Trading means connecting real money, so security is foundational to how Formion is built.
Formion is non-custodial. It connects to your exchange through API keys and only ever places trades on your behalf; it cannot withdraw. Your funds stay on your own exchange or in your own wallet at all times.
- Use trade-only API keys (enable trading; leave withdrawals disabled).
- When connecting, add the Formion IP whitelist to your key (see How to Start → API Connection).
- All API keys, secrets and sensitive credentials are AES-256-GCM encrypted at rest.
- Traffic is encrypted in transit (TLS).
- Wallet keys (if you choose full mode) are encrypted; you can also link wallets read-only.
- Two-factor authentication (2FA): enable it in your profile; mandatory for Institutional team accounts.
- Session management: review and revoke active sessions any time.
- Recovery email and login activity log.
When you connect your own AI provider keys, they're stored with the same AES-256-GCM encryption and used only for your requests.
- Keep API-key withdrawal permission OFF.
- Use a sub-account per bot where your exchange supports it.
- Enable 2FA and a strong, unique password.
- Pause or revoke a key any time from your exchange; bots stop immediately.
{% hint style="info" %} Found a security issue? Email support@formion.ai. {% endhint %}
