Every conversation I have with a new crypto trading bot user ends up at the same question eventually. Usually by email, sometimes in a Discord DM, almost always worded the same way: "How do I know the bot is not going to run off with my money?"

It is the right question. The history of crypto is the history of good tools and bad custody. A trading bot is a piece of software that needs access to your exchange account to do its job. That access is the thing you have to get right. Get it right and a bot is boring infrastructure. Get it wrong and a bot is the story of how your balance disappeared.

This guide walks through the API key risk model honestly, covers the real-world practices that eliminate most of the risk, and explains how to pick a crypto trading bot without api key risk in 2026.

One-sentence answer. Run a self-hosted bot on your own hardware, create a dedicated exchange API key with read plus spot trade permissions only, never enable withdrawal permission, add the bot's intended behavior to an exchange-side whitelist if your exchange supports one, and back up your encrypted key store. Do those five things and your bot cannot become the story of how you lost your funds.

What an API key actually is

An API key is two strings (a public identifier and a secret) that together let a program do things on your exchange account without logging in with a password. Think of it as a credential you hand to a robot so it can place orders for you.

Every credential has a set of permissions attached. The important permissions, in roughly increasing order of danger, are:

1. Read. The bot can see your balances, your open orders, your trade history, your positions. It cannot change anything. A read-only key is as safe as a screenshot.
2. Spot trade. The bot can place, modify, and cancel orders on the spot market. It can buy and sell the assets you already hold, swap between pairs on your account, and generally execute a trading strategy. It still cannot move assets off the exchange.
3. Margin trade / futures trade. The bot can take leveraged positions. Danger goes up because leverage can liquidate you, but the bot still cannot withdraw funds.
4. Withdraw. The bot can move assets out of your exchange account to an external address. This is the permission that turns a bot from "can execute a strategy" into "can steal everything." No reputable trading bot ever needs this permission.

If you remember nothing else from this guide, remember this: never enable withdrawal permission on an API key you give to a trading bot. Every major exchange lets you toggle permissions at key-creation time. Leave withdrawal off. If your bot tells you it needs withdrawal permission to work, do not use that bot.

The two places API key risk actually lives

Once you accept that withdrawal permission is off, the API key risk question collapses to two concrete places where something can go wrong.

Place 1: the bot vendor's database. A SaaS trading bot stores your API keys on their server so their software can run your strategy on their infrastructure. This is operationally simple for the user and a high-value target for attackers. One breach, one insider, one misconfigured backup, and every customer's keys are in the wild at the same time. This is not theoretical. The history of crypto SaaS is full of these events.

Place 2: your own machine. A self-hosted trading bot stores your API keys locally, usually encrypted with a passphrase or a machine-bound key. The attack surface is your laptop, your server, your operating system, and whatever physical or remote access someone might get to them. The surface is much smaller than a SaaS vendor's, but it is not zero.

These two places have very different threat models.

A SaaS bot's risk is concentrated. One bad day for the vendor is a bad day for all of their customers simultaneously. You are not in control of the vendor's security posture, their incident response, or their patch cadence. You are trusting their company to be excellent at a job that requires constant vigilance, and every time they hire a new engineer or ship a new feature the attack surface changes without you knowing.

A self-hosted bot's risk is distributed. Your machine has to be compromised specifically for your keys to leak. You control the patch cadence, the physical access, the backup strategy, and the rotation. The risk is smaller in aggregate because there is no central honeypot, and the risk that remains is under your direct control.

For most traders, especially those who already practice reasonable operational security on their own hardware, self-hosted is materially safer. That is why "crypto trading bot without api key risk" is really a synonym for "self-hosted crypto trading bot with withdrawal disabled." The rest of this guide shows you how to actually run one.

The 10-step security checklist

This is the exact checklist I run through with new TradeArmor customers. It applies to any self-hosted trading bot, not just mine.

1. Create a dedicated API key for the bot. Do not reuse a key you use for manual trading, tax exports, or another bot. Each bot gets its own key so you can rotate or revoke one without affecting anything else.

2. Name the key after the bot. When you create the key on the exchange, give it a name like "tradearmor-bybit-main" so the key list in your exchange account tells you at a glance what each credential is for. An anonymous "key1" from two years ago is how people end up with mystery credentials they cannot safely delete.

3. Enable read plus spot trade only. Turn off every other permission. If you genuinely plan to run leveraged strategies, enable the specific futures or margin permission the bot needs and nothing more. Turn off withdrawal, transfer, internal transfer, and any "sub-account" permission you do not intend to use.

4. Enable exchange-side IP whitelisting if your exchange supports it. Most major exchanges let you restrict an API key to a specific IP address. Lock the key to the static IP of your bot's machine (or your VPS). Now a leaked key is useless from anywhere except that one IP. This is the single highest-leverage defense available to you, and it is free.

5. Enable withdrawal whitelisting on your exchange account, not the key. Separately from the key, configure your exchange to allow withdrawals only to specific pre-approved addresses. This is a defense that lives at the account level. If some other attack path ever did grant withdrawal permission, the attacker still cannot send to a new address.

