Security
Toobit Agent Trade Kit provides multiple layers of security to protect your assets and credentials.
Security Layers
| Layer | Description |
|---|---|
| Local Execution | All programs run locally. Keys are only stored in the local config file (~/.toobit/config.toml). Signatures are computed locally. AI cannot access your credentials. |
| Read-Only Mode (`--read-only`) | Only data queries are allowed. All write tools are disabled — AI cannot execute any trades. |
| Module Filtering (`--modules`) | Precisely control which modules are exposed to AI. For example, `--modules market` only exposes market data. |
| Smart Registration | On startup, the server detects API Key permissions. If the Key lacks trade permissions, order tools won't be registered. |
| Risk Labels | All tools involving fund operations are tagged with [CAUTION], prompting AI to confirm before execution. |
| Local Rate Limiting | Built-in token bucket rate limiter prevents overloading the Toobit API. |
| Audit Logging | All tool calls are automatically logged to ~/.toobit/logs/ with sensitive data (signatures, etc.) redacted. |
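The following is an added illustration, not code from the Toobit Agent Trade Kit itself: a toy model of how the module filter, the read-only gate and permission-based registration combine to decide which tools an AI client ever sees, plus the kind of redaction an audit record needs. The tool catalogue, permission names and sensitive-field names are assumptions; only `spot_place_order_test` and the `market` module appear on this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tool:
    name: str
    module: str
    writes: bool   # True for anything that places orders or moves funds
    needs: str     # API key permission required (assumed names: read/trade/withdraw)

# Constructed catalogue for illustration; not the kit's real tool list.
CATALOG = [
    Tool("market_ticker", "market", False, "read"),
    Tool("account_balance", "account", False, "read"),
    # Assumption: the test-order tool is treated as a dry run, so it is not a write.
    Tool("spot_place_order_test", "spot", False, "trade"),
    Tool("spot_place_order", "spot", True, "trade"),
    Tool("withdraw", "wallet", True, "withdraw"),
]

def register_tools(key_perms, read_only=False, modules=None):
    """Return {tool_name: description} for the tools the server would expose.
    Gates are applied in order: module filter, read-only mode, key permission.
    Anything that survives and touches funds gets a [CAUTION] label."""
    exposed = {}
    for t in CATALOG:
        if modules is not None and t.module not in modules:
            continue                      # --modules: not requested at all
        if read_only and t.writes:
            continue                      # --read-only: write tools disabled
        if t.needs not in key_perms:
            continue                      # key lacks permission: never registered
        label = "[CAUTION] " if t.writes else ""
        exposed[t.name] = f"{label}{t.module}/{t.name}"
    return exposed

# Assumed names of fields that must never reach the audit log in clear.
SENSITIVE = {"signature", "secret", "api_secret"}

def audit_record(tool, params):
    """Build the record that would be written to the audit log, with
    sensitive values replaced so the log can be shared or reviewed safely."""
    safe = {k: ("<redacted>" if k.lower() in SENSITIVE else v) for k, v in params.items()}
    return {"tool": tool, "params": safe}
```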
Best Practices
Credential Security
DANGER
Never share your API Key or Secret Key with any AI model or paste it into a chat. All credentials should only be stored in the local config file (~/.toobit/config.toml).
- Use a sub-account API Key with only the minimum required permissions
- Set up IP whitelisting to restrict API Key usage
- Regularly review and rotate your API Keys
Risk Management
- Start with `--read-only` mode to familiarize yourself with features
- Use `--modules market` to expose only market queries, with no trading involved
- Test with `spot_place_order_test` before actual trades
- Regularly review audit logs in `~/.toobit/logs/`
- AI can make mistakes — always verify order details before execution
WARNING
Users bear all risks and losses from trading operations.