Exchange API Credentials
Connect KhunQuant to your exchange accounts so it can read your portfolio, track prices, and execute trades on your behalf.
An API key is like a limited-access password for your exchange account. A correctly configured key lets KhunQuant see your portfolio and trade for you — but it cannot withdraw your funds. Follow these rules for every exchange:
- Never enable withdrawal permissions on any API key you give to KhunQuant.
- Save your Secret Key immediately after creation — it is shown only once. If you lose it, delete the key and create a new one.
- Never share your API key or secret with anyone, including in screenshots or chat messages.
- Enable IP whitelisting if available — it locks the key to your device's IP address.
Supported Exchanges
| Exchange | Type | Guide |
|---|---|---|
| Binance (global) | International crypto | Binance API Setup |
| BinanceTH | Thai crypto (Binance Thailand) | BinanceTH API Setup |
| OKX | International crypto | OKX API Setup |
| Bitkub | Thai crypto | Bitkub API Setup |
| Settrade | Thai SET stock market | Settrade API Setup |
How KhunQuant Stores Your Credentials
Your API keys are never stored in config.json. They are stored in a separate file called .security.yml inside ~/.khunquant/. This file is not tracked by version control and is not shared with anyone.
File layout:
~/.khunquant/
├── config.json ← settings (no secrets here)
└── .security.yml ← your API keys live here
Basic .security.yml structure for exchanges:
exchanges:
binance:
accounts:
- api_key: "paste_your_api_key_here"
secret: "paste_your_secret_key_here"
okx:
accounts:
- api_key: "paste_your_api_key_here"
secret: "paste_your_secret_key_here"
passphrase: "paste_your_api_passphrase_here" # OKX only
bitkub:
accounts:
- api_key: "paste_your_api_key_here"
secret: "paste_your_secret_key_here"
binanceth:
accounts:
- api_key: "paste_your_api_key_here"
secret: "paste_your_secret_key_here"
settrade:
accounts:
- api_key: "your_app_login_id"
secret: "base64_encoded_private_key"
pin: "your_trading_pin"
For production security, wrap each value with enc:// encryption using the Credential Encryption feature, or use env://VARIABLE_NAME to load from environment variables. See Security YAML Reference for the full reference.
Multiple Accounts
You can connect more than one account per exchange (for example, a main account and a sub-account). Just add more entries under accounts:
exchanges:
binance:
accounts:
- name: "main"
api_key: "key_for_main_account"
secret: "secret_for_main_account"
- name: "trading-bot"
api_key: "key_for_bot_account"
secret: "secret_for_bot_account"
When asking KhunQuant to use a specific account, say: "check my binance trading-bot account".
Enabling an Exchange in config.json
After adding credentials to .security.yml, enable the exchange in config.json:
{
"exchanges": {
"binance": {
"enabled": true
},
"okx": {
"enabled": true
}
}
}
For Settrade specifically, you also need to add non-sensitive fields to config.json:
{
"exchanges": {
"settrade": {
"enabled": true,
"accounts": [
{
"broker_id": "FSSVP",
"app_code": "ALGO",
"account_no": "1234567"
}
]
}
}
}
Quick Permissions Reference
| Exchange | Enable | Disable (critical) |
|---|---|---|
| Binance | Read + Spot Trading | Withdrawals ← never enable |
| BinanceTH | Read + Spot Trading | Withdrawals ← never enable |
| OKX | Read + Trade | Withdraw ← never enable |
| Bitkub | Read + Trade | Withdraw ← never enable |
| Settrade | (no granular toggles) | N/A — withdrawal not available via API |
Outbound Proxy for IP Allowlisting
If KhunQuant runs on a home computer or laptop, your public IP address can change at any time. The Outbound Proxy option routes all exchange API traffic through a proxy server — typically a cheap VPS with a static IP. You then allowlist only the VPS IP on the exchange, and your home IP never needs updating.
Configure via Web UI
- Open KhunQuant's portfolio settings for your exchange, e.g. http://localhost:18800/portfolios/binance
- Expand an account card and scroll to Outbound Proxy (Optional) at the bottom
- Enter your proxy URL and click Save
http://vps-ip:3128
After setting the proxy, update your exchange API key's IP allowlist to permit only the proxy server's IP — not your home IP. This way the key is unusable even if it's ever leaked.
Configure via config.json
The proxy field lives in config.json (it is not a secret and is not stored in .security.yml):
{
"exchanges": {
"binance": {
"enabled": true,
"accounts": [
{
"name": "main",
"proxy": "http://vps-ip:3128"
}
]
}
}
}
Proxy Scheme Support by Exchange
| Exchange | http:// | https:// | socks5:// | socks5h:// |
|---|---|---|---|---|
| Binance | ✅ | ✅ | ❌ | ❌ |
| OKX | ✅ | ✅ | ❌ | ❌ |
| BinanceTH | ✅ | ✅ | ✅ | ✅ |
| Bitkub | ✅ | ✅ | ✅ | ✅ |
| Settrade | ✅ | ✅ | ✅ | ✅ |
Why the difference? Binance and OKX use the CCXT library which only exposes HTTP/HTTPS proxy configuration. BinanceTH, Bitkub, and Settrade use a native Go HTTP client that natively supports all four schemes including SOCKS5.
If you need to proxy Binance or OKX traffic, use an HTTP proxy such as Squid or Tinyproxy on your VPS.
Step-by-Step Guides
Follow the guide for each exchange you want to connect:
- Binance API Setup — international Binance (binance.com)
- BinanceTH API Setup — Thai Binance (binance.th)
- OKX API Setup — OKX with passphrase
- Bitkub API Setup — Bitkub (Thai baht crypto exchange)
- Settrade API Setup — SET stock market (most complex — read carefully)