Connect Kraken to your trading bot

Why Kraken

Kraken is one of the oldest still-operating crypto exchanges, with a clean regulatory profile in the US and the EU. Liquidity on majors is good (worse than Binance, better than most second-tier venues) and the API surface is well documented.

Note that Kraken Spot and Kraken Futures are different products with different APIs and different keys. If you trade both, you create two keys.

Before you start

Verify your account to at least Starter (US) or Express (rest of world) — Kraken gates API access behind verification. Enable 2FA with an authenticator app (TOTP) — Kraken supports per-action 2FA, which means the API key itself can require 2FA, but most users leave that off because their strategy then needs to handle the OTP.

Make sure your account email is verified and your master key (the password recovery key) is stored offline.

Create the API key

Spot: 1. Sign in and open Settings → API (or directly: kraken.com/u/security/api). 2. Click Create API Key. 3. Set a Description, e.g. noon-barbari. 4. Configure the permission checkboxes (see next section). 5. Optionally set a Key Expiration date. 6. Click Generate Key. Kraken displays a Private Key (your secret) — copy it now, it is not retrievable later.

Futures (separate API): Futures keys live at futures.kraken.com under Settings → API. The flow is similar but the URL, the documentation, and the connector in CCXT are different (krakenfutures).

Set the right permissions

On Kraken Spot, check:

• ✅ Query Funds — required.
• ✅ Query Open Orders & Trades — required.
• ✅ Query Closed Orders & Trades — required for backfilling fill history.
• ✅ Create & Modify Orders — required for sending new orders.
• ✅ Cancel/Close Orders — required for risk-management exits.
• ❌ Deposit Funds / Withdraw Funds / Transfer Funds — leave OFF.
• ❌ Earn — Allocate Funds / Deallocate Funds — only if you intentionally trade Earn products.

Click Generate Key.

IP whitelist

On the API key's settings, scroll to Key Permissions → IP Address Restrictions and add:

51.38.112.198

Kraken does not require this but it is the single highest-leverage security setting on the page.

51.38.112.198

Paste keys into Noon Barbari

Once the API key is created, copy the public key and the secret into Noon Barbari from the Profile → Exchange keys section of your account. Keys are encrypted at rest with a per-user envelope key and only decrypted in memory while a strategy run is active — they never leave the worker that needs them.

If the exchange issues a third value (passphrase, API memo, sub-account label), there will be a dedicated field for it. Save the form and the dashboard will run a lightweight balance query to confirm the credentials work.

Test the connection

Noon Barbari will issue a single read-only balance request the moment you save the key. A green tick means the credentials authenticated and your permission scopes match what the strategy needs. A red error usually points to one of four things: wrong key/secret pair, missing permission, IP whitelist mismatch, or 2FA grace period not yet expired.

Once green, run a small paper trade for a day before flipping a strategy to live. Real execution exposes you to fees, partial fills, and slippage that paper mode cannot replicate.

Security tips

Treat exchange API keys like SSH keys to a production server — rotate them on a schedule and revoke them the moment you no longer need them.

1. Never grant withdraw — Noon Barbari only needs read + trade. A key without withdraw cannot move funds out of your account, no matter who steals it.
2. Use a sub-account if your exchange supports them — isolates the bot's capital from your spot stack and your manual trading.
3. Enable IP whitelist even when the exchange does not require it.
4. Rotate keys every 90 days — set a calendar reminder. The exchange's UI will let you create a new key and revoke the old one in the same session.
5. Enable exchange-side alerts for new API keys, failed logins, and large orders so you find out about a compromise within minutes, not days.

Common pitfalls

• Mixing up Spot and Futures keys — they look the same in your password manager. Label them kraken-spot and kraken-futures.
• Skipping the Query Closed Orders permission — backfills of fill history will return zero rows and your performance dashboard will look empty.
• Forgetting that Kraken uses asset aliases (XBT not BTC, XDG not DOGE) in some endpoints. CCXT handles this for you, but if you debug raw responses you will see XBT/USD.

Troubleshooting

• EAPI:Invalid key or EAPI:Invalid signature.

  The secret is wrong or the request body has been altered after signing. If you copy-pasted the key, re-paste from your password manager — Kraken keys can contain + and / which are mangled by some clipboards.

• EAPI:Permission denied.

  The action requires a permission the key does not have. The error message names the permission; tick it on the Kraken side and the next call will work.

• EGeneral:Permission denied:expired.

  The key has reached its Key Expiration date. Create a new key with the same permission set and rotate.

• Are Kraken Futures keys interchangeable with Spot keys?

  No. They are issued under separate domains (futures.kraken.com vs kraken.com) and use different REST signatures. Maintain two keys if you trade both.