When creating an API key at Settings → API, Kraken asks you to select permissions. Granting too few causes EGeneral:Permission denied errors. Granting too many exposes you to unnecessary risk if the key is compromised.

Permissions by use case

| Use case | Required permissions |
| --- | --- |
| Market data only (public endpoints) | None — public endpoints require no key |
| Read account balances | Query Funds |
| Read order history and positions | Query Open Orders & Trades, Query Closed Orders & Trades |
| Algorithmic spot trading | Query Funds, Query Open Orders & Trades, Create & Modify Orders, Cancel/Close Orders |
| Market making | Query Funds, Query Open Orders & Trades, Create & Modify Orders, Cancel/Close Orders, Get WebSocket Token |
| Funding operations (deposits/withdrawals) | Query Funds, Deposit Funds, Withdraw Funds |
| Full institutional access | All of the above |
| Read-only monitoring dashboard | Query Funds, Query Open Orders & Trades, Query Closed Orders & Trades |
| Sub-account management | Query Funds, Create & Modify Orders, Cancel/Close Orders |

Permission descriptions

| Permission | What it enables |
| --- | --- |
| Query Funds | Balance, BalanceEx, TradeBalance |
| Query Open Orders & Trades | OpenOrders, QueryOrders, TradesHistory, QueryTrades, OpenPositions |
| Query Closed Orders & Trades | ClosedOrders, QueryOrders, TradesHistory, QueryTrades |
| Create & Modify Orders | AddOrder, EditOrder, AmendOrder, AddOrderBatch |
| Cancel/Close Orders | CancelOrder, CancelAll, CancelAllOrdersAfter, CancelOrderBatch |
| Query Ledger Entries | Ledgers, QueryLedgers |
| Export Data | AddExport, ExportStatus, RetrieveExport, RemoveExport |
| Access WebSocket API | GetWebSocketsToken — required for authenticated WebSocket subscriptions |
| Deposit Funds | DepositMethods, DepositAddresses, DepositStatus |
| Withdraw Funds | WithdrawMethods, WithdrawAddresses, WithdrawInfo, Withdraw, WithdrawStatus, WithdrawCancel |
| Earn | Earn/Strategies, Earn/Allocations, Earn/Allocate, Earn/Deallocate |

Security best practices

- Use IP whitelisting. Lock your API key to the IP addresses your trading system runs from. This single measure prevents almost all key misuse even if the key is leaked.
- Use separate keys per purpose. Give your market data service a read-only key. Give your order management system a trading key. Give your accounting system a ledger query key. If one is compromised, the blast radius is contained.
- Never embed keys in source code. Use environment variables or a secrets manager. Rotate keys periodically.
- Set the minimum permissions required. A key used only for placing orders does not need Withdraw Funds.

Withdrawal permissions should only be enabled on keys that genuinely need to move funds, and those keys should have strict IP whitelisting. A compromised key with withdrawal permissions is a direct financial risk.
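
One way to check a key against the minimum-permissions advice, as an added example (not Kraken's code): it uses the permission-to-endpoint table above to report which of a service's calls would be denied and which granted permissions can be dropped. The function names, the `HIGH_RISK` set and the sample key in the last lines are assumptions made for illustration.

```python
from itertools import combinations

# Permission -> endpoints, copied from the "Permission descriptions" table on this page.
_TABLE = {
    "Query Funds": "Balance BalanceEx TradeBalance",
    "Query Open Orders & Trades": "OpenOrders QueryOrders TradesHistory QueryTrades OpenPositions",
    "Query Closed Orders & Trades": "ClosedOrders QueryOrders TradesHistory QueryTrades",
    "Create & Modify Orders": "AddOrder EditOrder AmendOrder AddOrderBatch",
    "Cancel/Close Orders": "CancelOrder CancelAll CancelAllOrdersAfter CancelOrderBatch",
    "Query Ledger Entries": "Ledgers QueryLedgers",
    "Export Data": "AddExport ExportStatus RetrieveExport RemoveExport",
    "Access WebSocket API": "GetWebSocketsToken",
    "Deposit Funds": "DepositMethods DepositAddresses DepositStatus",
    "Withdraw Funds": "WithdrawMethods WithdrawAddresses WithdrawInfo Withdraw WithdrawStatus WithdrawCancel",
    "Earn": "Earn/Strategies Earn/Allocations Earn/Allocate Earn/Deallocate",
}
PERMISSION_ENDPOINTS = {perm: set(eps.split()) for perm, eps in _TABLE.items()}
HIGH_RISK = {"Withdraw Funds"}  # assumption: the one permission the page calls a direct financial risk

def min_cover(endpoints, allowed):
    """Smallest subset of `allowed` permissions covering `endpoints` (exact search, 11 permissions)."""
    useful = sorted(p for p in allowed if PERMISSION_ENDPOINTS[p] & endpoints)
    for k in range(len(useful) + 1):
        for combo in combinations(useful, k):
            if endpoints <= set().union(*(PERMISSION_ENDPOINTS[p] for p in combo)):
                return set(combo)
    raise ValueError(f"no permission covers: {sorted(endpoints)}")

def audit_key(granted, endpoints):
    """Compare a key's granted permissions with the endpoints its service actually calls."""
    granted, endpoints = set(granted), set(endpoints)
    known = set().union(*PERMISSION_ENDPOINTS.values())
    unknown = (endpoints - known) | (granted - set(PERMISSION_ENDPOINTS))
    if unknown:
        raise ValueError(f"not in the page's table: {sorted(unknown)}")
    reachable = set().union(*(PERMISSION_ENDPOINTS[p] for p in granted))
    denied = endpoints - reachable  # these calls fail with EGeneral:Permission denied
    # QueryOrders etc. are granted by two permissions, so pick the smallest set to keep.
    excess = granted - min_cover(endpoints - denied, granted)
    return {"denied": sorted(denied),
            "add": sorted(min_cover(denied, set(PERMISSION_ENDPOINTS))),
            "remove": sorted(excess),
            "high_risk_excess": sorted(excess & HIGH_RISK)}

if __name__ == "__main__":  # constructed sample: an order-management key that was over-granted
    print(audit_key({"Query Funds", "Query Open Orders & Trades", "Query Closed Orders & Trades",
                     "Create & Modify Orders", "Withdraw Funds"},
                    {"Balance", "AddOrder", "QueryOrders", "OpenOrders", "CancelOrder"}))
```
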

WebSocket authentication

WebSocket private channels (executions, balances, open orders) require a short-lived token rather than your API key directly. Obtain it via the REST endpoint before opening your WebSocket connection:

```
POST /0/private/GetWebSocketsToken
```

The token is valid for 15 minutes. Your API key must have the Access WebSocket API permission enabled.

```json
{
  "error": [],
  "result": {
    "token": "WW91ciBhdXRoZW50aWNhdGlvbiB0b2tlbiBnb2VzIGhlcmUu",
    "expires": 900
  }
}
```

Use this token in your WebSocket subscription messages — never send your API key directly over WebSocket.
