What is changing?
Gemini has introduced a new security feature that allows API key functionality to be restricted to a set of trusted IP addresses. As part of this change, Gemini is requiring users to update their existing Trading API keys and either add trusted IPs or set the keys as Unrestricted.
When does this need to be done?
June 30, 2025 by 9pm ET
Who does this affect?
Any client using Trading API keys for both REST and FIX. Customers who use Trading API keys for Auditor, Admin, or Fund Management functions will also need to take action.
What’s a Trading API key?
An API key is a unique identifier made up of a key and secret that authenticates and authorizes a customer to interact with Gemini’s APIs. A Trading API key is specifically permissioned to allow the user to access endpoints that can be used for trading, like placing an order or cancelling an order.
When creating an API key, Gemini gives customers the flexibility to assign a role to each API key. Those roles are Trading, Auditor, and Fund Management. Trading API keys can place and cancel orders, and can also perform functions associated with other roles (e.g., Check Balances).
How do I know if my API Key is a Trading key?
After signing in to your Gemini app on web or mobile, go to Settings > API. You will have a list of all API keys and the role is found under “Permissions.”
How do I change my API Key?
After signing in to your Gemini app on web or mobile, go to Settings > API and navigate to the ellipsis of your existing API key(s) and click Edit.
Why is Gemini doing this?
Gemini is committed to providing users with safe and secure access to its products. As such, we are always looking for ways to improve our security posture and this change is a step towards providing users with a greater degree of control over how and where their accounts can be accessed.
Do I have to allowlist my API keys?
No. We encourage you to do so, but if you would prefer not to assign Trusted IPs to your API keys, you may select Unrestricted access for your API keys.
What if I don’t do anything?
We will begin blocking access by Trading API keys that have not been affirmed (IPs allowlisted, or set as Unrestricted) on June 30, 2025.
Will this impact all API keys?
No, only keys that have the Trading role assigned.
Can I add Trusted IPs to non-Trading API keys (i.e., Auditor and Fund Management keys)?
Yes.
What if I don’t know my IP?
You can choose to set your API keys to Unrestricted for now. If you are able to get your IP information to allowlist in the future, the key’s settings can be updated at any time.
What if I use a VPN?
Unless you are 100% certain of the policies by which your VPN provider assigns IPs, you will likely want to select Unrestricted.
Is this process different for master and account API keys?
You will need to take these actions for each API key in your account or account group regardless of the key’s scope. These updates can be performed by any account admin (in the case of account-scoped keys) or any group admin (in the case of master-scoped keys).
If you have group-level admin access, you’ll be able to make the necessary changes across all accounts within your group.
If you’re an admin at the subaccount level, you’ll only be able to make changes for that specific subaccount. In either case, the required actions will need to be completed for each account you manage.
Can I just create new API keys instead?
Yes. You will need to either assign Trusted IPs or select Unrestricted for any new API key that you create. If you are no longer going to use your old API key, it is strongly recommended that you delete the unused key.
Are there other security-related best practices we should do?
There are a number of security-related best practices Gemini recommends:
- Deleting unused API keys
  - If you stop using an API key for any reason, delete it.
- Ensuring appropriate permissioning for API keys
  - For example, avoid using a Trading API key for Fund Management functions.
- Using a password manager for API keys
  - Secure your sensitive information with the appropriate tools.
- Avoiding sharing your API key information
  - Treat your keys with the appropriate care, and share them only on a need-to-know basis.
See our most recent blog on Protecting Your Crypto Portfolio