Anyone who had money on FTX in 2022 knows the answer to a question almost nobody asked before: Who actually owns my capital when it sits on a platform? Back then, the answer was: nobody. At least not the customers anymore. And that experience changed an entire industry. Today, four years later, most crypto investors understand that custody is not a detail. It is the foundation.

Still, there is a surprising gap when it comes to trading bots. Most comparisons distinguish between “free” and “paid”, between “simple” and “complex”. But almost nobody asks: Who controls the capital while the bot is trading?

This guide explains what a non-custodial trading bot is, how it differs technically from other models, which categories exist in 2026, and what you should look for when choosing one.

What does non-custodial mean for trading bots?

With a custodial bot, you transfer your capital to the provider or grant it access rights that go beyond pure trading. In theory, the provider can access your funds. For many cloud bots this is the default configuration.

A non-custodial bot works differently. Your capital stays in your own exchange account. The bot connects to your exchange via an API interface and is granted trading rights only. It can buy and sell. It cannot withdraw.

This is not a marketing promise. It is a technical restriction defined directly in the exchange’s API configuration. On Binance, for example, you create an API key and enable only the “Spot Trading” permission. The “Withdrawal” permission remains disabled. In addition, you can set up an IP whitelist that restricts the key to your server’s IP address.

The result: Even if someone stole the API key, they could not trigger a withdrawal from your account. They could place trades, yes. But the money stays on your exchange, under your control.

Why this question matters more today than in 2022

FTX was not an isolated case. Celsius, Voyager, BlockFi, Terra/Luna — all these collapses shared a common pattern: customers transferred capital to third parties and lost control over it.

In 2026, regulation looks different. MiCA is in force in the EU. The Swiss regulator FINMA has tightened its requirements for crypto custodians. But regulation does not change a basic principle: If you hand over your money, you trust that the recipient will handle it responsibly. If you keep it, that trust requirement disappears.

For investors who want to use automated crypto trading, this raises a concrete question: Is there a way to use trading automation without giving up control over the capital?

The answer is yes. And the options are more diverse than most comparison sites suggest.

The three categories of trading bots in 2026

Most bot comparisons distinguish between “cloud” and “self-hosted”. That is too simplistic. In practice, there are three clearly distinguishable categories in 2026, each with a different custody profile.

Category 1: API-connected cloud bots

These are the best-known providers on the market: 3Commas, Cryptohopper, Bitsgap, Coinrule. You create an account on the provider’s platform, store your Binance API key there, and configure your strategy via their web interface.

The bots run on the provider’s servers. You do not need your own server. The setup usually takes less than 30 minutes.

Advantage: Simple, quick to deploy, no technical knowledge required. Most offer DCA, grid, and copy-trading strategies.

Disadvantage: Your API key is stored on a third party’s servers. Even if most providers market themselves as “non-custodial”, the actual security depends on how well the provider secures its own servers. The provider has no withdrawal access to your capital (as long as the API permissions are set correctly). But it does have access to your API key. And a compromised key at least allows unauthorized trades.

Typical pricing model: Monthly subscription, independent of your performance. Between 25 and 130 USD per month, depending on plan and features.

Category 2: Open-source self-hosted frameworks

On the other end of the spectrum are open-source projects such as Freqtrade, Hummingbot, OctoBot or Jesse. You download the source code, install it on your own server (VPS or local hardware), and configure everything yourself.

Advantage: Maximum control. The code is transparent. Your API key never leaves your server. There is no dependency on a company. The software is free.

Disadvantage: High technical entry barrier. You need experience with Linux, Docker, Python and the Binance API documentation. Configuration is time-consuming. Updates, monitoring, and troubleshooting are entirely your responsibility. There is no support apart from community forums and GitHub issues.

Best for: Developers and technically skilled traders who want full control and transparency over the code and are willing to operate the system themselves.

Category 3: Commercial self-hosted bots

This category is still relatively young in 2026 and is overlooked in most comparisons. Here you get professionally developed software that you run on your own server. You get the custody advantages of a self-hosted setup without the full development effort of an open-source project.