6. Store the key encrypted on disk. Any modern trading bot should encrypt its stored keys at rest with a passphrase or a machine-bound secret. Verify this before trusting real money to it. Open the config file and make sure the secret is not sitting there in plain text. If it is, the bot is not ready for production.

7. Enable full-disk encryption on the machine. FileVault on macOS, BitLocker on Windows, LUKS on Linux. This is the difference between "someone steals your laptop and reads your keys" and "someone steals your laptop and reads nothing." It takes ten minutes to set up and it is not optional for a machine that holds trading credentials.

8. Use a strong machine password and disable auto-login. A bot machine that auto-logs in on boot with no password is one coffee-shop theft away from total compromise. Use a password manager, generate a strong password, and require it at login.

9. Back up the bot's data directory to encrypted storage. Include the encrypted key store, the strategy configs, and the position database. Back up to at least one encrypted destination you control: an encrypted external drive, an encrypted cloud bucket, or both. Test the restore. A backup you have never restored is not a backup.

10. Rotate keys on a schedule. Every 90 days, generate a new API key on the exchange, update the bot's config, verify the new key works, and delete the old key. Rotation limits the blast radius of any undetected compromise and forces you to exercise the restore and reconfiguration path.

Do all ten and the likelihood of an API-key-related loss drops from "a real category of risk" to "vanishingly small." No single step on its own is sufficient. Layered together, they are.

Want to see how TradeArmor's self-hosted architecture works before installing anything? Open the DCA backtester to try the core DCA mechanic in your browser, or read the best self-hosted crypto trading bot guide for a full feature comparison.

How TradeArmor builds a crypto trading bot without API key risk

I am going to be concrete about how TradeArmor handles each piece of this because "we take security seriously" is the emptiest sentence in software marketing and I would rather show than tell.

Self-hosted by design. TradeArmor installs on your own hardware. macOS, Linux, or Windows. There is no TradeArmor cloud that stores your API keys. There is no central server your bot checks in with before executing a trade. Turn off my server for a year and your bot keeps running untouched.

Keys encrypted at rest. The API keys you enter into TradeArmor's dashboard are encrypted before they hit disk, using a passphrase you control. The keys are never written to log files, never exposed in the dashboard UI after entry (the UI shows a masked version), and never transmitted anywhere except directly to the exchange API over TLS.

Permission scoping enforced by the setup wizard. When you add a new exchange in TradeArmor, the setup screen shows you the exact minimum permissions to enable for that exchange, with a link to the exchange's key-creation page. The wizard refuses to let you configure the bot with an obviously over-permissioned key.

Withdrawal permission never used. TradeArmor's code does not call withdrawal endpoints. Ever. If you accidentally create an API key with withdrawal enabled, TradeArmor still will not use it, but you should fix the key anyway so a leaked credential is not dangerous regardless of the bot.

IP whitelist support. TradeArmor detects whether your exchange supports IP whitelisting and, if it does, shows you the outbound IP the bot is using so you can enter it on the exchange. On a home network behind a dynamic IP, this is tricky and TradeArmor flags it so you can make an informed decision (use a VPS with a static IP, or use a dynamic DNS + reconfigure cadence, or skip whitelisting on that key and make sure the other nine defenses are tight).

Dashboard auth on local machines. Even though the dashboard runs on localhost by default, TradeArmor requires you to set a dashboard password the first time you run it. Access from another machine on the network still needs that password. If you expose the dashboard via a Cloudflare tunnel for remote access, the tunnel sits in front of the same auth.

Signed releases. TradeArmor releases are served through the proxy with integrity checks. You are not downloading binaries from a random mirror.

None of this is magic. It is a collection of boring, well-understood choices applied consistently. That is what "crypto trading bot without api key risk" actually looks like in practice.

Red flags in other bots

Some things should make you walk away. In no particular order:

• The bot requires withdrawal permission on your API key. Never acceptable.
• The bot stores your API key on a cloud server the vendor controls, even if they call it "self-hosted" because you run a Docker container. If the container phones home to validate your license or sync your strategy, the keys are within their reach.
• The setup instructions tell you to paste your API key into a web form on a .com website. That website has your key the moment you hit submit.
• The bot's marketing promises "our servers handle the trading", which means your keys live on their servers.
• The bot has no documented way to rotate keys.
• The config file stores the API secret in plain text.
• The dashboard has no authentication and binds to 0.0.0.0 by default, exposing it to your local network with no login.
• The bot's release binaries are downloaded over plain HTTP, or from a free hosting provider with no integrity check.
• The vendor has no public incident response history. Not "no incidents," which every vendor has, but "no record of how they handled them."
• The vendor's forum or Discord is full of unanswered support tickets about lost funds, and the vendor's response pattern is silence or blaming the user.

Any one of these is a reason to look elsewhere. Several of them together is the vendor telling you the truth about how seriously they take your security.

