We’ve created this security checklist to help you ensure you use our service responsibly — and with maximum confidence about your security while trading using the 3Commas software.
How does 3Commas work?
3Commas is non-custodial software. You can use your 3Commas account to trigger and orchestrate actions on your connected exchange accounts, but you cannot withdraw funds either directly from 3Commas or via 3Commas.
How does 3Commas connect to your exchange accounts?
3Commas connects to your exchange accounts using API keys. We offer three important pillars of security around API connections. Depending on the exchange, you can access some or all of these when you trade with us:
Sign Center
Sign Center is secure API key storage, isolated at both the infrastructure and access levels to ensure the security of our systems. When 3Commas makes a trade request with an exchange, 3Commas servers ask the Sign Center to sign the transaction. This protocol is similar to how MetaMask or Ledger signs a transaction.
API Key IP Whitelisting
When you create an API key with your exchange, you can specify an IP whitelist. The IP whitelist restricts the API key to certain IP addresses. You can use this tool to specifically authorize official 3Commas IP addresses and block any others. Your created API key can’t be added to any other account on 3Commas, which means it cannot be used to initiate trades with your exchange account if the request doesn’t come from your 3Commas account.
Fast Connect
Exchanges that are focusing on better serving traders are beginning to offer Fast Connect. Fast Connect can help users quickly authorize specific account permissions, create API keys, and automatically connect to third-party API link services.
Fast Connect allows you to log in to your exchange account via the quick connect function on 3Commas software. It can automatically generate API keys and bind to our service, so you can start using 3Commas’ services without manually creating API keys.
Transactional access only
You may ask: "Can my funds disappear or be withdrawn?"
Here is the answer. The 3Commas system tells your exchange to start and close deals. It has zero access to withdraw or transfer fiat or cryptocurrencies. Your login information for your exchange is never revealed to our system. No backdoor or cache can be exploited because the API deliberately does not have the functionality to request any of your personal information from the exchange. So no, from the 3Commas side the funds cannot be withdrawn or transferred outside of your exchange.
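The three controls described above (an isolated signer, an IP whitelist on the key, and trade-only permissions) can be modelled together in a short script. This is an added illustration, not 3Commas or exchange code: the class names, the HMAC-SHA256 signing scheme, and every key, IP address and order field are assumptions constructed for the example.

```python
import hashlib
import hmac
import ipaddress

class SignCenter:
    """Isolated signer (hypothetical model): callers get signatures, never the secret."""
    def __init__(self, secrets):
        self._secrets = dict(secrets)  # api_key -> secret bytes, kept inside the signer

    def sign(self, api_key, payload):
        return hmac.new(self._secrets[api_key], payload.encode(), hashlib.sha256).hexdigest()

class Exchange:
    """Constructed exchange model: each key has a secret, permissions and an IP allowlist."""
    def __init__(self):
        self._keys = {}

    def create_key(self, api_key, secret, permissions, allowed_ips):
        nets = [ipaddress.ip_network(n) for n in allowed_ips]
        self._keys[api_key] = (secret, set(permissions), nets)

    def handle(self, api_key, action, payload, signature, source_ip):
        secret, permissions, nets = self._keys[api_key]
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):  # constant-time comparison
            return "rejected: bad signature"
        if not any(ipaddress.ip_address(source_ip) in n for n in nets):
            return "rejected: source IP not on allowlist"
        if action not in permissions:
            return "rejected: key lacks '%s' permission" % action
        return "accepted: " + action

def demo():
    # All values are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    key, secret = "demo-key", b"constructed-demo-secret"
    signer = SignCenter({key: secret})
    exchange = Exchange()
    exchange.create_key(key, secret, {"trade"}, ["203.0.113.10/32"])  # trade-only, one IP
    order, withdrawal = "symbol=BTCUSDT&side=BUY&quantity=0.01", "asset=BTC&amount=1"
    sig = signer.sign(key, order)
    return [
        exchange.handle(key, "trade", order, sig, "203.0.113.10"),   # allowlisted IP
        exchange.handle(key, "trade", order, sig, "198.51.100.7"),   # valid signature, other IP
        exchange.handle(key, "withdraw", withdrawal, signer.sign(key, withdrawal), "203.0.113.10"),
        exchange.handle(key, "trade", order + "&quantity=9", sig, "203.0.113.10"),  # altered payload
    ]

if __name__ == "__main__":
    print("\n".join(demo()))
```

Only the first request is accepted; each of the other three fails a different check, which is why the checklist asks for all three settings rather than any one of them.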
How does 3Commas secure user data?
On top of using the three key secure connection protocols explained above, 3Commas secures user data with tools from security services provider Cloudflare, including:
Web Application Firewall
DDoS attack protection
SSL/TLS encryption between visitors and origin servers
What can you do to keep your data safe?
When working with an exchange:
Secure your exchange account with two-factor authentication (2FA).
Save 2FA backup keys in a safe place.
Use a strong and unique password/email for your exchange account.
Don’t store secure API keys in a shared or accessible document.
Don’t send your API keys via a message to yourself or anyone.
Use separate API keys for different services.
Connect exchange via Fast Connect if possible.
Always be wary of phishing emails and ensure the authenticity of the sender — especially check those from your exchange providers.
Set up alerts, like the one 3Commas Pro subscribers use on Binance that can send them messages any time there's an external trade.
When working with mobile devices:
Secure your smartphone with a PIN code or biometric measure.
Never give your device to anyone while the trading app is open or when your Google Authenticator app is accessible.
Always ensure that your backup codes are retrievable in the event your phone is lost or stolen.
When creating an account on 3Commas:
If connecting to 3Commas using a web browser, ensure the address is either https://3commas.io or https://app.3commas.io in your browser address bar.
If you have created your 3Commas account with an email address and password:
Use an email address you check regularly (not a “spam-address”).
Use a strong and unique password different from your email address.
Verify your email address (you will receive a link once you are registered).
We strongly recommend you enable 2FA for your account in Settings.
Create an anti-phishing code (new feature!) on the Settings page:
An anti-phishing code can consist only of 6 symbols of Latin letters and numbers.
This feature enhances email security for our software's users. You will receive emails from us with this code displayed in the letter, so you will know it's legit and official from 3Commas. You can change or disable it later if you want.
When using 3Commas:
Hide your balance when you are sharing screenshots or your interface is viewable by others.
Log out from 3Commas if you are giving access to your device to anyone else.
Secure your device with a password or PIN and don’t leave it unlocked.
Don’t share your email_token in TradingView commands.
Official 3Commas web and email addresses you can interact with:
3Commas Official URLs:
3Commas Official Email Addresses:
[email protected] (Coinpayments is a payment processing service; you will receive messages from this address if you purchase a subscription using cryptocurrency).
[email protected] (Paddle is a payment processing service; you may receive messages from this address if you have payment-related issues).
Status of API security for 3Commas exchange partners
New API keys secured by:
| Exchange | Sign Center | IP Whitelisting | Fast Connect (subject to dev roadmap of exchanges) |
| --- | --- | --- | --- |
| Binance | ✔️ | ✔️ | ✔️ |
| OKX | ✔️ | ✔️ | ✔️ |
| KuCoin | ✔️ | ✔️ | ❌ |
| Coinbase | ✔️ | ✔️ | ✔️ |
| Binance TR | ✔️ | ✔️ | ❌ |
| Binance US | ✔️ | ✔️ | ❌ |
| Bitfinex | ✔️ | ✔️ | ❌ |
| Bitstamp | ✔️ | ✔️ | ❌ |
| Bybit | ✔️ | ✔️ | ✔️ |
| BitGet | ✔️ | ✔️ | ❌ |
| Gate.io | ✔️ | ✔️ | ✔️ |
| Gemini | ✔️ | ❌ | ❌ |
| HTX (Huobi) | ✔️ | ✔️ | ❌ |
| Kraken | ✔️ | ✔️ | ❌ |
Stopping use of a specific CEX
If you want to stop using a specific exchange account with 3Commas and select another one, there are a few things you need to be aware of and check:
Any trading history from within 3Commas for this account will be deleted.
Any configured bots and SmartTrade templates for this account will be deleted.
Any active bot deals, SmartTrades or orders created within 3Commas for this exchange account will need to be canceled.
If you configured any custom TradingView alerts that used this account, they will need to be deleted on your TradingView.com account.
Once you've checked the above, you can proceed to the https://app.3commas.io/accounts page. Simply find the account to remove, click the Options button, then choose ‘Delete’.
Important: Please remember to log in to your exchange's website and delete the API key, otherwise it will remain active and could become a security risk.
3Commas’ continuing commitment to trader security
We take software and data security very seriously at 3Commas. Blockchain and cryptocurrency services are tempting targets for malicious attacks — which is why we operate under the assumption that malicious actors may be trying to compromise our software and the community it serves at all times.
The measures and protocols we explain on this page are testament to our continuously evolving efforts to counter those who might seek to exploit our customers, and to give you the best possible security and protection.
Important: Following security measures is vital in cryptocurrency trading. Always remember that $100 worth of a token may grow into a fortune someday. Treat every penny with respect.