Built so we couldn't steal from you if we wanted to.
Non-custodial by design. You create a Bitfinex API key with withdrawals disabled — Stratum can read your balances and place or cancel funding offers, nothing else.
Non-custodial
Your funds never leave your Bitfinex account. We hold no custody, no escrow. Stratum is a permissions-scoped automation layer — not a wallet.
Scoped API keys
You create the API key on Bitfinex with withdrawals disabled — Stratum never needs that permission. When you add a key we read its real scopes from Bitfinex and reject it outright if withdrawal (or trading) is enabled, so a withdraw-capable key is never stored or activated.
Encrypted at rest
API secrets are encrypted at rest with AES-256-GCM. Never logged in plaintext, never sent to telemetry, redacted from crash reports.
Reproducible builds
Deployed from pinned, reproducible Docker images with dependency and static-analysis checks in CI. An independent third-party security audit is on our roadmap.
Two-factor auth
TOTP two-factor with backup codes. Required before any API-key write. Broader passkey / hardware-key support is planned, not yet shipped.
Responsible disclosure
Found something? Email [email protected]. We acknowledge reports, fix verified issues quickly, and credit researchers who want it. A funded bounty program is planned.