Per-exchange custody
Each venue offers a different shape of trade-only credential, and each one — by its own design — keeps your funds firmly in your hands. fxyz inherits all of that protection and adds product-side guarantees on top.
Hyperliquid
Model. A protocol-level "agent key" approved by your main wallet. The Hyperliquid contract itself enforces that an agent can place, modify, and cancel orders, and absolutely nothing else.
What this means for you. Withdrawals, transfers, and account-setting changes require your main wallet — the same wallet you use on Hyperliquid's own UI. fxyz never holds that wallet, never sees it, and has no way to ask for it. The agent credential we hold is, by Hyperliquid's own protocol rules, trading-only, forever, with no exceptions.
Revoke. Click Disconnect Hyperliquid. One signature rotates the slot at Hyperliquid to an unrecoverable address. From that moment on, the venue itself rejects every trade attempted against the slot. This isn't "we promise to forget the key"; this is the protocol turning the key off, on-chain, irrevocably.
Lighter
Model. An API key tied to your Lighter account. Lighter's L2 protocol routes any withdrawal to your registered L1 owner address. There is no recipient field on the wire. None.
What this means for you. Funds on Lighter can only ever go home to you. Even an attacker who somehow held the key could not point a withdrawal anywhere except your own L1 address: there is no recipient field to set, so the protocol has nowhere to send the funds other than your wallet.
Belt-and-suspenders: fxyz's own Lighter client also deliberately omits withdraw and transfer from the surface available to strategy code. Two independent walls; both stand.
Revoke. Click Disconnect Lighter. fxyz drops its copy of the key immediately. For complete revocation, rotate or delete the key on Lighter's own UI as well.
Backpack
Model. An API key generated on Backpack and held by fxyz under our vault-grade encryption.
What this means for you. fxyz's own Backpack client deliberately omits withdraw and transfer operations entirely. They are not in the surface available to strategy code. No part of the product can move funds off your Backpack account. The path does not exist in our code.
For an additional venue-side seal, configure Backpack's withdrawal-address whitelist on your account. Any withdrawal off your Backpack account would then be limited to addresses you've pre-approved — locked down at the venue level on top of our code-level guarantee.
Revoke. Click Disconnect Backpack. fxyz drops its copy of the key immediately. For complete revocation, rotate or delete the key on Backpack's UI as well.
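The client-surface restriction described for Lighter and Backpack above can be sketched as follows. This is an added example, not fxyz's code: the operation names, the `StrategyClient` class and the HMAC-SHA256 signing are assumptions standing in for a venue's real API. It shows a signer that refuses anything outside a trade-only allowlist, plus a check that the object handed to strategy code exposes no fund-moving method.

```python
import hashlib
import hmac
import json

# Hypothetical operation names; a real venue API defines its own.
TRADE_ONLY_OPS = frozenset({"place_order", "modify_order", "cancel_order"})
FUND_MOVING_VERBS = ("withdraw", "transfer")

class OperationNotAllowed(Exception):
    """Request is outside the trade-only allowlist."""

def make_trade_only_signer(api_secret: bytes):
    """Return sign(op, params). HMAC-SHA256 is a stand-in for the venue's scheme."""
    def sign(op: str, params: dict) -> dict:
        # Deny by default, before the key is used: an operation that is not
        # explicitly a trading operation is never signed.
        if op not in TRADE_ONLY_OPS:
            raise OperationNotAllowed(op)
        body = json.dumps({"op": op, "params": params}, sort_keys=True)
        sig = hmac.new(api_secret, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "signature": sig}
    return sign

class StrategyClient:
    """The only object handed to strategy code: three trading methods, nothing else."""
    __slots__ = ("_sign",)

    def __init__(self, sign):
        self._sign = sign

    def place_order(self, symbol, side, qty, price):
        return self._sign("place_order", {"symbol": symbol, "side": side,
                                          "qty": qty, "price": price})

    def modify_order(self, order_id, qty, price):
        return self._sign("modify_order", {"id": order_id, "qty": qty, "price": price})

    def cancel_order(self, order_id):
        return self._sign("cancel_order", {"id": order_id})

def public_surface(obj):
    """Names of public callables reachable on obj."""
    return sorted(n for n in dir(obj)
                  if not n.startswith("_") and callable(getattr(obj, n)))

def audit_surface(obj):
    """CI-style check: public names that look like fund movement (should be empty)."""
    return [n for n in public_surface(obj)
            if any(v in n.lower() for v in FUND_MOVING_VERBS)]
```

Within a single Python process this restricts the surface rather than sandboxing it; running the signer in a separate process is what would make the boundary hard. `audit_surface` is the kind of check that can run in CI so a later change cannot quietly add a fund-moving method.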
At a glance
| Venue | What keeps funds yours |
|---|---|
| Hyperliquid | Protocol restricts agent keys to trading. Withdrawals require your main wallet — full stop. |
| Lighter | L2 protocol routes withdrawals to your registered L1 owner address. Nowhere else, ever. |
| Backpack | fxyz's client has no withdraw or transfer code path. Backpack's withdrawal-address whitelist locks it down further. |
Two independent layers on every venue — the venue's protocol and our own client surface — both standing between an attacker and your funds. Either one alone is already strong. Together, they are vault-grade.
What's next
- How your keys are kept safe — the storage and isolation model.
- What fxyz cannot do — explicit list.