Security

How GoldenClaw protects your data and exchange credentials

GoldenClaw acts as a proxy between your AI assistant and crypto exchanges. Your exchange credentials are stored encrypted and never exposed to AI models.

Data Flow

AI Client → GoldenClaw API (HTTPS) → Exchange API
                  │
                  └── Encrypted credential storage (AES-256)

What GoldenClaw Receives

Data                   | Stored?         | Purpose
-----------------------|-----------------|-----------------------------------------------------------
API key (GoldenClaw)   | Yes             | Authenticate your requests
Exchange credentials   | Yes (encrypted) | Sign and route the orders you authorize to your exchange
Request parameters     | No (transient)  | Forwarded to the exchange API
Market data responses  | No (transient)  | Returned to your client
Order details          | No (transient)  | Forwarded to the exchange, not stored

What GoldenClaw Does NOT Receive

  • Your AI conversation history
  • Your prompts or system instructions
  • Data from other MCP tools connected to your AI client
  • Your exchange withdrawal passwords or 2FA codes

Credential Encryption

Exchange API keys and secrets are encrypted at rest with AES-256. They are decrypted only at request time, in memory, for the duration of the request that needs them, and the decrypted values are never written to logs.

No withdrawal access

GoldenClaw does not withdraw funds from your exchange account: exchange credentials are used only for order routing and data access, and no withdrawal operation is exposed. The enforcement you should rely on, however, lives on the exchange, not in GoldenClaw. Always create exchange API keys with withdrawal permission disabled, so that the keys cannot move funds even if GoldenClaw, your AI client, or your own machine is compromised.

You Are the Operator

GoldenClaw signs and routes orders with your encrypted exchange credentials, but you — not GoldenClaw — decide which orders are sent. Because those orders are issued through your AI client, configure exchange-side risk limits (maximum order size, daily loss caps, IP whitelisting) as a defense-in-depth layer that still holds if the client sends an order you did not intend.

Scope Isolation

API key scopes restrict what operations are possible:

Scope               | Can Do                         | Cannot Do
--------------------|--------------------------------|----------------------------
market:read         | Fetch prices, OHLCV, tickers   | View account, place orders
indicators:read     | Calculate technical indicators | View account, place orders
account:read        | View balances, positions       | Place or cancel orders
trade:futures:write | Place/cancel futures orders    | Access other market types

Create keys with the minimum required scopes. A market-data-only integration should never have trading scopes, and a futures trading bot does not need account:read unless it actually reads balances.

Transport Security

  • All API traffic uses HTTPS (TLS 1.2+)
  • MCP transport uses Streamable HTTP over HTTPS
  • No plaintext HTTP endpoints exist

API Key Best Practices

  • Keys are shown only once at creation — store immediately
  • Revoke compromised keys instantly from your Dashboard
  • Use separate keys per application and environment
  • Rotate keys periodically

Exchange API Key Best Practices

When creating exchange API keys for use with GoldenClaw:

  1. Disable withdrawals — GoldenClaw never needs withdrawal permission
  2. IP whitelist — If your exchange supports it, restrict the API key to specific IPs. Because GoldenClaw, not your own machine, makes the exchange calls, the whitelist must contain GoldenClaw's egress addresses; whitelisting only your own IP will block every request.
  3. Use sub-accounts — Create a dedicated sub-account for API trading
  4. Set trading limits — Configure maximum order sizes on the exchange side

Reporting Security Issues

Contact security@goldenclaw.sh for vulnerability reports. Do not disclose security issues publicly.