The software is maintained and updated by the provider. You get a web interface for configuration and monitoring. But the infrastructure runs on your hardware, and your API key stays on your server.

Examples in this category are Gunbot (lifetime license, on the market since 2016) and unCoded (profit-sharing model, developed by ArrowTrade AG in Switzerland).

Advantage: Professional software with support and updates, combined with the security of a self-hosted setup. The API key never leaves your server. No cloud provider stores your credentials.

Disadvantage: You need your own server (VPS from around 7 EUR/month). The setup is somewhat more involved than with a cloud bot but much easier than with open-source frameworks because professional installation routines and documentation are provided.

Side-by-side overview of the three categories

When it comes to where the API key is stored, the answer for cloud bots is: on the provider’s servers. For open-source self-hosted bots: on your server. For commercial self-hosted bots: also on your server.

The costs for a typical 12‑month setup with 10,000 USD in capital are between 668 and 848 USD for cloud bots (subscription plus trading fees), around 164 USD for open-source frameworks (VPS plus trading fees, no software costs), and for commercial self-hosted bots between 283 USD (lifetime license plus VPS plus fees) and 464 USD (profit-sharing plus VPS plus fees, with 1,000 USD annual profit), depending on the model.

The technical skill level required ranges from low (cloud bots: create account, enter API key), to medium (commercial self-hosted: rent a VPS, start a Docker container), to high (open-source: Linux administration, Python, manual configuration).

In terms of support, cloud bots usually offer ticket systems, live chat, and extensive documentation. Commercial self-hosted providers have support teams, Telegram groups, and documentation. Open-source projects rely on community forums, GitHub issues, and Discord servers, but there is no dedicated support.

Dependency on the provider is highest with cloud bots: If the provider goes offline, the bot stops immediately. It is lowest with open source: No provider dependency, the code belongs to the community. Commercial self-hosted sits in between: The bot continues to run independently, but future updates are missing.

The trust question: What if the provider disappears?

With a cloud bot (Category 1): Your bot stops immediately. All running strategies are no longer executed. Open positions remain open until you intervene manually. Your capital on Binance is not affected as long as you have not enabled withdrawal permissions. But you lose access to the platform and your configuration.

With an open-source framework (Category 2): Nothing happens. The software runs on your server, independent of any company. The code is open source. However, there are no more updates, and security patches will only come from the community.

With a commercial self-hosted bot (Category 3): The bot continues to run on your server. Your capital is unaffected. What you lose are future updates and support. The existing installation continues to work autonomously. You are not dependent on the provider’s cloud.

How to verify a bot’s custody status

It is not enough to trust providers on their “non-custodial” marketing label. Here are five concrete checks you can perform.

Where does the software run? If you log in on the provider’s website and trade there, the software runs on their servers. If you install the software on your own server, it runs under your control. The difference sounds simple but has direct consequences for who stores your API key.

Which API permissions are required? A reputable bot only needs “Spot Trading” (or “Futures Trading”, if that is part of the product). If a provider requires withdrawal permissions, that is an immediate deal-breaker.

Where is your API key stored? With cloud bots, the key is stored on the provider’s servers. With self-hosted solutions, it is stored on your server. Ask the provider explicitly. If the answer is vague, treat that as a red flag.

Is there an IP whitelist? Binance allows you to restrict API keys to specific IP addresses. A good self-hosted bot uses this automatically: The key only works from your server’s IP.

What happens to open positions if you stop the bot? In a non-custodial setup, your coins stay on Binance when you shut the bot down. You can always intervene manually or hold positions. There is no lock-in.

Setup: How a non-custodial bot works technically

The architecture of a self-hosted, non-custodial trading bot can be broken down into three components.

Your server (VPS): A virtual server in a data center of your choice. Typical requirements: 2–4 vCPUs, 4–8 GB RAM, SSD. Costs between 5 and 15 EUR per month with providers such as Hetzner or Netcup. The bot software usually runs there in a Docker container.

