How We Secure Your API Keys
When you connect an exchange account, you are placing trust in us. This page explains every technical control we have in place to protect your API credentials — no marketing language, no vague assurances.
Your keys are encrypted before they hit the database and masked on every retrieval.
Keys encrypted in PostgreSQL via pgcrypto before storage
Secrets are never transmitted back to your browser
Withdrawal access must never be granted — and is never needed
What your API keys are used for
Nova requires exchange API keys to place and manage trades on your behalf. Without trading permission, the bot cannot open positions, set stop-losses, or close trades. Read-only keys are not sufficient for automation.
Your keys are only used to execute the trades you have authorized through your strategy configuration. They are never shared with third parties, used for any purpose other than your own trading activity, or accessed by any system except the Nova execution engine.
Nova does not support, request, or use withdrawal permissions. If your exchange allows you to create keys with trading access but without withdrawal access, we strongly recommend doing so.
| Permission | Required | Notes |
|---|---|---|
| Read (account info) | Yes | Needed to check balances and positions |
| Trade (buy / sell) | Yes | Required to open and close positions |
| Withdraw / transfer | Never | Do not grant this — Nova does not need it |
| Sub-account management | No | Not used |
| IP whitelisting | Recommended | Add Nova VPS IP for an additional layer |
AES-256 at rest. Masked on retrieval. Never plaintext.
Database-level encryption
API keys and secrets are encrypted using PostgreSQL's pgcrypto extension (pgp_sym_encrypt) before they are written to the database. They are stored as encrypted bytea columns — the database never holds plaintext credentials.
Separate encryption key
The encryption key used to protect your credentials is not stored in the database. It is maintained as a separate server-side secret in the Horizon API environment, independent of the database file system.
Masked retrieval only
When your dashboard displays a connected key, only a masked version is shown (first 4 characters + last 4 characters). Your raw API secret is never transmitted back to the browser at any point.
Encryption key rotation
We maintain a procedure to re-encrypt all stored credentials under a new encryption key without exposing plaintext at any point during the rotation. This can be performed as a security response measure.
Multiple layers before any key is touched
Firebase authentication
Every API request is validated against a Firebase JWT token. Unauthenticated requests are rejected before reaching any key-related endpoint.
Email verification required
Your email address must be verified before the system will accept or store any API key submission. Unverified accounts cannot connect exchanges.
Rate limiting on all endpoints
Key read, write, and delete endpoints are individually rate-limited. Brute-force or enumeration attempts are throttled automatically.
Keys are scoped to your account
Every key is stored with your user ID (uid). Queries for keys always include uid as a filter — cross-user access is not structurally possible.
Soft deletion
When you remove a connected exchange, the key record is marked inactive rather than deleted immediately. This prevents accidental permanent loss while still disabling key use.
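How the storage controls described above (pgcrypto encryption with a key held outside the database, masked retrieval, re-encryption on rotation, uid-scoped queries and soft deletion) can fit together in PostgreSQL, as an added example that is not Nova's own code. The table, column and statement names, the key_version column and all sample values are assumptions made for illustration.

```sql
-- Hypothetical schema and statement names; PostgreSQL with the pgcrypto extension.
CREATE EXTENSION IF NOT EXISTS pgcrypto;
CREATE TABLE exchange_keys (
    id             bigserial PRIMARY KEY,
    uid            text    NOT NULL,            -- owner; every query filters on it
    exchange       text    NOT NULL,
    api_key_enc    bytea   NOT NULL,            -- pgp_sym_encrypt output
    api_secret_enc bytea   NOT NULL,
    key_version    integer NOT NULL DEFAULT 1,  -- which encryption key wrapped the row
    is_active      boolean NOT NULL DEFAULT true
);

-- Write path. $5 is the encryption key, sent by the application from its own
-- environment as a bind parameter and never stored in the database.
-- pgcrypto defaults to aes128, so AES-256 must be requested explicitly.
PREPARE store_key(text, text, text, text, text) AS
INSERT INTO exchange_keys (uid, exchange, api_key_enc, api_secret_enc)
VALUES ($1, $2,
        pgp_sym_encrypt($3, $5, 'cipher-algo=aes256'),
        pgp_sym_encrypt($4, $5, 'cipher-algo=aes256'));

-- Dashboard read path: scoped to the caller's uid, returns only a mask of the
-- API key (first 4 + last 4 characters) and never selects the secret column.
PREPARE list_keys(text, text) AS
SELECT id, exchange, left(k, 4) || '****' || right(k, 4) AS api_key_masked
FROM exchange_keys,
     LATERAL pgp_sym_decrypt(api_key_enc, $2) AS k
WHERE uid = $1 AND is_active;

-- Soft delete: the row stays, but the key is no longer selectable for use.
PREPARE remove_key(text, bigint) AS
UPDATE exchange_keys SET is_active = false WHERE uid = $1 AND id = $2;

-- Rotation: decrypt and re-encrypt inside one expression, so plaintext is never
-- written back or returned to the client. key_version makes the run resumable.
PREPARE rotate_keys(text, text, integer) AS
UPDATE exchange_keys
SET api_key_enc    = pgp_sym_encrypt(pgp_sym_decrypt(api_key_enc, $1), $2, 'cipher-algo=aes256'),
    api_secret_enc = pgp_sym_encrypt(pgp_sym_decrypt(api_secret_enc, $1), $2, 'cipher-algo=aes256'),
    key_version    = $3 + 1
WHERE key_version = $3;

-- Constructed sample values; a real application passes these as driver bind parameters.
EXECUTE store_key('user-123', 'example-exchange', 'AKEXAMPLE1234567890', 'constructed-secret', 'old-enc-key');
EXECUTE list_keys('user-123', 'old-enc-key');
EXECUTE rotate_keys('old-enc-key', 'new-enc-key', 1);
EXECUTE list_keys('user-123', 'new-enc-key');
```

Because pgcrypto runs inside the database server, the encryption key and plaintext still cross the client connection and exist in server memory during each call, so the connection should use TLS and statement logging should not capture parameter values.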
Honest disclosure: what we can and cannot do
We believe in being direct. Here is an honest account of what is technically possible, and what is enforced by design.
What we cannot do (enforced by design):
- ✓ Withdraw funds from your exchange
- ✓ Transfer between accounts
- ✓ Return your raw API secret to the browser
- ✓ Share your keys with third-party services
- ✓ Use your keys for any account other than your own
What is technically possible:
- → Execute trades authorized by your strategy configuration
- → Decrypt your keys server-side to authenticate API calls — this is required for the bot to operate
- → Access your keys if our server infrastructure were compromised — which is why we strongly recommend trade-only scoping and IP whitelisting at your exchange
No custodied key system can claim otherwise. The important safeguard is limiting scope: a trade-only key with no withdrawal access limits the blast radius of any breach.
Recommended steps when connecting your exchange
If you believe your key has been compromised
Step 1: Immediately go to your exchange and revoke the API key. This cuts off access at the source regardless of what any third-party system holds.
Step 2: In Nova settings, delete the connected exchange entry for that key. This marks it inactive in our system.
Step 3: Contact us at security@novabyhorizon.com so we can investigate from our end and confirm the key is fully inactive.
Questions about security?
We are happy to go deeper on any of these controls. Reach out directly — we will give you a straight answer.
No system can guarantee absolute security. The controls described on this page reflect the current implementation. Security practices are reviewed and updated regularly. Trading involves financial risk independent of platform security — Nova by Horizon is a trading tool, not financial advice.