital assets or fiat destination.
  • Execute SWIFT and ABA transactions.

Additional detail on these new capabilities can be found in the Bullish API documentation.

Creating custody API keys

Bullish currently supports ECDSA for custody API keys. For security purposes, custody permissions can only be granted to an API key at the time of key creation. Consequently, pre-existing keys cannot be given custody permissions retroactively. To prevent excess concentration of access, an API key with custody permissions cannot be granted trading permissions and vice versa. Finally, enabling an API key for withdrawals requires the user to set a whitelisted IP address range.

Add Custody API key main pop up.png

Whitelisting withdrawal addresses

Customers who wish to submit withdrawal requests via API will also be required to whitelist their withdrawal destinations via the Bullish UI. This ensures that in the event of an API key compromise, the bad actor(s) would still need full access to the Bullish platform to move funds outside of the organization.

You can view, whitelist, and manage a consolidated list of both fiat banks accounts and digital assets destination addresses in Account Settings > Bank Accounts and Account Settings > Crypto Accounts respectively. Should you attempt to make a withdrawal without first signing for the destination, you will be prompted to sign as part of the withdrawal process.

Further detail on the use of custody API endpoints with links to code examples can be found in the Bullish documentation.

Was this article helpful?
0 out of 0 found this helpful