Frequently asked questions

If I turn off withdrawal permission, what is the worst an attacker with my key can do? Trade. They can buy and sell the assets already on your account. A sophisticated attacker can use wash trades across thinly traded pairs to extract value, though this is difficult and usually uneconomic. The practical worst case is that your portfolio gets churned into a bad position before you notice and rotate the key. This is bad, but it is not the same as losing your funds, and the defense (rotating the key at the exchange) is immediate.

Can I use a hardware wallet with a trading bot? Not directly. Hardware wallets protect withdrawals from self-custody addresses, not API access to a custodial exchange account. The analogous defense for an exchange account is an API key with withdrawal disabled plus an address whitelist. That is what this guide covers.

Is running a bot on a VPS safer or less safe than running it at home? Different risks. A VPS gives you a static IP (good for exchange IP whitelisting), a stable uptime, and a professionally managed physical environment. It also means your bot machine is accessible from the internet by default and requires disciplined SSH hardening. A home machine is not exposed to the internet by default and is physically under your control, but it has more variable uptime and a dynamic IP. Either can be safe if you set it up well.

Should I keep all my crypto on one exchange so the bot can use it? No. A trading bot does not need your entire crypto portfolio on one exchange. Keep only the capital you are actively trading on exchange. The rest belongs in self-custody (hardware wallet) or at minimum spread across exchanges. The bot only sees the part you choose to deploy on the exchange it is trading on.

What if I am not technical enough to follow this checklist? Most of it is easier than it sounds. Enabling withdrawal-off on a key is a checkbox. Enabling full-disk encryption is a single setting. Strong machine password is a password manager + a prompt. The hardest step is IP whitelisting on a dynamic home IP, and you can skip it if the other defenses are in place. If you find any step confusing, the TradeArmor setup wizard walks you through the exchange-specific version.

Bottom line

A crypto trading bot is a credential you give a robot. The safety of that credential is 100% about where it lives and what it can do.

If you want a bot whose entire security story you control, use a self-hosted bot, on your own machine, with an API key scoped to read plus spot trade only, with withdrawal permission off, with IP whitelisting where possible, with full-disk encryption, with a strong password, with encrypted backups, with rotations every 90 days. Do those things and you have a "crypto trading bot without api key risk" in every sense that matters.

TradeArmor is the self-hosted bot I built because I wanted all of this by default. Start a 14-day free trial and the setup wizard walks you through the exchange permissions step by step. If you are comparing options more broadly, the best self-hosted crypto trading bot guide has the wider landscape, and the ProfitTrailer alternative guide covers the migration path for anyone leaving PT specifically.

Set the keys up right and the rest of trading gets a lot less stressful.

Ed Cava

I ran ProfitTrailer for years. It was the first self-hosted crypto trading bot I trusted with real money, and its DCA engine was, for a long stretch, the best in the world. The EQ-price buy gate, in particular, was the one feature that separated a thoughtful DCA bot from a dumb one that averages down into a falling knife forever.

Then ProfitTrailer stopped evolving. Exchange support lagged. The forum went quiet. Releases became rare and minor. By 2024, every PT user I knew had the same conversation: "We love the engine, but we can't stay here forever."

I built TradeArmor because I had that conversation with myself one too many times. This guide is the comparison I wrote for the two PT users who migrated first, now expanded for anyone asking the same question in 2026.

TL;DR: If you are a ProfitTrailer user looking for a replacement in 2026, your real shortlist is short. TradeArmor is the only self-hosted option that preserves the EQ-price buy gate behavior and ships with a direct PT config importer. Freqtrade is the right answer if you are comfortable writing Python and do not need the EQ-price gate specifically. Everything else in this space either does not do DCA properly or does not run on your own hardware. The details are below.

Why PT users are looking for alternatives

The symptoms are all the same.

Exchange support has not kept up. The exchanges that mattered when PT was in active development are not the same ones that matter today. If your strategy lives on an exchange PT no longer supports well, every trading day is a quiet risk.

Releases are rare. The release cadence that built PT's reputation has effectively stopped. Minor patches trickle out. Major features have not landed in years. A bot that does not ship is a bot whose bugs you are discovering alone.

The community is fragmenting. The forum, the Discord, the Telegram groups that were the beating heart of PT's support ecosystem are now echo chambers of people trying to keep old builds running. New users do not arrive. Old users leave quietly.

No AI anything. Every modern trading tool now has some form of LLM assistance for strategy building, signal filtering, or anomaly detection. PT has none of it and will not get any of it. That is not automatically bad, but it is a tell about where the product is going.

The market has moved. Signal-driven trading, multi-instance proxying, copy trading, grid bots, plain-English strategy building, these are all table stakes in 2026. PT was built for an earlier market and it is still in that market.

None of this means PT was bad. It was great. It is just a tool whose moment has passed, and the question PT users actually want answered is not "should I leave?" but "where do I go that will still be here in 2028?"

The one feature PT users care about most

Before going through the alternatives, let us name the feature nobody will move away from.

The EQ-price buy gate.

