Development of Verified Trading History System
Verified trading history solves the trust problem: anyone can claim high returns, but only verified history confirms results with real exchange data. This is the foundation for leaderboards, social trading, and strategy marketplaces.
Verification Models
Exchange API Verification — user provides read-only API key, system downloads order and trade history directly from exchange. Most reliable method.
OAuth-based Verification — some exchanges (Coinbase) support OAuth. User authorizes access without providing API keys.
Proof of Address — user signs a message with wallet private key, confirming address ownership. For on-chain strategies.
Implementation of API Verification
class TradingHistoryVerifier:
SUPPORTED_EXCHANGES = ['binance', 'bybit', 'okx', 'kraken', 'coinbase']
async def verify(
self,
user_id: str,
exchange: str,
api_key: str,
api_secret: str,
) -> VerificationResult:
# 1. Check that key is read-only
permissions = await self.check_key_permissions(exchange, api_key, api_secret)
if permissions.can_trade or permissions.can_withdraw:
raise SecurityError("API key must be read-only")
# 2. Download history for last 180 days
client = ExchangeClientFactory.create(exchange, api_key, api_secret)
trades = await self.download_trade_history(client, days=180)
orders = await self.download_order_history(client, days=180)
# 3. Calculate metrics
metrics = calculate_verified_metrics(trades, orders)
# 4. Save with verification confirmation
record = VerifiedHistory(
user_id=user_id,
exchange=exchange,
verified_at=datetime.utcnow(),
period_start=datetime.utcnow() - timedelta(days=180),
period_end=datetime.utcnow(),
trade_count=len(trades),
metrics=metrics,
# Store only metrics, not API key
)
await self.repo.save(record)
# 5. Revoke or mark API key as used
# (don't store key in DB!)
return VerificationResult(success=True, metrics=metrics)
async def download_trade_history(self, client, days: int) -> list[Trade]:
"""Paginated download of full history"""
all_trades = []
since = int((datetime.now() - timedelta(days=days)).timestamp() * 1000)
while True:
batch = await client.fetch_my_trades(limit=1000, since=since)
if not batch:
break
all_trades.extend(batch)
since = batch[-1]['timestamp'] + 1
await asyncio.sleep(0.5) # rate limit
return all_trades
API Key Security
User API keys are extremely sensitive data. Even read-only key reveals user trading activity. Rules for key handling:
- Never store API keys in database. Use only for one-time history download.
- Encryption in transit — TLS for all key transfers.
- Minimal retention — key lives in memory only during download, then destroyed.
- Audit log — record of verification fact without key details.
Alternative: user uploads CSV export of trading history (most exchanges support). Less convenient, but doesn't require key transfer.
Public Proof
Verified history can optionally be public. User chooses what to show: only metrics (Sharpe, drawdown, win rate) or full order history. System generates tamper-proof link:
def generate_public_proof_url(verification_id: str, secret: str) -> str:
"""Generates URL with HMAC for authenticity verification"""
sig = hmac.new(secret.encode(), verification_id.encode(), hashlib.sha256).hexdigest()[:16]
return f"https://platform.com/proof/{verification_id}?sig={sig}"
Anyone can check trader results via this link, while trader controls what exactly to disclose.
Periodic Update
Verification is not one-time — history updates. User can re-verify account each month, providing fresh temporary key or CSV file. System shows "verified as of [date]" with freshness indicator.