Security
Security & egress IPs
Last updated: July 2026
The IP address to allow-list
All BTCMatic exchange traffic originates from a single static IP address. When you create your trade-only API key on Binance (or another supported exchange), restrict it to exactly this address:
138.201.89.234
- On Binance: API Management → your key → "Restrict access to trusted IPs only" → add
138.201.89.234. - Key validation checks this restriction — a key that is not IP-restricted, or restricted to a different address, is rejected at setup.
- If this address ever has to change, we will notify you well in advance; your key would otherwise stop working.
Why we require it
With the allow-list in place, your API key is useless from anywhere else on the internet. Even if the key leaked, an attacker could not use it — requests from any other IP are refused by the exchange itself.
The rest of the model
- Non-custodial. We never hold funds. Alerts read public chain data; orders run on your own exchange account.
- Trade-only keys, enforced. Keys are accepted only after a live permission probe; any key carrying withdrawal scope is rejected. We cannot withdraw your funds — by construction, not by promise.
- Envelope encryption. Keys are sealed per account with AES-256-GCM data keys wrapped by a hardware KMS, decrypted only inside the isolated order-execution service, and never written to logs.
- Blast-radius isolation. Only the order executor can decrypt keys or reach exchanges; the API, engine and adapters cannot.
- Signed webhooks. Every webhook delivery is signed (HMAC-SHA256) with your endpoint's secret, so your systems can verify it came from us.
- Immutable audit. Every fire, order and key validation is recorded and visible to you, including the full evaluation trace of why a rule fired.
Questions or something to report? security@btcmatic.com — see also our Terms and Risk disclosure.