How Enigma's custody model works.

The short version

Your assets sit in your exchange account. They do not move through Trader Origin, and Trader Origin cannot move them. What we hold is a trading-scoped credential — an API key pair on the CEX connectors (Bybit, Binance, Blofin, Lighter), or an API-wallet private key on Hyperliquid (a separate sub-key that Hyperliquid lets you authorise for trading only, with no withdrawal rights). In every case the credential is limited to the permissions you granted on the exchange itself, it is encrypted at rest on our servers, and you can revoke it at any time from the exchange's own settings.

What an exchange API key actually is

When you trade on an exchange through its web interface, you log in with a password (and usually a second factor). Behind the scenes, your browser authenticates each request to the exchange's API using a session token. An API key is the non-browser equivalent: a long random string paired with a secret that an external application can use to call the same API endpoints you would reach through the website.

Crucially, every major exchange lets you scope what an API key is allowed to do. The typical permission set looks like: read-only (view balances and history), spot trading, futures or perpetuals trading, and withdrawals. Each of those is a separate switch, and each can be turned off independently.

The permissions to grant — and the permission never to grant

For Enigma to execute orders for you, it needs trading permissions on the markets you intend to trade (spot, futures, or both). It needs read permissions so it can show you your balances, positions, and order history in the interface. That is all.

Never grant withdrawal permissions — not to Enigma, not to any trading tool, not to any third party. Even if an application explicitly asks for them, the right answer is to refuse. Trading tools do not need to move funds off the exchange to operate; the exchange executes the trade against the balance you already hold there. A withdrawal-enabled key is the single most dangerous credential a trader can create, because any compromise of that key — via a malicious tool, a phished copy, a data leak, or a machine infected with malware — allows an attacker to drain the account rather than merely trade it.

In Enigma, the connection screen walks through these settings explicitly. If you want to be cautious, start with a read-only key, confirm the balances populate correctly, then replace it with a trading-and-read key once you are ready to enable live mode.

How Enigma stores and uses the key

When you add an API key, it is transmitted over TLS to the Enigma backend and encrypted at rest on our servers. We do not store or log the raw key material in plaintext anywhere. When Enigma needs to call your exchange — to fetch your balance, to fill an order you instructed, to cancel a resting order — the encrypted record is decrypted into memory, used for that specific request, and the decrypted value is not persisted back to disk.

This model is intentionally narrow. The server holds a secret only long enough to relay an order you instructed, but it does not hold a secret that would be valuable for an attacker to steal en masse. Even in the worst-case scenario of an attacker obtaining the encrypted store, the data would still need the decryption material to be usable.

Revocation is always on the exchange side

Because the API key is issued by your exchange, your exchange is the authoritative place to revoke it. If you suspect a key is compromised — you installed a suspicious browser extension, your password is in a breach dump, someone borrowed your laptop — go to the exchange's API settings and delete the key immediately. The revocation takes effect the moment it is saved; no further requests signed with that key will work anywhere.

You do not need to tell Enigma first. Revoking the key on the exchange makes the key useless; Enigma's next attempt to use it will simply fail the exchange's authentication check, and you can remove the stale record from Enigma when it is convenient.

API keys, main wallets, and Hyperliquid's agent model

This is worth separating because the terminology is confusing. On an on-chain, non-custodial protocol the master credential for a wallet is a private key. Whoever holds the master private key can move any asset the wallet owns, irrevocably, without asking anyone. A leaked master private key is, with very few exceptions, the end of that wallet's balance.

Centralised exchange API keys are fundamentally different. They are scoped credentials issued by a service provider who can invalidate them. They can be restricted to specific IP addresses, limited to specific permission sets, rotated on a schedule, and revoked in one click. For Bybit, Binance, Blofin, and Lighter, Enigma only ever receives a scoped API key pair — never a wallet private key of any kind.

Hyperliquid is different by design. Because Hyperliquid is an on-chain venue, trading happens through a key pair rather than a username/password-derived API key. To avoid handing over the master wallet, Hyperliquid's own settings let you generate a separate API wallet — a fresh Ethereum key pair that you explicitly authorise on Hyperliquid to trade on behalf of your main wallet, with no ability to withdraw funds. When you connect Hyperliquid to Enigma, what you paste is the private key for that API wallet — not your main wallet's private key. Enigma encrypts the API wallet key at rest (the same AES-based envelope used for API-key secrets on the CEX connectors), decrypts it in memory when you instruct an order, and can be revoked at any time from Hyperliquid's own API-wallet list.

The short version: nothing that Enigma stores can withdraw funds from any exchange or on-chain wallet. Your master wallet private key — if you have one — never leaves your device and never needs to.

Sensible hygiene

A few practices that apply to every trading tool, not just Enigma:

• Keep withdrawal permission disabled on any API key you issue to a third-party application.
• Enable two-factor authentication on the exchange account itself, with a hardware or app-based second factor rather than SMS.
• Where the exchange supports it, bind the API key to an IP allowlist containing only the addresses the application actually connects from.
• Rotate keys periodically — delete the old key, issue a new one, update the tool. Quarterly is a reasonable cadence.
• Keep the device you use for trading patched, avoid browser extensions from untrusted sources, and do not share the key string with anyone who asks for it.
• If anything looks wrong — unexpected orders, balance movements you did not authorise — revoke every API key on that exchange first and investigate afterwards.

What to expect when connecting

In Enigma, connecting an exchange is a one-screen flow. For the CEX connectors (Bybit, Binance, Blofin, Lighter) you paste the API key and secret you issued on the exchange, confirm the permission scope, and save. For Hyperliquid you paste the API-wallet private key you authorised on Hyperliquid's own interface — Enigma shows a side-by-side reminder that it should be the API wallet, not your main wallet. In either case the connection test runs automatically; failures are almost always a permission mismatch or an IP allowlist issue rather than something that requires sharing the credential with anyone.

From that point on, your balances and positions appear in the Enigma interface alongside the charts you already watch. No order is placed without your explicit action — either a manual order you click, or a strategy you have configured and started in live mode. You remain in control of the account at all times, and you can pause or stop any automated logic with a single click.