Connection Security
What Sigma Engine Can Do
- Place limit orders on your account based on settings you provide
- Cancel orders on your account
- Read positions and balances
What Sigma Engine Cannot Do
- Withdraw funds from your account
- Transfer funds to other addresses
- Access other users' accounts
- Modify account settings or permissions
Revoking Access
You can revoke access at any time:
- Linked Signer: Go to the exchange's settings → Linked Signers → Revoke
- API Keys: Go to the exchange's API Management → Delete the API key
After revoking, the bot can no longer place orders on your behalf. Your funds remain safe. You'll need to reconnect if you want to resume trading.
Credential Encryption
All credentials (signer keys, API keys, API secrets) are encrypted at rest using Fernet (AES-128-CBC with an HMAC-SHA256 authentication tag, so a modified ciphertext is rejected rather than decrypted). Encryption keys are stored in environment variables, never in code or logs.
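The scheme described above, as an added example that is not Sigma Engine's own code: Fernet from the `cryptography` package, with the key read from an environment variable (the variable name `SIGMA_CREDENTIAL_KEY` is an assumption) and the HMAC check rejecting a token that was modified in storage or encrypted under a different key.

```python
"""Credential-at-rest encryption with Fernet (AES-128-CBC + HMAC-SHA256), key from the environment."""
import base64
import os
from typing import Mapping, Optional

from cryptography.fernet import Fernet, InvalidToken

ENV_VAR = "SIGMA_CREDENTIAL_KEY"  # assumed variable name; the page does not state it


def load_fernet(env: Mapping[str, str] = os.environ) -> Fernet:
    """Build the cipher from the key in the environment. The key never appears in code or logs."""
    key = env.get(ENV_VAR)
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set; refusing to handle credentials without a key")
    return Fernet(key)


def encrypt_secret(f: Fernet, secret: str) -> bytes:
    """Token layout: 0x80 | timestamp | 16-byte IV | AES-128-CBC ciphertext | HMAC-SHA256 tag."""
    return f.encrypt(secret.encode())


def decrypt_secret(f: Fernet, token: bytes) -> Optional[str]:
    """Verify the HMAC before decrypting; a modified or foreign-key token yields None, never garbage."""
    try:
        return f.decrypt(token).decode()
    except InvalidToken:
        return None


def tamper(token: bytes) -> bytes:
    """Flip one bit inside the ciphertext (past the 25-byte header) and re-encode the token."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[30] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw))


def roundtrip_check(key: bytes, secret: str) -> tuple[Optional[str], Optional[str]]:
    """Return (decrypted original, decrypted tampered) for a fresh cipher under `key`."""
    f = Fernet(key)
    token = encrypt_secret(f, secret)
    return decrypt_secret(f, token), decrypt_secret(f, tamper(token))


if __name__ == "__main__":
    # Demo only: generate a throwaway key. In deployment the key is provisioned in the environment.
    demo_key = Fernet.generate_key()
    good, bad = roundtrip_check(demo_key, "api-secret-EXAMPLE")
    print("intact token ->", good)   # the stored API secret
    print("tampered token ->", bad)  # None: HMAC mismatch caught before any decryption
```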
Session Security
All authenticated API requests use JWT (JSON Web Tokens) with a short-lived expiry. A token is issued once your wallet signature has been verified and must be included in every request. Sessions expire automatically — if your token expires, you sign in again with your wallet. There is no password to steal or phish.
Vault Security
Vault deposits go to a hardware wallet — not a smart contract. Yield payouts are sent directly to your wallet, never held as a platform balance. This means even in a worst-case platform compromise, your earned yield is already in your possession.