The legal documents on this page are governed by the laws of the Republic of Türkiye and are originally published in Turkish. Translations are provided for informational purposes only; the Turkish text prevails in case of any dispute.

API Security and Encryption

Last updated: April 2, 2026

🔐 Our Security Commitment

The security of your API keys is our highest priority. Your keys are protected with industry-standard AES-256 encryption and are never stored in plain text.

1. API Key Storage

  • AES-256 Encryption: Your API key and secret values are encrypted on the server side using the AES-256 algorithm.
  • Encryption Key Isolation: The encryption key is stored in a secure environment separate from the database.
  • Masking: In the user interface, your API key is shown masked, with only the first 6 and last 4 characters visible (e.g. ABcDeF...xYz1).
  • No Plain Text: Your API keys are never transmitted in plain text to log files, error reports, or third-party services.

2. API Key Permission Requirements

The following minimal permissions are sufficient for your exchange connection with Next Candle Predictor:

Read: Viewing balance and position information
Trade: Required only if you use semi-automatic or fully automatic mode
Withdraw: DO NOT GRANT — The Platform never performs withdrawal operations

3. IP Restriction Recommendation

We strongly recommend setting an IP restriction on your exchange API key. This way, your API key can only be used from specific IP addresses, preventing misuse even in the event of a leak.

4. Data Communication Security

  • All API communication takes place over HTTPS encrypted with TLS 1.3.
  • WebSocket connections use the WSS (WebSocket Secure) protocol.
  • Exchange API calls require each request to be signed with HMAC-SHA256.

5. Disconnecting an API Key

You can remove your API key at any time via Settings → Exchange Connection. When the connection is removed:

  • Your encrypted API keys are permanently deleted from our database.
  • Your active positions remain as they are on the exchange (the platform does not auto-close positions).
  • We also recommend that you delete the API key on the exchange side separately.

6. Security Breach Protocol

In the event of a possible security breach:

  • Affected users are notified within 24 hours.
  • All encrypted keys are immediately invalidated.
  • Users are advised to renew their API keys on the exchange side.
  • A notification is made to the relevant authorities within 72 hours under KVKK.

7. User Responsibilities

  • Do not share your API keys with third parties.
  • Do not grant Withdraw permissions.
  • Set up IP restriction whenever possible.
  • If you notice suspicious activity, immediately disconnect and contact us.

8. Contact

For questions related to API security:

Email: security@nextcandlepredictor.com