API Token
StandX provides API access for programmatic trading through a self-custodial key system. All API tokens and signing keys are generated client-side and stored only by you — StandX does not store, access, or have any ability to recover your keys. This decentralized approach ensures that only you have control over your trading activities. No one can execute trades or withdrawals on your behalf without your keys.
Accessing API Token Management
To manage your API tokens:
- Click on your profile icon in the top right corner of the page and select the session management option
- Alternatively, if you are already signed in, navigate to https://standx.com/user/session
Creating an API Token
When generating a new API token, you can customize the following options:
Remark
Give your token a descriptive name (e.g., “trade-only”, “bot-trading”) to help you identify its purpose later.
Request Sign Key
- Self Provide – Use your own signing key for request authentication
- Generate – Generate a signing key locally in your browser
⚠️ Important: Regardless of which option you choose, the signing key is generated and stored only on your device. StandX never receives or stores your signing key. You must securely back up this key yourself — if lost, it cannot be recovered.
Permissions
Configure what actions the API token can perform:
- Trade – Allows the token to execute trades on your behalf
- Withdraw – Allows the token to initiate withdrawals (use with caution)
Tip: Follow the principle of least privilege. Only enable permissions that are absolutely necessary for your use case. For trading bots, consider enabling only “Trade” permission and keeping “Withdraw” disabled.
Expiry
Select how long the token remains valid:
- 7 days – Short-term use
- 30 days – Standard use
- 90 days – Extended use
- 180 days – Long-term use
Security Best Practices
⚠️ Warning: Your API keys are self-custodial. You are solely responsible for their security.
Because StandX operates on a decentralized, non-custodial model, we cannot recover lost keys or reverse unauthorized transactions. Please follow these best practices:
- Back up your keys securely – Store your API token and signing key in a secure location; they cannot be recovered if lost
- Never share your API keys – Do not share your API token or signing key with anyone
- Never commit keys to version control – Use environment variables or secure secret management
- Use restrictive permissions – Only enable the permissions you need
- Rotate keys regularly – Generate new tokens periodically and revoke old ones
- Monitor your sessions – Regularly review your active sessions and revoke any you don’t recognize
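One way to apply the permission, expiry and rotation practices above is to audit your own record of issued tokens. This is an added example, not StandX code: the record fields, the 7-day warning window and the assumption that expiry counts from the creation date are hypothetical, and the sample records are constructed.

```python
from datetime import date, timedelta

EXPIRY_OPTIONS = {7, 30, 90, 180}  # expiry choices listed on this page
WARN_DAYS = 7                      # assumption: flag tokens this close to expiry

def audit_token(record, today):
    """Return findings for one locally kept token record (hypothetical format)."""
    findings = []
    if not record["remark"].strip():
        findings.append("no remark: purpose cannot be identified")
    if "Withdraw" in record["permissions"]:
        findings.append("Withdraw enabled: confirm it is required")
    if record["expiry_days"] not in EXPIRY_OPTIONS:
        findings.append("expiry is not one of the offered options")
    # Assumption: validity is counted from the creation date.
    expires = record["created"] + timedelta(days=record["expiry_days"])
    remaining = (expires - today).days
    if remaining < 0:
        findings.append("expired: remove from configuration")
    elif remaining <= WARN_DAYS:
        findings.append(f"expires in {remaining} days: rotate")
    return findings

def audit_all(records, today):
    """Audit every record; returns a list of (remark, findings) pairs."""
    return [(r["remark"], audit_token(r, today)) for r in records]

# Constructed sample records; no real tokens or keys belong in such a file.
SAMPLE_TOKENS = [
    {"remark": "bot-trading", "permissions": ["Trade"],
     "created": date(2025, 1, 1), "expiry_days": 30},
    {"remark": "", "permissions": ["Trade", "Withdraw"],
     "created": date(2025, 1, 1), "expiry_days": 180},
    {"remark": "trade-only", "permissions": ["Trade"],
     "created": date(2024, 12, 1), "expiry_days": 30},
]

if __name__ == "__main__":
    for remark, findings in audit_all(SAMPLE_TOKENS, date(2025, 1, 27)):
        print(remark or "<unnamed>", findings or ["ok"])
```

The inventory holds metadata only, so it can be kept alongside a bot's configuration without exposing the token or signing key.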
Revoking API Tokens
If you suspect your API key has been compromised, or you no longer need it:
- Go to https://standx.com/user/session
- Find the token in your session list
- Click Revoke to immediately invalidate the token
Revoking a token is immediate and cannot be undone. You will need to generate a new token if you need API access again.