To set up your API keys on VALR, follow these steps:
1. Sign in to your VALR account using your verified email address and password.
2. Enable 2FA
You must enable app-based two-factor authentication (2FA), such as Google Authenticator.
- API keys cannot be generated unless 2FA is enabled.
- For help enabling 2FA, see the relevant help guide.
3. Navigate to API Keys
Go to your Main Account or sub-account where you want to generate the API key.
From the top right corner of the home page, click API Keys.
Here you can view existing keys or create a new one.
4. Generate a new API key
Give the key a name and select the permissions you want to grant:
- View: View balances, orders, and trade history
- Trade: Place buy and sell orders
- Withdraw: Programmatically withdraw funds
- Internal Transfer: Move funds between primary and sub-accounts
- Link Bank Account: Link bank accounts for fiat deposits and withdrawals
5. Click Next once you have selected the required permissions.
6. Check your email
An authorisation email will be sent to your verified email address.
Open the email, click the authorisation link, and enter your 2FA code.
7. Copy and store your API Key and API Secret securely, then click Confirm.
Important note:
The API Secret is only displayed once. Make sure you copy and store it before closing the screen.
ONE-TIME TOKEN (OTT) FOR THIRD-PARTY INTEGRATIONS
A One-Time Token (OTT) allows you to grant API access to a trusted third-party service without sharing your credentials directly. It is used by the VALR AI Assistant to securely obtain API access on your behalf.
How it works:
1. Create and generate a One-Time Token from your VALR account.
2. Share the token with the third-party service.
3. The third party exchanges the token for an API key by calling:
Endpoint: POST /v1/partner/exchange
Request body:
{ "ottToken": "your-token-here" }
4. The third party receives an API key and API secret in the response.
5. The OTT is immediately invalidated after it is exchanged. It can only be used once.
Important:
- An existing API key (read-only is sufficient) is required to exchange an OTT.
- The OTT is single-use and cannot be reused.
- The OTT is time-based and will expire if not exchanged within the configured window.
- The expiry is set to a default of 15 minutes.
- The permissions of the resulting API key are determined when the OTT is created.
SECURITY RECOMMENDATIONS
- Do not share your API key or API secret with anyone.
- Do not send your API secret with API requests. Only the API key is used for request signing.
- Do not commit your API secret to source control.
- If your API key or secret is compromised, delete it immediately from your settings page.
- The generated API key and secret are each 64 characters long and consist of letters and numbers.
- Always minimise the permissions of an API key to reduce risk.
- For details on making authenticated API calls, refer to the official Authentication documentation.
- Only share OTTs with third parties that you trust
For any other query, please reach out to our support team