If you have never run PT, here is what it does. When the bot is about to place a DCA buy (the second, third, tenth, twentieth leg of a position), it does not just check whether price has dropped below the average entry price. It checks whether price is below the lowest unsold leg price by some configurable percentage. In PT the formula is the EQPRICE, and the rule is roughly: only buy the next leg if current price is below the lowest unsold leg price times (1 minus the trigger percent).

Why does this matter?

Because averaging down against the average price is how you blow up. A position that has averaged down from $100 to $80 will keep triggering new buys all the way to zero if the gate is just "below average." A position that averages down against the lowest unsold leg price actually waits for real weakness before adding more exposure. It is a simple idea and it is the difference between a DCA bot that survives a cycle and a DCA bot that liquidates you in March.

If you are a PT user, you already know this. If you are not, ask any PT user in a Discord what they would give up last, and they will tell you the EQ-price gate.

This is the feature most PT "alternatives" get wrong. They claim to do DCA. They claim to do multi-leg. They show you a pretty UI. And then you look at the actual buy logic and it is just "price below average." That is not equivalent. It is not even close.

TradeArmor's DCA engine implements the EQ-price gate using the lowest unsold leg buy price, matching PT's behavior to the decimal. This is not a coincidence. It is why I built it.

Every ProfitTrailer alternative worth a look in 2026

Here is every option I consider credible for a PT migrant in 2026.

TradeArmor (the closest product match, and what I build)

License model: Paid, self-hosted. Starter $19.99/mo, Pro $49.99/mo, Enterprise $89.99/mo. Exchanges: Binance US, Coinbase, Bybit, OKX, Bitget, KuCoin. OS: macOS, Linux, Windows.

What it is: A signal-driven, self-hosted crypto trading bot built, in part, specifically to give PT users a place to land. The DCA engine uses the EQ-price buy gate with lowest-unsold-leg pricing. It supports up to 20 DCA levels with configurable cooldowns, per-pair overrides, take-profit rules, and partial-sell logic. It ships with a ProfitTrailer migration importer that reads your pairs.properties and DCA.properties files and produces a TradeArmor strategy on the other side.

Beyond the DCA parity, TradeArmor adds things PT never had: a 3+ year signal track record on BTC/USDC, 15 real-time technical indicators, a plain-English AI strategy builder (BYOK, bring your own Claude, GPT, Gemini, or local Ollama key, no markup), grid trading, futures and leverage, copy trading, a tax reporting exporter, paper trading, a live dashboard, and a mobile PWA. Your API keys never leave your machine.

Who should pick it: Any PT user whose primary reason for staying was the DCA engine. You get parity on the engine plus a decade of features PT never shipped.

What you give up: PT's exact config file syntax. You will use TradeArmor's strategy builder (via the importer or from scratch) rather than hand-editing a .properties file. For most users this is a win. For users with highly customized .properties hacks, it is a one-time translation exercise.

Freqtrade

License model: Open source, free, GPL. Exchanges: Dozens via CCXT. OS: Python 3.10+.

What it is: The most active open-source crypto trading bot framework in 2026. Written in Python, strong community, strong backtesting engine, extensive documentation.

Who should pick it: A PT user who is comfortable writing Python, wants full control, and does not depend on the EQ-price buy gate specifically. Freqtrade can implement EQ-price style logic, but you will write it. The DCA features in Freqtrade are workable but not a drop-in replacement for PT's engine.

What you give up: A finished product. Freqtrade is a framework. You bring the strategy, the indicators, the risk management, the signal source, and the time to learn it. That is a feature if you want total control, and a dealbreaker if you wanted a product.

Gunbot

License model: Paid, self-hosted, one-time license. Exchanges: Several. OS: Windows, macOS, Linux.

What it is: Another long-running commercial bot with a Windows-first heritage and a heavy UI. Has a DCA module, has signals, has a large feature surface.

Who should pick it: Honestly, I am not the right person to sell you on Gunbot because I am a competitor. What I can tell you is that it is still under active development, which puts it ahead of PT on the "will it exist in 2028" question, and it has a dedicated user base. Look at it, read their forum, compare the DCA implementation to PT's EQ-price gate line by line before committing.

Hummingbot

License model: Open source, free. Exchanges: Many, including DEXs. OS: Docker.

What it is: A market-making bot. Not a DCA bot.

Who should pick it: Not you if you are a PT migrant. Hummingbot is excellent at market making and liquidity provision. It is not trying to be a DCA tool, and bending it into one is harder than using the right tool.

"We have a migration tool" SaaS bots

Several cloud-based SaaS bots market "PT migration" as a wedge. The workflow is the same in every case: upload your PT config, and they host your strategy on their servers. Your API keys move from your machine to their database. Your strategy runs on their uptime.

If self-custody was part of why you used PT, these are not alternatives. They are the opposite of PT. The only reason I mention them is because they will appear in your search results. Apply the self-hosted test from the best self-hosted crypto trading bot guide and walk away from anything that fails it.

