2026-05-10
How to Create a Funding-Only Bitfinex API Key — 5-Minute Step-by-Step
Complete walkthrough for creating a funding-only API key safely. Why withdraw must NEVER be enabled, which permissions to check, and how safe your key is once given to a bot.
If you want to use a funding bot to automate Bitfinex Funding, the first step is creating an API key for the bot.
Get one checkbox wrong and your entire Bitfinex account becomes vulnerable to being drained.
This post is a step-by-step guide explaining what to check and why.
TL;DR — 5 Critical Decisions
- ✅ Check: Funding > Read
- ✅ Check: Funding > Write
- ❌ Absolutely don’t check: Wallets > Withdraw
- ❌ Don’t check: Account history (optional, bot doesn’t need)
- ⚠️ Restrict IP (advanced, optional)
Why a Funding Bot Only Needs Funding Permissions
Bitfinex’s API permission system allows fine-grained authorization down to feature level. A funding bot does only:
- Read your funding wallet balance (Funding Read)
- Place funding offers on your behalf (Funding Write)
It does NOT need:
- Withdraw (never give this)
- Spot trading (funding bots don’t trade spot)
- Margin (funding bots don’t open leverage)
So a funding bot needs 2 permissions — Funding Read + Funding Write. Anything more just gives attackers more attack surface.
Step 1: Log Into Bitfinex, Go to API Keys
- Open bitfinex.com
- Log in (and confirm 2FA is on)
- Top-right avatar → API Keys → “Create New Key”
Or jump directly to setting.bitfinex.com/api#new-key.
Step 2: Permission Settings — The Critical Part
On the “Create New Key” page you’ll see a wall of permission checkboxes. 99% should be unchecked.
Account section
- ❌ View Account History
- ❌ View Affiliate Code
- ❌ Earn (Bitfinex’s own staking product, unrelated to funding)
Wallets section
- ❌ Get Balance — commonly mis-checked: Funding Read covers what the bot needs
- ❌ Withdraw — NEVER check: giving bot withdraw = bot can transfer your funds out
- ❌ Transfer Between Wallets
Orders section (spot/margin trading, funding bot doesn’t need)
- ❌ View Orders
- ❌ Submit Orders
- ❌ Cancel Orders
Margin section (funding bot doesn’t open leverage)
- ❌ Margin Trading
- ❌ Margin Funding (note! this is “borrow for leverage”, not “lend out funding”)
Funding section — the only ones to check
- ✅ Funding Read (read funding wallet + offer / credit state)
- ✅ Funding Write (place / cancel funding offers on your behalf)
Step 3: Name the Key + IP Restriction (Optional)
Key Label: name it something identifiable like “yieldsforge-funding”. This helps when revoking later.
IP Restriction (advanced): can restrict the key to specific IPs. If using Yieldsforge, our IPs are Railway’s asia-southeast1 region (dynamic, not fixed) — don’t restrict, it’ll break. If running your own server, lock to your IP.
Step 4: Click Create, Copy Key + Secret
After “Create”, Bitfinex shows:
- API Key: a long string
- API Secret: another string (this is shown ONCE — leave the page and it’s gone forever)
Copy immediately to a safe place (password manager / private note). Don’t store on desktop or in email.
Step 5: Paste Key Into Your Bot
If using Yieldsforge:
- Log in to app.yieldsforge.com
- Settings → API Keys
- Paste API Key + Secret
- Click verify — we auto-test permissions
If you accidentally checked withdraw, Yieldsforge will reject the key outright:
❌ Key has 'withdraw' permission. Funding bots must use
funding-only keys. Please re-create with withdraw
permission UNCHECKED.
This is a sanity check, not a bug — we enforce funding-only keys.
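The same idea as a stand-alone audit you can apply to any key before handing it to a bot. This is an added example, not Yieldsforge's code; it goes further than the withdraw check by allowlisting the two funding permissions and rejecting everything else. The row shape `[scope, read, write]`, the scope names, `audit_key` and the sample data are assumptions made for illustration.

```python
# Added example: least-privilege audit of an exchange API key's permissions.
# Assumption: each row is [scope, read_flag, write_flag] with 0/1 flags.
# Scope names and sample rows below are constructed for illustration.

ALLOWED = {("funding", "read"), ("funding", "write")}   # the only two checkboxes
CRITICAL_SCOPES = {"withdraw"}                          # must never be granted


def audit_key(rows):
    """Return (ok, findings). Fails closed on unknown scopes and malformed rows."""
    granted, findings = set(), []
    for row in rows:
        if (not isinstance(row, (list, tuple)) or len(row) != 3
                or not isinstance(row[0], str)
                or any(flag not in (0, 1) for flag in row[1:])):
            findings.append(("critical", f"malformed permission row: {row!r}"))
            continue
        scope, read, write = row[0].lower(), row[1], row[2]
        if read:
            granted.add((scope, "read"))
        if write:
            granted.add((scope, "write"))

    # Anything outside the allowlist is a finding, including scopes we have
    # never heard of: a new permission added by the exchange is not trusted.
    for scope, mode in sorted(granted - ALLOWED):
        level = "critical" if scope in CRITICAL_SCOPES else "excess"
        findings.append((level, f"{scope}:{mode} is granted but not needed"))
    for scope, mode in sorted(ALLOWED - granted):
        findings.append(("missing", f"{scope}:{mode} is required but not granted"))
    return (not findings, findings)


# Constructed sample permission sets (not captured from a real account).
FUNDING_ONLY = [["account", 0, 0], ["orders", 0, 0], ["funding", 1, 1],
                ["wallets", 0, 0], ["withdraw", 0, 0]]
OVERBROAD = [["account", 1, 0], ["orders", 0, 0], ["funding", 1, 0],
             ["wallets", 1, 0], ["withdraw", 0, 1]]

if __name__ == "__main__":
    for name, rows in (("funding-only", FUNDING_ONLY), ("overbroad", OVERBROAD)):
        ok, findings = audit_key(rows)
        print(name, "ACCEPT" if ok else "REJECT")
        for level, msg in findings:
            print(f"  [{level}] {msg}")
```
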
Is Giving the Bot a Key Safe? What Could Go Wrong?
Reasonable concern. Worst case:
- Bot reads your balance with Funding Read → minimal harm, funding book is public anyway
- Bot places strange offers to scam you → only realistic attack vector
  - Example: bot places very-low-rate offer that gets filled by a colluding account
  - Requires malicious bot operator + active manipulation, not anonymous hacker
- Bot CANNOT: withdraw, transfer, spot trade, open leverage — anything that “moves money out” is impossible
So the security question becomes whether you trust the bot operator, not the API key itself (assuming you check permissions correctly).
How to Judge Bot Operator Trustworthiness
- Open source: best — you can audit the code (Yieldsforge publishes backtest methodology now, source code planned 2026 Q3)
- Brand history: Coinlend / Cryptolend running 5+ years without incident is decent (though their fees are bad — see comparison)
- Auditable: dashboard shows every bot action (placed, cancelled, filled) for verification
- Explicitly not custodial: operator emphasizes “I don’t hold funds, can’t withdraw”
How to Revoke
If you want to stop the bot or suspect a key leak:
- Bitfinex backend → API Keys
- Find the labeled key → “Revoke”
- Effective immediately — bot’s next API call gets rejected
Yieldsforge auto-detects key invalidation and pauses + emails you.
Disclosure: I’m the developer of Yieldsforge. Screenshot descriptions based on Bitfinex 2026-05 UI, may change. Educational content, not investment advice.