This is a fantastic question and something we should provide more explicit guidance on. Let me get together with some of our smarter folks to provide details on how data is protected at rest and in transit. That’s on our side.
But there is solid security inherent in the Coinbase API permissions. This is part of why we chose Coinbase.
For reference: https://docs.pro.coinbase.com/#api-key-permissions
Permissions are broken down as follows:
1. View – Allows a key read permissions. This includes all GET endpoints.
2. Transfer – Allows a key to transfer currency on behalf of an account, including deposits and withdraws. Enable with caution – API key transfers WILL BYPASS two-factor authentication.
3. Trade – Allows a key to enter orders, as well as retrieve trade data. This includes POST /orders and several GET endpoints.
We only require you turn on “View” and “Trade” (1 and 3). These do not facilitate transfers out of Coinbase.
“Transfer” (2) introduces the most risk. You should not have that turned on for our API.
Some other steps to take:
– Ensure you have 2FA on for Coinbase Pro
– Ensure you have 2FA on for Crypto-ML: https://crypto-ml.com/two-factor-authentication/