The bot software: It receives market data from the exchange, computes trading signals based on the configured strategy, and sends buy or sell orders back to the exchange via the API. You control the configuration (strategy parameters, risk limits, trading pairs) via a web interface or configuration files.

Your Binance account: This is where your capital is held. The connection to the bot uses only the API key with restricted permissions. The exchange executes the trades. The bot only sends the instructions.

Setting up a commercial self-hosted bot takes between 30 minutes (with premium setup service) and three hours (do-it-yourself), depending on the product. For open-source frameworks, it can easily be ten hours or more, depending on your technical background.

Risk management: What a non-custodial bot does not solve

A common misunderstanding: Non-custodial does not eliminate trading risk. It eliminates custody risk.

Price risk remains. If Bitcoin falls by 40%, your positions lose value, regardless of whether the bot is custodial or non-custodial. You own the coins, yes. But they are worth less.

What non-custodial actually reduces: – The risk that a third party disappears with your capital (counterparty risk). – The risk that a provider becomes insolvent and your capital falls into the bankruptcy estate. – The risk that a hack at the bot provider triggers withdrawals from your account (because withdrawals are technically impossible).

What remains: – The price risk of the assets you hold. – The possibility that the bot makes bad trades and you incur losses. – Responsibility for your own server setup (for self-hosted solutions). – Security of your own Binance account (2FA, password, anti‑phishing measures).

A good trading bot gives you tools to manage price risk: maximum trade size, stop‑loss settings, pair filters, drawdown limits. But you decide how much capital to deploy and which risk parameters to choose.

Common mistakes when setting up a non-custodial bot

From practice, these are the five most frequent user mistakes.

Creating an API key with excessive permissions. Some users enable all permissions for convenience. That is like giving someone your car keys plus a blank power of attorney over your bank account. Only enable what the bot needs. For spot bots: spot trading only.

Forgetting the IP whitelist. Without an IP whitelist, the API key works from any IP address worldwide. That massively increases the attack surface. Enter your VPS IP and you are done.

Neglecting VPS security. Your server is now your infrastructure. That means: SSH keys instead of passwords, firewall enabled, regular updates, Docker in an isolated environment. Many providers supply hardening guides. Read them.

Deploying too much capital at once. No matter how safe the architecture is, start with an amount you can afford to lose. Test the configuration, watch it for a few days, and scale up later.

Starting the bot and forgetting about it. Non-custodial means you stay in control. It also means you are responsible. Check performance, server connectivity, and whether the bot behaves as expected. Once a week is usually enough, but “set and forget forever” is not a strategy.

Which bot type fits which investor?

This depends on three factors: your technical background, your security needs, and how much time you are willing to invest in setup.

If you want to start quickly and prioritize simplicity, an API‑connected cloud bot (3Commas, Cryptohopper, Bitsgap) is the pragmatic choice. Your API key lies on their servers, but custody of your funds remains with you as long as you configure permissions correctly.

If you want maximum control over the code and are willing to build and maintain everything yourself, open-source frameworks (Freqtrade, Hummingbot) are the right choice. No company stands between you and your setup.

If you want professional software with support and updates but do not want your API key on a third‑party server, a commercial self-hosted bot is the middle ground. You get a finished product that runs on your infrastructure.

The choice is not between “good” and “bad”. It is a trade‑off between comfort and control. Both ends of the spectrum are valid.

Regulatory perspective: MiCA and FINMA

Since 2024, the Markets in Crypto‑Assets Regulation (MiCA) has applied in the EU. It defines, among other things, requirements for crypto custodians and service providers. For trading bots, one key question is classification: Is a bot provider a custodian or a software provider?

A non-custodial bot that merely relays trade orders via API and never has access to users’ capital will typically not fall under MiCA’s custody obligations. It is a software tool, not a financial intermediary.