Dead and dying

A partial list of PT-era bots you will still find in blog posts from 2019 to 2021 and that are not worth your time in 2026:

• Gekko: development stopped years ago. Do not trust money to it.
• Zenbot: archived.
• Crypto Trader (Haas Online's old UI): still around but a very different product today, worth evaluating on its own merits not as a PT successor.

Trust the GitHub activity graph and the last release date. If both are flat, it is dead, no matter what a 2020 blog post says.

Feature comparison: TradeArmor vs ProfitTrailer

This is the table that matters. If you are reading this guide, this is what you came for.

There is exactly one row where PT wins on familiarity: the .properties file format you have been editing for years. The importer eats that file for you. Everything else is ahead.

See the EQ-price gate in action on your own data. Open the DCA backtester, set trigger mode to Price-drop, and watch how the lowest-unsold-leg gate changes the number of fills and the drawdown curve compared to a naive "below average" DCA. No signup, runs in your browser.

How the PT migration actually works

This is the flow I walked my first two paying customers through. It is the same flow in the product today.

Step 1. Export your PT config. On your PT instance, locate your pairs.properties and DCA.properties files. Copy them to your laptop. If you have custom strategy files or per-coin overrides, grab those too. Do not share these files publicly, they describe your exact strategy and belong to you.

Step 2. Install TradeArmor on the same hardware (or different, your choice). The installer runs on Mac, Linux, or Windows. It does not touch your PT installation. You can run both side by side while you verify the migration.

Step 3. Create a fresh exchange API key. Read plus spot trade permissions only. Withdrawal permissions off. Do not reuse your PT key for TradeArmor, create a new one so you can audit activity independently and revoke either side without touching the other.

Step 4. Open the PT Migration screen in the TradeArmor dashboard. Drop your pairs.properties and DCA.properties files in. The importer parses them, maps every field it recognizes to TradeArmor's strategy builder, and flags anything it cannot map with an explanation of why.

Step 5. Review the translated strategy. This is the step most people skim and should not. Open the imported strategy in TradeArmor's strategy builder and look at every DCA level, every cooldown, every take-profit rule. Confirm the EQ-price gate is set to the same trigger percentage you used in PT. If your PT setup used any custom .properties hacks or undocumented feature flags, expect those to need manual recreation. The importer is honest about what it cannot translate.

Step 6. Paper trade for at least a week. Point TradeArmor at your exchange in paper-trading mode, let it run on your actual strategy against live market data without placing real orders, and compare the behavior to what your PT instance would have done. If the two diverge in a way you cannot explain, do not migrate real capital yet. Open a support ticket or check the strategy diff.

Step 7. Flip the switch. When you are satisfied, disable your PT instance's trading (do not delete it yet), enable TradeArmor's live trading, and let it run. Keep PT on standby for two to four weeks as insurance. If TradeArmor behaves as expected, retire PT at that point.

That is the whole flow. Most migrations take an afternoon. The paper-trading step is what takes a week, and skipping it is the single most common mistake.

What to check before you commit

I have a short list of things I tell PT users to verify before committing real money to any alternative, including mine.

1. Does the EQ-price gate actually check against the lowest unsold leg, or against the average? Test it. Set up a three-leg position in paper trading and watch what the fourth-leg trigger looks like. Anything that just gates on average price is not equivalent to PT.

2. What happens after a partial sell? PT's behavior when a position is partially sold (some legs closed, some still open) is specific and different from many other DCA implementations. Test this explicitly. TradeArmor preserves the partial-sell semantics; verify it in paper trading before you trust it with capital.

3. How does the bot handle exchange outages? Run it across a known maintenance window on your exchange. A good bot retries with backoff and resumes cleanly. A bad bot drops orders or duplicates fills. PT was solid here; any replacement needs to be at least as good.

4. Does it cap DCA at a level you actually want? A 20-level ladder sounds great until you realize you do not want to be adding the 20th leg to a bleeding position. Make sure max DCA levels and position sizing are configurable in a way that matches your risk tolerance.

5. Who will support you in two years? The bot is less important than the person or team behind it. Read their changelog, their release notes, their community. Active, honest communication is the single best predictor of whether the software will still be reliable in 2028.

Frequently asked questions

I love PT and I do not want to leave. Am I wrong? You are not wrong for loving PT. It was an excellent piece of software. You are right to be cautious about the future. Set yourself a deadline ("if no meaningful release by date X, I migrate") and stick to it. Hoping a stalled project will revive is how people end up scrambling under pressure.

Will my PT strategies work on a different exchange via TradeArmor? Yes, if TradeArmor supports the exchange and the pairs you use. TradeArmor supports six exchanges out of the box. If you are moving to an exchange you have not used before, paper trade longer. Every exchange has quirks (fee structure, lot sizing, tick size) that affect DCA behavior at the margins.

How long does a migration actually take? The importer step takes minutes. The review and paper-trading step takes a week. The total elapsed time from "decided to migrate" to "fully trusting TradeArmor with real money" is usually one to two weeks if you do it carefully.

