Chat with us
Trade-only · Encrypted · Auditable

Security you can audit,
not just trust.

How we handle keys, funds, audit trails, and the things we deliberately refuse to do.

Encrypted at rest
API keys, exchange secrets, and credentials are encrypted at rest before being persisted. We never store plaintext.
Trade-only permissions
We require, and only ever accept, API keys with trade scope. Withdraw and transfer permissions are explicitly rejected at key intake.
Isolated DEX wallets
On-chain bots run from a dedicated trading wallet you create. Its key is encrypted at rest and used only to execute the swaps you configure. Fund it with trading capital only.
Full audit log
Every order placed, fill received, and config change is logged with timestamp and source. Visible to you in real time.
Encryption

Your keys are never stored in plaintext.

API keys and exchange secrets are encrypted at rest at the point of intake, and access is isolated from any public-facing endpoint. When a bot needs to issue an order, the credentials are decrypted in a short-lived in-memory context and discarded immediately after the API call returns. Keys are never exposed through the product: no dashboard view, export, or support tool reveals them.

Permissions

Trade-only API scopes. Always.

Every CEX integration requires API keys with trade scope only. No withdraw, no transfer, no internal-conversion permissions. We validate the scope at key intake and reject any key that includes restricted capabilities.

Practically, this means the worst-case impact of any breach (yours, ours, or the exchange's) is a bad trade. Not a missing balance. We cannot move your funds even if we wanted to.

DEX architecture

Isolated DEX trading wallets.

On-chain bots run from a dedicated trading wallet, separate from your main wallet. You provide that wallet's key, which is encrypted at rest and used only to construct and execute the swaps you configure. We never ask for your primary wallet's key. Because the bot signs autonomously with this key, treat the DEX wallet as a hot trading wallet: fund it only with capital you're actively trading, and withdraw anytime.

Audit log

Every action. Logged. Visible. To you.

Every order placed, every fill received, and every config change is recorded with a timestamp, source identifier, and full parameters. The audit log is visible in the dashboard in real time, filterable by bot, venue, time range, and event type, and we can share your full log file on request. There is no internal data we hide from the account that owns it.

Operational security

Monitored around the clock.

Monitoring
24/7
Alerts
Real-time

What we never do.

The constraints we lock in are as important as the features we build.

  • Request withdraw permissions
    Even if an exchange offers it, we don't accept it. Trade-only or nothing.
  • Hold custody of your CEX funds
    On CEX, funds stay in your exchange account under a trade-only key, and we can never withdraw them.
  • Ask for your tokens or treasury
    We charge a flat subscription. We never take a token allocation, loan, or treasury transfer to operate your bots.
  • Trade your account for our own benefit
    We don't run a prop desk. Your bot trades for you, against the market, never against you.
  • Modify your strategy without consent
    All parameter changes are made by you in the dashboard. We don't push updates to live bots.
  • Share your data with third parties
    Account data, bot configs, and trade history are yours. Never sold, syndicated, or shared.

Verify us against any other MM service.

Use this checklist before trusting anyone, including us, with your token's market.

  • Are the API permissions trade-only?
    Yes. We explicitly reject keys with withdraw scope.
  • Who controls the DEX wallet?
    You do. The bot uses a dedicated wallet you create and fund. We never hold your primary wallet.
  • Can I see every order the bot places?
    Yes. Real-time audit log in the dashboard, filterable by bot/venue/date.
  • Can I stop the bot instantly?
    Yes. A single click stops a bot and cancels its open orders.
  • Does the operator have a track record I can verify?
    Yes. Coinner has been operating since 2021. Team contactable on Telegram and email.
  • Is there a clear way to report security issues?
    Yes. Responsible disclosure inbox below. We respond within 24h.

Security questions.

Found a security issue?

Email contact@coinner.co or reach out on Telegram. We acknowledge security reports within 24 hours and work with researchers in good faith. We don't run a public bug bounty yet, but we credit responsible disclosures.

Trust, verified.

The architecture is designed so that nothing about your safety depends on us being honest. Verify it yourself, then start a bot.