API Key & Broker Credential Security

Version 1.0 | Last Updated: June 8, 2026

1. Purpose

This document describes how Argix Labs handles broker API credentials provided by users of the Platform.

2. Credential Requirements

To use the Platform’s trading features, users must provide broker API credentials with trade-execution permissions. The Platform requires the ability to:

  • Read account information (balances, positions, order history)
  • Submit new orders (market, limit, stop)
  • Modify and cancel existing orders
  • Access market data

Read-only API keys are NOT sufficient for the Platform’s core trading functionality.

3. Encryption

  • All broker API credentials are encrypted at rest using AES-256-GCM symmetric encryption.
  • Encryption keys are managed separately from encrypted data.
  • Credentials are decrypted only in-memory during trade execution and are never written to disk in plaintext.

4. Access Controls

  • Encrypted credentials are stored in the application database.
  • Access to the database is restricted to the application service layer.
  • No administrative user can view decrypted credentials.
  • Credentials are never sent to the frontend, included in API responses, logged, or displayed in the UI after initial submission.

5. Credential Lifecycle

Event | Action
User submits credentials | Validated against broker API, then encrypted and stored
Trade execution | Decrypted in-memory, used for API call, immediately discarded
User disconnects broker | Encrypted credentials permanently deleted
User deletes account | All associated credentials permanently deleted
Credential rotation | Old credentials deleted, new credentials encrypted and stored

6. Incident Response

In the event of a suspected credential compromise:

  1. All affected credentials will be immediately invalidated.
  2. Affected users will be notified within 72 hours.
  3. Users will be instructed to rotate their broker API keys immediately.
  4. A post-incident review will be conducted.

7. User Responsibilities

Users are responsible for:

  • Generating API keys with the minimum permissions necessary.
  • Securing their own Argix Labs account credentials.
  • Monitoring their brokerage account for unauthorized activity.
  • Rotating API keys periodically.
  • Revoking API keys if they suspect compromise.

8. Current Limitations

  • The Platform does not currently support OAuth-based broker authentication.
  • Credentials are stored in the application database, not a dedicated secrets manager (planned improvement).
  • No hardware security module (HSM) is currently used for key management (planned improvement).

© 2026 Argix Labs, LLC. All rights reserved.

This platform is provided by Argix Labs, LLC. Argix Labs is not a registered broker-dealer, investment adviser, or commodity trading advisor. Algorithmic trading involves substantial risk of loss, including the potential loss of your entire investment. Past performance and backtesting results are not indicative of future results. Not investment advice.