Authentication overview
Kraken's trading platform and its programmatic interfaces, including the REST API and WebSocket API, require authentication to protect user accounts and data. Authentication ensures that only legitimate users or applications can access account-specific information, execute trades, or manage funds. For API interactions, Kraken employs a signature-based authentication method that relies on an API key and an API secret. This approach verifies that the sender holds the secret and lets the server detect any tampering with a request in transit.
During authentication, a signature is generated for each API request. The signature binds elements of the request (the endpoint path, the nonce, and the POST body) to the user's API secret. The API key sent alongside the request tells the server which secret to use; the server recomputes the signature with that secret and compares it to the one received. Because both sides share the same secret (an HMAC rather than a public-key signature), this proves possession of the secret and detects tampering, but it does not provide non-repudiation in the cryptographic sense. The nonce (a number used once, which for a given key must increase with every request) lets the server reject replays, where an attacker resends a captured valid request. Signed-request schemes of this kind are common in financial APIs, and they are distinct from bearer-token frameworks such as OAuth 2.0 (IETF RFC 6749), where possession of a token alone authorizes the request.
Kraken offers client libraries (SDKs) in several programming languages, including Python, Node.js, Java, Go, and C#, which abstract much of the complexity involved in generating these signatures. These SDKs are designed to streamline the development process and help developers securely integrate with Kraken's services without needing to implement the cryptographic signing logic from scratch. Developers are advised to use these provided libraries to ensure correct and secure authentication.
Supported authentication methods
Kraken primarily supports API key and secret authentication for its programmatic interfaces.
| Method | When to Use | Security Level |
|---|---|---|
| API Key & Secret (HMAC-SHA512 Signature) | All programmatic access via REST API and WebSocket API for trading, account management, and data retrieval. | High. Requires cryptographic signing of requests, protecting against tampering and unauthorized access, especially when combined with IP whitelisting and granular permissions. |
| Session Cookies (Web UI) | Direct login to the Kraken web interface for manual trading, account settings, and general platform interaction. | High when 2FA is enabled for login and sensitive actions (see Security best practices). |
The API Key & Secret method is essential for developers building applications that interact with Kraken's trading engine. It is the authentication mechanism for both the REST API and the WebSocket API, allowing users to automate trading strategies, retrieve real-time market data, and manage their portfolio programmatically. Each API key can be configured with specific permissions (e.g., read-only access, trade execution, withdrawal capabilities) and restricted to a whitelist of IP addresses, significantly enhancing security.
Getting your credentials
To obtain API credentials for Kraken, you must first have an active Kraken account. The process involves generating a new API key pair from your account settings.
- Log In to Your Kraken Account: Access the Kraken website and log in with your username and password.
- Navigate to API Management: From the main dashboard, go to Settings and then select API.
- Generate a New Key: Click the Generate New Key button.
- Configure Key Permissions:
  - Key Description: Provide a descriptive name for your API key (e.g., "My Trading Bot Key").
  - Permissions: Carefully select the permissions required for your application. Granting only the necessary permissions follows the principle of least privilege. Options typically include:
    - Query Private Trades/Funds: Allows access to your account balance and transaction history.
    - Place & Cancel Orders: Permits making and canceling trades.
    - Withdraw Funds: Enables programmatic withdrawals (highly sensitive; use with extreme caution and IP whitelisting).
  - Nonce Window: Set the nonce window, the tolerance (in milliseconds) by which a request's nonce may fall below the highest nonce already accepted for the key and still be processed. It exists for clients that send requests concurrently and cannot guarantee arrival order. Leave it at zero (strictly increasing nonces) unless you need it, and keep it as small as your client allows: a wider window tolerates more reordering but also loosens the freshness check.
  - IP Whitelist (Recommended): Enter a comma-separated list of static IP addresses from which your API requests will originate. This restricts use of the key to your specified servers, significantly reducing the risk if the key is compromised.
- Confirm Generation: Review your settings and confirm. Kraken will then display your API Key and API Secret.
- Secure Your Secret: The API Secret is shown only once upon generation. You must copy and store it securely immediately. If lost, you will need to revoke the key and generate a new one. Never share your API Secret.
It's crucial to understand that API keys are powerful and can control significant assets. Treat your API secret with the same care as your account password. For detailed instructions, refer to the Kraken support article on API key creation.
Authenticated request example
Authenticating a request to the Kraken REST API involves several steps: generating a nonce, forming the POST body, signing the endpoint path together with the body, and sending the API key and signature in the request headers. Here is a Python example using the requests library, with hmac and hashlib for signing, that queries account balances. The body that is signed must be byte-for-byte the body that is sent, so the example builds one dict, URL-encodes it for the signature, and hands that same dict to requests.

```python
import base64
import hashlib
import hmac
import time
import urllib.parse

import requests

API_KEY = "YOUR_API_KEY_HERE"
API_SECRET = "YOUR_API_SECRET_HERE"  # the base64 string Kraken shows at key creation
API_URL = "https://api.kraken.com"


def get_kraken_signature(urlpath, data, secret):
    # Kraken's scheme: API-Sign = base64(HMAC-SHA512(secret, path + SHA256(nonce + postdata)))
    # where postdata is the URL-encoded form body exactly as it will be sent.
    postdata = urllib.parse.urlencode(data)
    encoded = (str(data["nonce"]) + postdata).encode()
    message = urlpath.encode() + hashlib.sha256(encoded).digest()
    # The secret is base64; decode it to raw bytes before using it as the HMAC key
    mac = hmac.new(base64.b64decode(secret), message, hashlib.sha512)
    return base64.b64encode(mac.digest()).decode()


# Private endpoint for account balances (all private endpoints are POST)
API_PATH = "/0/private/Balance"

# Nonce: a strictly increasing integer per API key. Milliseconds since the epoch
# is enough for a single client that issues at most one request per millisecond;
# anything more concurrent needs a counter so that no two requests share a nonce.
nonce = str(int(time.time() * 1000))

# The dict that is signed is the dict that is sent. Balance needs no parameters
# beyond the nonce; other endpoints add their parameters to this same dict.
request_data = {"nonce": nonce}

headers = {
    "API-Key": API_KEY,
    "API-Sign": get_kraken_signature(API_PATH, request_data, API_SECRET),
}

try:
    response = requests.post(API_URL + API_PATH, headers=headers, data=request_data, timeout=10)
    response.raise_for_status()  # HTTP-level errors
    body = response.json()
    # Kraken answers HTTP 200 with a non-empty "error" list for authentication
    # and nonce failures, so the JSON must be checked as well as the status code
    if body.get("error"):
        print("API error:", body["error"])
    else:
        print(body["result"])
except requests.exceptions.RequestException as e:
    print(f"An error occurred: {e}")
```

This example demonstrates querying the Balance endpoint, which requires no parameters beyond the nonce. For endpoints that take parameters, such as placing an order, add them to request_data: they then form part of both the signed string and the transmitted body, following Kraken's REST API authentication guidelines. Always ensure your nonce is strictly increasing and unique per request to prevent replay attacks and API errors.
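The example above shows only the client side. To make the security properties of the scheme concrete, the following added example (not Kraken's code, and not from the original page) pairs the same signing routine with a server-side model that recomputes the HMAC over the body exactly as received and tracks nonces per key. The Verifier class is an assumption about what a server checks, not Kraken's published logic; in particular the nonce window is modelled as a tolerance for out-of-order delivery within which an unused lower nonce is still accepted. The secret, the order parameters and the nonce values are constructed test data.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed test secret: 32 fixed bytes, base64-encoded the way Kraken
# presents a secret. Not a real credential.
TEST_SECRET = base64.b64encode(bytes(range(32))).decode()


def sign(urlpath: str, data: dict, secret_b64: str) -> str:
    """Client side: API-Sign = base64(HMAC-SHA512(secret, path || SHA256(nonce || postdata)))."""
    postdata = urllib.parse.urlencode(data)
    encoded = (str(data["nonce"]) + postdata).encode()
    message = urlpath.encode() + hashlib.sha256(encoded).digest()
    mac = hmac.new(base64.b64decode(secret_b64), message, hashlib.sha512)
    return base64.b64encode(mac.digest()).decode()


class Verifier:
    """Server-side model for one API key (an assumption, not Kraken's code): recompute
    the HMAC over the raw body received and enforce nonce freshness. The nonce window is
    modelled as a tolerance: a nonce below the highest accepted one is still taken if
    it lies within window_ms of it and has not been used before."""

    def __init__(self, secret_b64: str, window_ms: int = 0):
        self._key = base64.b64decode(secret_b64)
        self._window = window_ms
        self._highest = -1
        self._seen: set[int] = set()

    def verify(self, urlpath: str, raw_body: str, api_sign: str) -> tuple[bool, str]:
        fields = dict(urllib.parse.parse_qsl(raw_body, keep_blank_values=True))
        nonce_str = fields.get("nonce")
        if nonce_str is None or not nonce_str.isdigit():
            return False, "missing or invalid nonce"
        # Check the signature before touching nonce state, so that only a holder
        # of the secret can advance the nonce or fill the replay set.
        digest = hashlib.sha256((nonce_str + raw_body).encode()).digest()
        expected = base64.b64encode(
            hmac.new(self._key, urlpath.encode() + digest, hashlib.sha512).digest()
        ).decode()
        if not hmac.compare_digest(expected, api_sign):
            return False, "bad signature"
        nonce = int(nonce_str)
        if nonce in self._seen:
            return False, "replayed nonce"
        if nonce <= self._highest - self._window:
            return False, "nonce too old"
        self._seen.add(nonce)
        if nonce > self._highest:
            self._highest = nonce
            # Forget nonces that could no longer be accepted anyway.
            self._seen = {n for n in self._seen if n >= self._highest - self._window}
        return True, "ok"


def demo() -> dict:
    """Constructed exchange between a client and the Verifier; returns each outcome."""
    path = "/0/private/AddOrder"
    server = Verifier(TEST_SECRET)
    out = {}

    # 1. Legitimate request: the signed form body is exactly the body sent.
    order = {"nonce": "1700000000001", "pair": "XBTUSD", "type": "buy",
             "ordertype": "market", "volume": "0.01"}
    body = urllib.parse.urlencode(order)
    sig = sign(path, order, TEST_SECRET)
    out["valid"] = server.verify(path, body, sig)

    # 2. Replay: a captured request resent unchanged.
    out["replay"] = server.verify(path, body, sig)

    # 3. Tampering in transit: the volume is edited but the signature is not.
    out["tampered"] = server.verify(path, body.replace("volume=0.01", "volume=10"), sig)

    # 4. Same body and signature aimed at another endpoint: the path is signed too.
    out["wrong_path"] = server.verify("/0/private/Withdraw", body, sig)

    # 5. Fresh nonce signed with the wrong secret (attacker knows only the API key).
    wrong_secret = base64.b64encode(bytes(32)).decode()
    nxt = dict(order, nonce="1700000000002")
    out["wrong_secret"] = server.verify(path, urllib.parse.urlencode(nxt), sign(path, nxt, wrong_secret))

    # 6. Honest request whose nonce is lower than one already accepted (clock went backwards).
    stale = dict(order, nonce="1700000000000")
    stale_body, stale_sig = urllib.parse.urlencode(stale), sign(path, stale, TEST_SECRET)
    out["stale"] = server.verify(path, stale_body, stale_sig)

    # 7. The same stale request against a key configured with a 5 s nonce window.
    lenient = Verifier(TEST_SECRET, window_ms=5000)
    lenient.verify(path, body, sig)
    out["stale_within_window"] = lenient.verify(path, stale_body, stale_sig)
    return out


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:20s} {'accepted' if ok else 'rejected'} ({why})")
```

Two design points carry over to real clients. The server compares the signature before it looks at the nonce, so a stranger who knows only the API key cannot disturb the nonce state of the legitimate client; and because the path is inside the signed message, a signature captured for one endpoint is useless against another. Case 6 is the everyday failure mode: a correct secret, a correct body, and a rejected request purely because the nonce went backwards, which is what the nonce window setting on the key is there to absorb.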
Security best practices
Securing your Kraken API keys and account is paramount to protecting your digital assets. Adhering to the following best practices can significantly mitigate risks:
- Enable Two-Factor Authentication (2FA) for Your Account: Always enable 2FA for your Kraken account login. API requests do not pass through the web login, so 2FA does not protect API calls themselves; it protects the account session from which keys are created, edited and revoked, and the sensitive account actions Kraken lets you gate behind a second factor. Kraken supports authenticator apps (such as Google Authenticator) and hardware security keys such as YubiKey; the latter follow FIDO Alliance standards for phishing-resistant authentication.
- Use IP Whitelisting: When generating an API key, specify a whitelist of static IP addresses that are permitted to make API calls using that key. Even if the key and secret are leaked, they cannot be used from an address outside the list; an attacker would also need a foothold on one of the whitelisted hosts. This is a critical security measure for production systems, and it is the reason the whitelisted addresses should be static and few.
- Grant Least Privilege: Configure API key permissions to grant only the absolute minimum access required for your application to function. For example, if your application only reads market data, do not grant it trading or withdrawal permissions. Regularly review and adjust permissions as your application's needs evolve.
- Store API Keys Securely: Never hardcode API keys directly into your source code. Instead, use environment variables, secure configuration files, or a secrets management service (e.g., AWS Secrets Manager, HashiCorp Vault). Ensure these storage methods are protected with appropriate access controls.
- Do Not Share API Secrets: The API secret should be treated as a highly sensitive password. Never share it, commit it to version control (e.g., Git), or expose it in client-side code.
- Rotate API Keys Periodically: Implement a policy to regularly rotate your API keys. This practice minimizes the window of vulnerability if a key is unknowingly compromised. Destroy old keys once new ones are in use.
- Monitor API Usage: Regularly check your API key usage logs (if available through Kraken) for any unusual activity or unexpected requests. Anomalous patterns could indicate a compromise.
- Implement Nonce Management Carefully: Ensure your application's nonce generation logic is robust. Using a strictly increasing, unique nonce for each request prevents replay attacks and ensures proper authentication.
- Use Official SDKs: Whenever possible, use Kraken's official SDKs or well-vetted community libraries. These libraries are designed to handle the complex authentication signing process correctly and securely, reducing the chance of implementation errors.
- Encrypt Communications: Always use HTTPS for all API interactions to ensure that your requests and Kraken's responses are encrypted in transit, preventing eavesdropping. Kraken's API endpoints are served over HTTPS by default.
By diligently applying these practices, developers can create a more secure environment for their applications interacting with the Kraken API, safeguarding both their own and their users' assets.
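The "Implement Nonce Management Carefully" item above deserves a worked illustration, because the bare int(time.time() * 1000) used in the request example fails in two ordinary situations: two threads build requests in the same millisecond and collide, or the wall clock steps backwards and the next nonce is lower than the last one accepted. The following added example (not from the original page and not Kraken's code) is a small nonce source that guarantees strictly increasing values across threads and clock regressions; the clock readings in clock_regression_demo are constructed, and the clock_ms parameter exists only so that case can be exercised offline.

```python
import threading
import time


class NonceSource:
    """Strictly increasing nonces for one API key, safe to share between threads.

    Two properties the scheme needs that a bare int(time.time() * 1000) lacks:
    the value never repeats, even when several requests are built within the
    same millisecond, and it never goes backwards when the wall clock does
    (NTP step, VM restore). Values stay close to real milliseconds so that a
    nonce window configured on the key keeps its meaning.
    """

    def __init__(self, clock_ms=lambda: time.time_ns() // 1_000_000):
        self._clock_ms = clock_ms  # injectable so the regression case can be tested offline
        self._lock = threading.Lock()
        self._last = 0

    def next(self) -> int:
        with self._lock:
            now = self._clock_ms()
            # Advance to the current time, or by one if the clock is not ahead of us
            self._last = max(now, self._last + 1)
            return self._last


def nonces_from_threads(source: NonceSource, threads: int = 8, per_thread: int = 500) -> list[int]:
    """Draw nonces from one NonceSource on several threads and return all of them."""
    issued, lock = [], threading.Lock()

    def worker():
        local = [source.next() for _ in range(per_thread)]
        with lock:
            issued.extend(local)

    ts = [threading.Thread(target=worker) for _ in range(threads)]
    for t in ts:
        t.start()
    for t in ts:
        t.join()
    return issued


def clock_regression_demo() -> list[int]:
    """Constructed clock (milliseconds) that jumps back 10 s after the first reading."""
    readings = iter([1_700_000_000_000, 1_699_999_990_000, 1_699_999_990_001, 1_700_000_000_002])
    source = NonceSource(clock_ms=lambda: next(readings))
    return [source.next() for _ in range(4)]


if __name__ == "__main__":
    nonces = nonces_from_threads(NonceSource())
    print(len(nonces), "nonces issued,", len(set(nonces)), "distinct")
    print("after clock regression:", clock_regression_demo())
```

One NonceSource per API key is the intended shape. It makes nonces unique and increasing at the moment they are issued, but it cannot control the order in which concurrent requests reach the server, which is the case the key's nonce window setting covers. Two separate processes cannot share a NonceSource, so give each process or bot its own API key rather than trying to coordinate nonces between them.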