What if I run into problems? I personally read every support ticket from PT migrants in the early months of a migration. If you email support and mention you are migrating from PT, I will see it.

Is TradeArmor going to still exist in five years? I cannot promise what any software company looks like in five years. What I can tell you is that I built TradeArmor because I was a PT user who watched a tool I depended on go quiet, and I am not going to do that to my own customers. The cadence speaks for itself, check the release notes.

Bottom line

If you are a ProfitTrailer user in 2026 and you have been putting off the migration question, it is time to answer it.

• You want the EQ-price buy gate preserved, your API keys on your own machine, and a bot that is actively shipping? That is TradeArmor. The PT importer is built in, the DCA engine matches PT's behavior on the features that matter, and the first two paying customers were PT migrants, this path has been walked before. Start a 14-day free trial.
• You want a free Python framework and you do not depend on the EQ-price gate specifically? Freqtrade.
• You want a commercial alternative and TradeArmor is not a fit? Evaluate Gunbot honestly, read their forum, and check the DCA implementation against PT's EQ-price behavior before committing.
• You want to stay on PT indefinitely and hope it revives? Set a deadline. Do not let the decision be made for you by a service interruption or an exchange deprecation.

If you want to see exactly how the DCA engine behaves on your market of choice before you install anything, the free DCA backtester runs in your browser and implements the same EQ-price gate logic the live engine uses.

And if you are still weighing self-hosted vs SaaS trading bots in general, the best self-hosted crypto trading bot guide is the broader comparison this one spun off from.

Ed Cava

This guide is the comparison I wish existed when I started. It is written by a founder who actually runs a self-hosted crypto trading bot in production every day, not a freelancer filling in an affiliate template. If you are evaluating options in 2026, these are the ones that still matter, how they actually behave in the wild, and how to pick one that will still be running in 2028.

Quick answer for people who want the TL;DR: If you want a self-hosted crypto trading bot that ships with built-in signals, supports six exchanges, runs on Mac, Linux, or Windows, and keeps your API keys on your own machine, look at TradeArmor. If you want a pure open-source framework and you are comfortable writing Python, look at Freqtrade. Everything else in this space is either discontinued, SaaS in disguise, or a hobby project. The details are below.

What a self-hosted crypto trading bot actually is

The phrase gets stretched to the point of meaninglessness. Here is the test I use.

A crypto trading bot is self-hosted if, and only if:

1. You install it on hardware you control (your laptop, your Mac mini, your home server, your own VPS).
2. Your exchange API keys are stored locally on that hardware. They are never uploaded to a vendor database.
3. The software keeps running if the vendor disappears tomorrow. Nothing calls home to validate a license before it executes a trade.
4. Your trading data (positions, P&L, logs) lives in a file you can back up and move.

If any of those four is missing, you are using a SaaS bot with a self-hosted installer. There are bots that ship as Docker containers and still phone home to a central auth server on every restart. That is not self-hosted. That is a SaaS bot with extra steps.

Why does this matter? Because the crypto bot graveyard is full of companies that shut down overnight, got hacked, or pivoted away from the market that paid their bills. If your bot dies when their server dies, your strategy is not yours. It is rented.

The five things that actually matter when choosing one

I have trialed, bought, and abandoned a lot of trading software. When I look back at what made the difference between a tool I kept and a tool I uninstalled, it comes down to the same five things every time.

1. Custody of your API keys. Self-custody is not a marketing bullet. It is the difference between one compromise affecting you and one compromise affecting every customer of a platform at the same time. The right answer is keys that never leave your hardware and that you grant read plus spot trade permissions only, never withdrawal.

2. Depth of the position management engine. A bot that can only buy and sell is a toy. A bot that can run a 20-level DCA ladder with an EQ-price buy gate, a configurable take-profit, cooldowns, and per-position overrides is a tool. The difference shows up after your third losing entry in a row when a dumb bot keeps buying and a good bot waits.

3. Signal quality or strategy flexibility. Either the bot ships with decent built-in signals and a track record you can inspect, or it gives you enough flexibility to run your own. Ideally both. A bot that forces you to write Python from scratch to do anything useful is not a product, it is a framework.

4. Exchange coverage. The exchanges you use today are not the exchanges you will use in 2028. A bot that only runs on Binance is a liability. Six supported exchanges, including at least two US-friendly options, is the floor.

5. Whether the company will still exist in two years. Boring but decisive. Check the release cadence on GitHub, the last forum post, the last changelog entry. If the project is dead or the founder has moved on, your money is pointing at a time bomb.

Everything else, the UI polish, the screenshot gallery, the influencer endorsements, is secondary. Optimize for those five and you will not regret it.

The field in 2026

Here is every self-hosted option I consider credible as of April 2026. I have installed and tested each one unless noted. Pricing is verified against their public sites at the time of writing.

