API Key Encryption
How Mayson protects your exchange credentials.
Overview
Your API keys are among the most sensitive data we handle. Here’s how we protect them:
Encryption at Rest
AES-256 Encryption
All API keys and secrets are encrypted using AES-256, the same standard used by:
- Financial institutions
- Government agencies
- Military applications
Your API Secret → AES-256 Encryption → Encrypted Blob (stored)Key Management
- Encryption keys are stored separately from encrypted data
- Keys are rotated regularly
- Access to keys requires multiple authentication factors
Zero-Knowledge Architecture
What We Store
| Data | Stored As |
|---|---|
| API Key | Encrypted |
| API Secret | Encrypted |
| Exchange Name | Plain text |
| Last Used | Plain text |
What We Never Store
- ❌ Plain text API keys
- ❌ Plain text secrets
- ❌ Your exchange passwords
- ❌ Withdrawal permissions
Access Controls
Who Can Access Your Keys
| Entity | Access |
|---|---|
| You | Yes (via authenticated session) |
| Mayson System | Yes (for trade execution) |
| Mayson Staff | No (encrypted, can’t decrypt) |
| Database Access | No (encrypted data only) |
How Keys Are Used
- You request a trade
- System retrieves encrypted key
- Key decrypted in secure memory (ephemeral)
- Trade executed via exchange API
- Key cleared from memory immediately
Transport Security
HTTPS/TLS
All communication is encrypted:
- TLS 1.3 protocol
- Certificate pinning
- No plain text transmission
API Communication
When Mayson connects to your exchange:
- Secure connection established
- Your (decrypted) credentials used once
- Exchange response received
- Connection closed
- Credentials cleared
What You Should Do
Choose Correct Permissions
| Permission | Recommended |
|---|---|
| Read | âś… Enable |
| Spot Trade | âś… Enable |
| Futures | ⚙️ Optional |
| Withdrawal | ❌ Never |
Why No Withdrawals?
Even if someone compromised your API key, they cannot:
- Withdraw funds to another address
- Transfer assets out of your exchange
- Change your withdrawal addresses
The worst case: unauthorized trades within your account.
IP Whitelisting
Exchange-Side Protection
Many exchanges support IP restrictions:
- Get Mayson’s server IPs from support
- Add them to your exchange API settings
- Only those IPs can use your API key
Additional Protection
Even without IP whitelisting:
- Keys are encrypted and inaccessible
- All access is logged and monitored
- Unusual activity triggers alerts
Security Best Practices
| Practice | Description |
|---|---|
| Dedicated API Key | Create a separate API key just for Mayson |
| Minimal Permissions | Only enable Read and Spot Trading |
| Regular Rotation | Change API keys every 3-6 months |
| Monitor Activity | Check exchange API logs periodically |
Frequently Asked Questions
Can Mayson withdraw my funds?
No. We explicitly do not request or accept withdrawal permissions. Even if enabled on your API key, we do not use them.
What if Mayson gets hacked?
Your API keys are encrypted. An attacker would need:
- Database access
- Encryption key access (stored separately)
- Key derivation secrets
This multi-layer approach makes unauthorized decryption extremely difficult.
Can Mayson staff see my keys?
No. Staff cannot decrypt your API keys. Only the automated system can temporarily decrypt for trade execution, with full audit logging.
More questions? Contact our security team at [email protected]