The five Binance API permissions
Binance offers five toggleable permission scopes:
- Enable Reading — pull account state (balances, positions, trade history). REQUIRED for the bot.
- Enable Spot & Margin Trading — place spot orders. Margin is gated at the account level even if this toggle is on. REQUIRED for the bot.
- Enable Futures — place futures orders. NOT REQUIRED. Must stay OFF. Futures are non-halal under our framework.
- Enable Withdrawals — initiate withdrawals from the account. NOT REQUIRED. Must stay OFF. HalalCrypto never moves funds off your account.
- Permit Universal Transfer — move funds between sub-accounts. NOT REQUIRED. Must stay OFF.
The minimum scope HalalCrypto needs is the first two. Granting any of the other three is unnecessary and creates additional attack surface if your key ever leaks.
Why we never ask for Withdrawals
The single largest risk in any automated crypto product is custody. If a withdrawal-enabled key is compromised, an attacker can drain the account. We remove this risk structurally by never asking for the scope. There is no dashboard option, no advanced setting, no edge case where HalalCrypto requires withdrawal access.
What the dashboard checks
When you paste your API key, the dashboard runs a permission probe:
- Read: must be ON. Probe: GET /api/v3/account succeeds.
- Spot Trading: must be ON. Probe: a test order on a tiny LOT_SIZE that is immediately cancelled.
- Withdrawals: should be OFF. Probe: GET /sapi/v1/capital/withdraw/apply returns a permission error (this is the desired outcome).
- Futures: should be OFF. Probe: GET /fapi/v1/account returns a permission error.
Any deviation from the expected state is flagged in the dashboard with instructions on how to correct it.
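A complementary self-check, added here as an example and not HalalCrypto's own code: instead of the probes listed above, it reads the key's flags in the shape returned by Binance's GET /sapi/v1/account/apiRestrictions endpoint and compares them with the expected state, failing closed on anything missing. The sample responses are constructed, and EXPECTED, signed_query and audit are names chosen for this example.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Expected state from the permission list above: True = must be ON, False = must stay OFF.
# Field names follow the apiRestrictions response; the mapping itself is this example's.
EXPECTED = {
    "enableReading": True,
    "enableSpotAndMarginTrading": True,
    "enableFutures": False,
    "enableWithdrawals": False,
    "permitsUniversalTransfer": False,
}

def signed_query(secret: str, timestamp_ms: int) -> str:
    """Query string for a SIGNED Binance request: HMAC-SHA256 over the parameters, hex-encoded."""
    query = urlencode({"timestamp": timestamp_ms})
    sig = hmac.new(secret.encode(), query.encode(), hashlib.sha256).hexdigest()
    return f"{query}&signature={sig}"

def audit(restrictions: dict) -> list[str]:
    """Return one finding per deviation; an empty list means the key is least-privilege."""
    findings = []
    for field, want in EXPECTED.items():
        got = restrictions.get(field)
        if not isinstance(got, bool):
            # Fail closed: a missing or malformed flag is never assumed to be OFF.
            findings.append(f"{field}: state unknown, treat as unsafe")
        elif got != want:
            findings.append(f"{field}: turn {'ON' if want else 'OFF'}")
    return findings

# Constructed sample responses (not captured from a real account).
SAMPLE_OK = {"enableReading": True, "enableSpotAndMarginTrading": True,
             "enableFutures": False, "enableWithdrawals": False,
             "permitsUniversalTransfer": False}
SAMPLE_OVERSCOPED = {"enableReading": True, "enableSpotAndMarginTrading": True,
                     "enableFutures": False, "enableWithdrawals": True}

if __name__ == "__main__":
    # Placeholder secret; a real call would send this query with the X-MBX-APIKEY header.
    print(signed_query("EXAMPLE_SECRET", 1700000000000))
    for name, sample in (("ok", SAMPLE_OK), ("overscoped", SAMPLE_OVERSCOPED)):
        print(name, audit(sample) or "least-privilege")
```

Because this check only reads flags, it needs no test order, and it also covers the Universal Transfer scope.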