TradeArmor (what I build)

License model: Paid, self-hosted, BYOK AI optional. Starter $19.99/mo, Pro $49.99/mo, Enterprise $89.99/mo. Exchanges: Binance US, Coinbase, Bybit, OKX, Bitget, KuCoin. OS: macOS, Linux, Windows. What it is: A signal-driven crypto trading bot that runs entirely on your own hardware. Ships with built-in cava-signals on BTC/USDC with a 3+ year track record, 15 real-time indicators, a plain-English AI strategy builder, a 20-level DCA engine with an EQ-price buy gate, grid, futures, copy trading, backtesting, paper trading, and a tax reporting exporter. Your API keys never leave your machine. The AI assistant is BYOK, meaning you bring your own Claude, GPT, Gemini, or local Ollama key and pay zero markup. Who it is for: Technical traders who want a finished product, not a framework. ProfitTrailer migrants who need an EQ-price gate they can trust. Anyone who refuses to put their keys in someone else's database. What I do not recommend it for: If you want to write your own strategy in raw Python against a data feed, use Freqtrade. TradeArmor has a strategy builder and a boolean formula engine, but it is not a Python SDK.

I obviously have a bias. Read the rest of this list before making a call.

Freqtrade

License model: Open source, free, GPL. Exchanges: Dozens via CCXT. OS: Python 3.10+ on Linux, macOS, Windows. What it is: The most serious open-source crypto trading bot that still ships. Written in Python, maintained actively, large Discord community, excellent documentation. Ships with a backtesting engine, hyperopt for parameter tuning, a telegram interface, a small web UI, and example strategies. Who it is for: Developers. If you are comfortable in Python, you can build almost anything on top of Freqtrade. It is the closest thing to a trading framework you will find for free. What you give up: A finished product. Out of the box, Freqtrade does not come with signals worth trading. You supply the strategy, the indicators, the risk management, and the learning curve. The included examples are demos, not edge. When to pick Freqtrade over TradeArmor: You want to write Python, you do not need signals, and you want zero vendor dependency. When to pick TradeArmor over Freqtrade: You want a dashboard, built-in signals, a DCA engine that is battle-tested in production, a plain-English strategy builder, and you would rather spend your time trading than coding.

Hummingbot

License model: Open source, free, with a paid ecosystem of "connectors" and market-making campaigns. Exchanges: Dozens, including decentralized ones. OS: Python, Docker-first install. What it is: A market-making bot that has been repositioned several times. Hummingbot is excellent at what it was originally built for: running liquidity on centralized and decentralized exchanges. It is not primarily a directional trading bot, and it is not a DCA bot. Who it is for: Market makers, liquidity providers, and professionals who understand spread capture. Who should skip it: Anyone whose strategy is "buy the dip, take profit at +5%." That is not what Hummingbot is for, and bending it into that shape is harder than using the right tool.

Gekko (do not use)

Gekko was the most popular open-source trading bot from roughly 2017 to 2019. Development stopped years ago. The repo still exists, the installer still works on some systems, and you will occasionally find a YouTube tutorial from 2018 that makes it look alive. It is not alive. Exchange APIs have moved on, Node versions have moved on, and the few forks that claim to maintain it are dormant. Do not trust money to software that has not shipped a real release in years.

ProfitTrailer (stalled)

ProfitTrailer was the reason I started building in the first place. It had the deepest DCA engine on the market, it shipped as a self-hosted JAR, and its EQ-price buy gate is still the gold standard for averaging down without throwing good money after bad. It also stopped evolving. The last meaningful release was a long time ago. Exchange support has not kept up. The community has fragmented. If you are a ProfitTrailer user in 2026, you are running on borrowed time, and you are the reason I built TradeArmor's migration path (see the dedicated comparison for the full story).

Jesse

License model: Open source. Exchanges: A handful, all via CCXT. OS: Python. What it is: A more recent Python framework with a strong focus on backtesting quality and clean code. Smaller community than Freqtrade. Who it is for: Python developers who specifically prefer Jesse's design over Freqtrade's. Functionally, Freqtrade is ahead on exchange coverage and community size as of early 2026.

Every "self-hosted" bot that is actually SaaS

I will not name individual brands here because the list changes every quarter, but the pattern is consistent. You download a Docker container, you start it, and it immediately connects to the vendor's cloud to validate your license, sync your strategy, or "enable signals." Your API keys may live on your machine, but the software is useless the moment the vendor has a bad day. That is SaaS with extra steps. Apply the four-part test from earlier in this article before trusting any vendor that markets itself as self-hosted.

Feature comparison at a glance

Read that table honestly. If you want a framework, Freqtrade wins. If you want a finished product, TradeArmor is the only entry that ticks all the product rows at once while still being self-hosted under the strict definition.

Run the same DCA logic you just read about, on your own data, for free. Open the DCA backtester and see how a 20-level DCA with an EQ-price gate performs on BTC, ETH, or SOL over the last five years. No signup, no email, runs in your browser.

How I actually run mine (founder notes)

This section is specific to TradeArmor because it is the bot I know best. The same setup principles apply to any self-hosted bot you pick.

