If you run a P2P merchant desk, you eventually need to hand your account data to a tool — a pricing bot, a dashboard, an accounting script. The safe way to do that is a read-only Binance API key for P2P: a key that can see your balances, order history, and account data, but can't move a single satoshi out. Set up right, even a leaked key is worthless to a thief.
This guide walks through exactly how to create one, which single permission to enable, why read-only is safe, and the boxes you must leave unchecked. I'll flag where Binance's own UI wording drifts, because it does.
Why read-only is the right key for a P2P tool
A pricing or monitoring bot needs to read things: your available USDT, your open P2P ads, your recent fills, your wallet balances. It does not need to place withdrawals, transfer funds internally, or open a futures position. So don't give it the ability to.
Binance's own security guidance lands in the same place — the most secure API key is one with minimal permissions, IP restrictions in place, and withdrawal access disabled, according to Binance Support. A read-only key is exactly that. The worst thing an attacker can do with a leaked read-only key is look at your account. Annoying, but not account-draining.
The whole point: with withdrawals off and IP restrictions on, a stolen API key and secret still can't take your money. That's the safety margin you're building here.
Step 1 — Get to API Management
Log in to Binance, click your profile icon, go to [Account], then [API Management], and click [Create API]. That's the path Binance documents in its how-to-create-API-keys guide.
One note before you click: this guide is for global Binance.com. Binance.US runs a separate site with its own help pages and a slightly different flow, so if you're on the US platform the screens won't line up perfectly.
Step 2 — Pick the key type
Binance offers two types when you create a key. The System-generated option is an HMAC symmetric key — Binance hands you an API Key and a Secret Key. The Self-generated option is asymmetric (Ed25519 or RSA), where you supply your own public key and keep the private one.
For a straightforward read-only P2P setup, the system-generated HMAC key is the normal choice — it's what most bots and dashboards expect. Pick that unless your specific tool asks for Ed25519 or RSA.
Save the Secret Key immediately
After you name the key, Binance makes you clear a security check — 2FA devices or passkeys — before it issues anything. Then it shows you the Secret Key once. That's it. It's displayed at creation time and cannot be retrieved later, per Binance's documentation. Copy it into your password manager the moment you see it. If you lose it, you delete the key and start over.
Step 3 — Enable only Reading
Here's the part that actually matters. A newly created key defaults to read access — the default restriction is Enable Reading, which grants read access to your transaction and account history. In Binance's API, the underlying permission field is literally named enableReading, and it sits alongside the ones you're going to leave off: enableSpotAndMarginTrading, enableWithdrawals, enableInternalTransfer, enableMargin, enableFutures, permitsUniversalTransfer, enableVanillaOptions, and enablePortfolioMarginTrading, as listed in the Binance Open Platform permission reference.
So the job is simple. Go into Edit Restrictions and make sure only Reading is on. Everything else stays unchecked.
A wording heads-up: at the time of writing the checkbox is commonly shown as Enable Reading, but Binance shuffles its labels, and some help pages phrase it "Enable Read" or "Read-Only." Whatever it's called on your screen, it's the read-access permission. Trust the intent, not the exact string.
What NOT to enable
For a P2P read-only tool, leave all of these off:
- Spot & Margin Trading — your bot is reading prices, not placing your trades.
- Withdrawals — never, on a key like this. This is the one that drains accounts.
- Internal Transfer and Universal Transfer — moving funds between accounts is still moving funds.
- Futures, Margin, Options, Portfolio Margin — irrelevant to reading P2P data.
And you don't need a special "C2C scope" or any P2P-specific permission on top of reading. Read access covers signed GET requests to your account and history data. If your particular tool hits a specific /sapi C2C or account endpoint, confirm that endpoint is covered by the reading permission — but there's no separate P2P toggle to hunt for.
Step 4 — Lock it to your IP (worth doing anyway)
Here's a nuance people get backwards. IP whitelisting is not required for a pure read-only key — read-only is precisely the permission you're allowed to hold without an IP restriction. Binance made that explicit: effective 2023-01-30 00:00 UTC, a system-generated HMAC key with an unrestricted IP can only hold Enable Reading and nothing else, per Binance Support. In other words, the platform pushes no-IP keys toward read-only by design.
But if your bot runs from a fixed IP — a VPS, a home connection with a static address — whitelist it anyway. It costs you nothing and it closes the door completely. With an IP whitelist, only the listed addresses can use the key. Someone holding both your API Key and Secret Key still can't make a single call from anywhere else, as JieCoin's whitelist guide explains. A leaked read-only key that's also IP-locked is about as dead as a leaked key gets.
How to add the whitelist
In API Management, find your key, click Edit Restrictions, choose Restrict access only to trusted IPs under IP Access Restrictions, enter your IP, and save after the security check. Binance accepts multiple IPs and CIDR notation — so a range like 192.168.1.0/24 works, per the same guide.
Separately, note that IP restriction becomes mandatory the moment you want anything beyond reading. To enable trading or withdrawals at all, you must add IPv4 access restrictions (or switch to self-generated Ed25519/RSA keys), and withdrawals specifically require a whitelisted IP, according to Binance. You're not doing that here — but it's why the read-only path stays so clean.
Step 5 — Plug it into your tool
You now have an API Key and a Secret Key that can see everything and touch nothing. Drop them into whatever's consuming them. If you're using VelosBot for P2P auto-pricing, this read-only key is all it needs to watch your account and adjust your ad prices — it never needs withdrawal or trading rights, and you should never give it any.
Quick reality check before you trust it in production: make a signed GET call for your account balance and confirm the data comes back. If it does, reading works. Then try something write-flavored and confirm it's rejected. That failure is the feature.
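One way to script that check and the Step 3 permission list together, as an added example that is not code from this guide or from Binance: it builds the HMAC-signed GET for a system-generated key and audits the returned permission flags. It assumes Binance's API key permission endpoint (/sapi/v1/account/apiRestrictions) and its ipRestrict field, neither of which this page names; the key, secret and sample responses are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import urlencode

BASE = "https://api.binance.com"
PATH = "/sapi/v1/account/apiRestrictions"  # assumption: endpoint not named on this page
# Fields from the page's permission list that must stay off on a read-only key.
MUST_BE_OFF = (
    "enableSpotAndMarginTrading", "enableWithdrawals", "enableInternalTransfer",
    "enableMargin", "enableFutures", "permitsUniversalTransfer",
    "enableVanillaOptions", "enablePortfolioMarginTrading",
)

def signed_request(api_key, secret, timestamp_ms, recv_window=5000):
    """Build URL and headers for a signed GET using a system-generated (HMAC) key."""
    query = urlencode({"recvWindow": recv_window, "timestamp": timestamp_ms})
    sig = hmac.new(secret.encode(), query.encode(), hashlib.sha256).hexdigest()
    return f"{BASE}{PATH}?{query}&signature={sig}", {"X-MBX-APIKEY": api_key}

def audit_restrictions(resp, require_ip_lock=True):
    """Return findings for a decoded permission response; an empty list means read-only."""
    findings = []
    if resp.get("enableReading") is not True:
        findings.append("enableReading is not on")
    for flag in MUST_BE_OFF:
        if flag not in resp:
            # Fail closed: an absent field is unknown, not safe.
            findings.append(f"{flag} missing, cannot confirm it is off")
        elif resp[flag] is not False:
            findings.append(f"{flag} is enabled")
    if require_ip_lock and resp.get("ipRestrict") is not True:
        findings.append("ipRestrict is off, key works from any address")
    return findings

# Constructed sample responses, not real account data.
READ_ONLY = dict({f: False for f in MUST_BE_OFF}, enableReading=True, ipRestrict=True)
OVER_SCOPED = dict(READ_ONLY, enableWithdrawals=True, ipRestrict=False)

if __name__ == "__main__":
    url, headers = signed_request("PLACEHOLDER_KEY", "PLACEHOLDER_SECRET", 1700000000000)
    print(url)
    for name, sample in (("read-only", READ_ONLY), ("over-scoped", OVER_SCOPED)):
        print(name, audit_restrictions(sample) or "OK")
```

Pass audit_restrictions the decoded JSON your HTTP client gets back from the signed URL; any finding means the key is wider than this guide intends.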
A few things to keep in mind
Binance changes its UI labels and its rules over time, so treat any exact wording here as "as of 2026" and glance at the live screen. There's also a widely repeated third-party claim that no-IP keys expire after 30 days — I'm not stating that as fact, because I couldn't confirm a specific expiry number on an official Binance page. If your key does go quiet, just regenerate it. Rules shift; check current guidance when in doubt.
None of this is financial or legal advice — it's operational hygiene for running a merchant desk. But it's the hygiene that separates traders who get wiped by a leaked key from the ones who shrug and rotate.
Once your read-only key is set, you can grab VelosBot and point it at your account, or head back to the homepage to see how the auto-pricing side works. Set the key up right once, and you never have to think about it again.