Arjia

API Key Encryption

How exchange API keys are encrypted, stored, and managed securely.

When you connect an exchange to Arjia, your API keys are encrypted and stored securely. This page explains how the encryption works and what protections are in place.

Encryption Overview

Arjia uses AES-256 encryption to protect all exchange API keys and secrets. The encryption process:

  1. You enter your API key and secret in the Arjia interface
  2. Keys are immediately encrypted using AES-256 before any storage operation
  3. Only the encrypted ciphertext is stored in the database
  4. Keys are decrypted only at the moment of making API calls to the exchange
  5. Decrypted keys are held in memory only for the duration of the API call
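
The five steps above as an added example in Node.js; this is not Arjia's own code. The page states only AES-256, so the GCM mode, the nonce/tag/ciphertext layout, the metadata binding, and the names `MASTER_KEY`, `sealSecret`, `openSecret`, `withSecret` and `signPayload` are assumptions.

```javascript
const crypto = require("crypto");

// Assumption: a 32-byte master key supplied by a KMS or environment secret.
// Generated here only so the example runs offline.
const MASTER_KEY = crypto.randomBytes(32);

// Steps 2-3: encrypt one credential field before storage. The AAD binds the
// ciphertext to its connection row, so a copy placed in another row fails.
function sealSecret(plaintext, connectionId, exchange, field) {
  const nonce = crypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", MASTER_KEY, nonce);
  cipher.setAAD(Buffer.from(`${connectionId}|${exchange}|${field}`));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // Stored value: nonce || tag || ciphertext, base64 encoded.
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]).toString("base64");
}

// Step 4: decrypt at call time. Throws if ciphertext, tag or AAD do not match.
function openSecret(stored, connectionId, exchange, field) {
  const raw = Buffer.from(stored, "base64");
  const decipher = crypto.createDecipheriv("aes-256-gcm", MASTER_KEY, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(`${connectionId}|${exchange}|${field}`));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
}

// Step 5: hand the plaintext to one callback, then overwrite the buffer.
function withSecret(stored, connectionId, exchange, field, fn) {
  const secret = openSecret(stored, connectionId, exchange, field);
  try {
    return fn(secret);
  } finally {
    secret.fill(0); // best effort: copies made elsewhere are not wiped
  }
}

// Constructed sample row; the secret value is made up.
const row = {
  id: "conn-001",
  exchange: "Bybit",
  api_secret: sealSecret("EXAMPLE-SECRET-not-a-real-key", "conn-001", "Bybit", "api_secret"),
};

// Stand-in for the exchange call: HMAC-sign a payload with the decrypted secret.
function signPayload(payload) {
  return withSecret(row.api_secret, row.id, row.exchange, "api_secret", (s) =>
    crypto.createHmac("sha256", s).update(payload).digest("hex"));
}
```

Using an authenticated mode means a modified or relocated ciphertext is rejected at decryption time instead of yielding a corrupted key.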

Storage Architecture

What Is Stored

  • Encrypted API key ciphertext
  • Encrypted API secret ciphertext
  • Exchange identifier (Bybit, Binance, etc.)
  • Authentication type (HMAC, RSA)
  • Connection metadata (name, creation date, last sync)

What Is NOT Stored

  • Plaintext API keys or secrets
  • Exchange account passwords
  • Seed phrases or private keys
  • 2FA codes

RSA Authentication

For exchanges that support RSA (like Binance), Arjia supports public/private key pair authentication:

  1. Arjia generates or imports an RSA key pair
  2. You register the public key on the exchange
  3. API requests are signed with the private key
  4. The exchange verifies using the registered public key

This is more secure than HMAC because requests can only be signed with the private key, so an intercepted API key alone is not enough to sign them.

Key Rotation

To rotate your API keys:

  1. Create new API keys on your exchange
  2. Update the keys in Arjia (Settings → Exchange Connections → Edit)
  3. The old encrypted keys are replaced with the new encrypted keys
  4. Deactivate the old keys on your exchange

We recommend rotating API keys periodically as a security best practice.

Best Practices

  • Use dedicated keys — Create API keys specifically for Arjia, not shared with other services
  • Minimum permissions — Only enable Read and Trade permissions
  • IP restrictions — Set an IP whitelist on the exchange when possible
  • Regular rotation — Rotate keys every 90 days
  • Monitor usage — Check your exchange's API usage logs for unexpected activity