Hardware. A Mac mini (M2, 16 GB) sitting on a shelf, plugged into ethernet, with the screen asleep. Total cost under $700, total power draw negligible. It has not missed an uptime target in over a year. If I did not already have the mini, I would use a cheap Linux mini-PC or a VPS with full disk encryption. Raspberry Pi works for small setups but I do not trust SD cards for anything that holds API keys. Use an SSD.

Network. Home network, behind the router, exposed only via a Cloudflare tunnel for remote dashboard access. The bot itself does not accept inbound connections from the internet. It reaches out to exchanges over TLS and that is it.

Keys. Every exchange key is scoped to read plus spot trade only. Withdrawal permissions are off at the exchange level. If a key were to leak, the worst case is an attacker trading my balance into a bad position. They cannot pull funds out. This is non-negotiable. If your bot asks for withdrawal permissions, stop and ask why.

Backups. The bot's data directory (positions, configs, encrypted key store) is snapshotted to an encrypted external drive every night and to a second encrypted cloud location weekly. I have restored from backup twice in four years, both after user error on my part, and it took under 10 minutes each time.

Monitoring. The dashboard runs in a browser tab on a laptop I glance at daily. I get pushed alerts on fills, errors, and balance anomalies. I do not babysit trades. That is the whole point of running a bot.

Updates. I update on Fridays after close of the US week. If a release breaks something, I have the weekend to roll back before the next signal. I never update the bot minutes before a big market move.

None of this is exotic. The discipline is boring. That is the feature.

Common mistakes I see (and what to do instead)

1. Granting withdrawal permissions. The number one way people lose money to bot compromises. No legitimate trading bot needs withdrawal permissions. Turn them off at the exchange and never turn them back on.

2. Running with no take profit. People set up a bot to buy the dip, watch it average down beautifully for weeks, and then hold through a full reversal back to their entry because they never defined what winning looks like. Decide your take-profit target before you start, and let the bot enforce it.

3. Trusting backtests more than paper trading. Backtests do not have slippage, latency, exchange outages, or a human watching an equity curve and second-guessing. Paper trade for at least two weeks before committing real capital. Paper trade on the same exchange you plan to use, because fills and fees vary.

4. Running too many strategies at once. More strategies means more surface area and more ways to confuse yourself about what actually worked. Start with one strategy, one pair, one exchange. Add a second only after you understand the first.

5. Using an exchange that is not available in your jurisdiction. This seems obvious and people still do it. Use exchanges that are licensed where you live. Binance US if you are in the US, not Binance.com. Coinbase, Bybit, OKX, Bitget, and KuCoin have different availability rules by country, check yours before you fund an account.

6. Not backing up your bot's data directory. Your position history, your configured strategies, your encrypted keys, if your hard drive dies and you have no backup, you are rebuilding from scratch. Back it up.

Frequently asked questions

Is a self-hosted crypto trading bot legal? Trading software itself is legal in virtually every jurisdiction. What is regulated is the trading activity and the exchange you connect it to. Use licensed exchanges, report your taxes, and follow local law. This guide is not legal advice.

Do I need a VPS or can I run it at home? Either works. Home is fine if your power and internet are stable. A small VPS (Hetzner, DigitalOcean, Vultr) runs under $10/month and removes the home-uptime concern. Pick what fits your operational comfort.

Can I run more than one exchange at the same time? Yes. TradeArmor supports running six exchanges from one installation. Freqtrade supports multiple exchanges via configuration. Hummingbot supports multiple connectors. This is table stakes in 2026.

How much capital do I need to start? Enough to make position sizes meaningful after exchange minimums and fees. On most exchanges that means at least a few hundred dollars per trading pair. There is no magic number. Start small enough that losing it would not hurt.

Will I make money? No guide can answer that. Read the disclaimer at the bottom of this page twice. What I can tell you is that the traders I know who have made money running bots for years all share the same habit: they run boring, well-defined strategies on tight risk budgets with infrastructure they control, and they update slowly. Find a setup you can run for two years without touching it.

Bottom line

If you are reading this in 2026, your shortlist is short.

• Want a finished product with signals, a real DCA engine, AI-assisted strategy building, and six exchanges on your own hardware? That is TradeArmor. See pricing and start a 14-day free trial.
• Want a pure open-source Python framework and you are comfortable writing your own strategy? Freqtrade is the answer.
• Want to run market-making strategies across CEX and DEX? Hummingbot.
• Anything else? Apply the four-part self-hosted test from earlier in this article and walk away from whatever fails it.

The most important decision you make is not which bot. It is the discipline you apply after installing it. Pick the tool that matches your skills and your willingness to maintain it, define your risk before you fund the account, back up your data, and do not grant withdrawal permissions. Do those four things and you are ahead of 90% of the people running bots today.

If TradeArmor looks like the fit, the 14-day free trial runs on your own hardware from day one. If you want to see how the DCA engine handles your market of choice before you install anything, the free DCA backtester runs in your browser with five years of BTC, ETH, and SOL data.

And if you migrated from ProfitTrailer or are about to, read this next, the EQ-price gate parity story is the reason most of TradeArmor's first customers switched.