Background
Our October 2022 release of the Bullish exchange allows you to create API keys with withdrawal capabilities. These keys can be used in conjunction with a new set of API endpoints to:
- Retrieve historical transactions associated with a specific withdrawal destination.
- Request a withdrawal to an approved crypto or fiat destination.
- Execute SWIFT and ABA transactions.
Additional detail on these new capabilities can be found in the Bullish API documentation.
Creating custody API keys
For security purposes, custody permissions can only be granted to an API key at the time of key creation. Consequently, pre-existing keys cannot be given custody permissions retroactively. To prevent excess concentration of access, an API key with custody permissions cannot be granted trading permissions and vice versa. Finally, enabling an API key for withdrawals requires the user to set a whitelisted IP address range.
Whitelisting withdrawal addresses
Customers who wish to submit withdrawal requests via API will also be required to whitelist their withdrawal destinations via the Bullish UI. This ensures that in the event of an API key compromise, the bad actor(s) would still need full access to the Bullish platform to move funds outside of the organization. Because Bullish captures each withdrawal destination signature on an internal private blockchain, there is always a persistent and immutable set of details for each individual destination address approval.
You can view, whitelist, and manage a consolidated list of both fiat bank accounts and crypto destination addresses in Account Settings > Bank Accounts and Account Settings > Crypto Accounts, respectively. Should you attempt to make a withdrawal without first signing for the destination, you will be prompted to sign as part of the withdrawal process.
Further detail on the use of custody API endpoints with links to code examples can be found in the Bullish documentation.
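The key-creation rules and destination checks described above can be modelled as follows. This is an added illustration, not Bullish code or its API: the class, function and field names are hypothetical, and the IP range and destination labels are constructed sample values. It shows how a request made with a stolen custody key is still refused unless it comes from the whitelisted range and targets an approved destination.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical model of the rules on this page; not the Bullish API.
@dataclass(frozen=True)  # frozen: permissions are fixed at key creation
class ApiKey:
    key_id: str
    custody: bool = False
    trading: bool = False
    ip_ranges: tuple = ()  # whitelisted CIDR ranges

    def __post_init__(self):
        if self.custody and self.trading:
            raise ValueError("custody and trading permissions are mutually exclusive")
        if self.custody and not self.ip_ranges:
            raise ValueError("custody keys require a whitelisted IP address range")
        for cidr in self.ip_ranges:
            ipaddress.ip_network(cidr)  # rejects malformed ranges at creation


def authorize_withdrawal(key, source_ip, destination, approved_destinations):
    """Return (allowed, reason) for a withdrawal request made with `key`."""
    if not key.custody:
        return False, "key lacks custody permission"
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in ipaddress.ip_network(c) for c in key.ip_ranges):
        return False, "source IP outside whitelisted range"
    # Destinations are approved separately (on this page: via the UI),
    # so holding the key alone is not enough to add a new one.
    if destination not in approved_destinations:
        return False, "destination not whitelisted"
    return True, "ok"


# Constructed sample values (documentation address ranges, made-up labels).
KEY = ApiKey("custody-key-1", custody=True, ip_ranges=("203.0.113.0/24",))
APPROVED = frozenset({"dest-approved"})

if __name__ == "__main__":
    for ip, dest in [("203.0.113.10", "dest-approved"),
                     ("198.51.100.7", "dest-approved"),
                     ("203.0.113.10", "dest-unknown")]:
        print(ip, dest, authorize_withdrawal(KEY, ip, dest, APPROVED))
```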