The Swiss FINMA takes a similar approach. Software that runs on the user’s server and only communicates with the exchange via API does not require a financial intermediary license as long as it does not perform custody functions.

Important: This is not legal advice. Regulatory classification depends on the individual case, and the law is evolving. If you are an institutional investor or family office evaluating automated trading, seek tailored advice from a specialized lawyer.

Total cost of ownership: What non-custodial really costs

A common argument against self-hosted solutions is: “That must be more expensive once you include the server.” Is that true?

Let’s run the numbers. Assumptions: 10,000 USD capital, 10% annual return (1,000 USD gross), 12 months.

A typical cloud bot (3Commas Pro, Cryptohopper Adventurer, Bitsgap Advanced) costs between 49 and 64 USD per month. That is 588 to 768 USD per year. Binance trading fees add about 80 USD (assuming 0.1% standard fees and typical trade frequency). Total: 668 to 848 USD. From 1,000 USD profit you keep 152 to 332 USD.

A commercial self-hosted bot with profit sharing (for example, 30% on realized profits) costs 300 USD on 1,000 USD profit. Add a VPS at Hetzner (about 84 USD/year) and the same Binance fees (80 USD). Total: 464 USD. You keep 536 USD.

The key difference appears in bad years. If your bot earns only 500 USD, you pay 150 USD with a profit-sharing model (plus VPS and fees, roughly 314 USD total). A subscription bot still costs the full 588 to 768 USD, regardless of profitability. In this scenario, most subscription bots run at a loss: You earn 500 USD but pay 668 to 848 USD in costs. Net negative.

Profit sharing scales with your performance. In good years you pay more but also earn more. In bad years you pay less. A subscription costs the same whether or not it pays off for you.

Architecture in detail: What happens between your server and Binance

For technically interested readers, here is how the data flow of a self-hosted, non-custodial trading bot works.

Market data stream. The bot opens a WebSocket connection to Binance and receives live price data in real time. These are not delayed quotes; they are the same order book updates professional traders see. Latency depends on your server’s location. A VPS in Frankfurt or Amsterdam typically has 1–5 ms to Binance.
Signal computation. Based on incoming market data and the configured strategy (DCA intervals, grid levels, trend filters, take‑profit targets), the bot computes whether a buy or sell is appropriate. This calculation runs locally on your server. No data leaves your server at this stage.
Order execution. When the bot decides to trade, it sends a signed API request to Binance. The request contains the API key, order parameters (pair, size, price, type), and a digital signature (HMAC‑SHA256) created with your secret key. Binance verifies the signature, checks the IP whitelist, and executes the trade.
Trade confirmation. Binance sends a confirmation. The bot logs the trade in its local database. You see it in the bot’s dashboard and simultaneously in your Binance account.
Monitoring loop. The bot repeats this cycle continuously, 24/7. It monitors connection status, account balance, open orders, and risk parameters. If the connection drops, it stops automatically and attempts to reconnect.

The key security aspect: Your secret key (the “password” for your API key) is stored only on your server. It is never transmitted to Binance. Instead, it is used locally to create the signature. Binance can verify the signature because it knows the same secret, but the key itself is never sent across the network.

Spot‑only as an extra safety layer

Closely related to non-custodial, but often discussed separately, is the question of whether a bot trades spot or futures.

Many cloud bots offer leveraged futures trading. That sounds attractive because potential returns are higher. But leverage introduces a risk that does not exist in spot markets: liquidation.

If you open a 10x leveraged position and the price moves 10% against you, your position is forcibly closed. Your capital is gone. That cannot happen with spot trading. If BTC drops 50%, you lose 50% of your coins’ value, but you still own the coins. No margin call, no liquidation. You can wait for a recovery.

Many non-custodial bots, especially in the self-hosted space, therefore focus intentionally on spot-only. That is not a technical limitation but a design choice: No leverage, no liquidation risk, no total loss through margin.

The setup process: From empty server to running bot

For anyone wondering how much work it really is to set up a self-hosted bot, here is the typical process using a commercial provider as an example.

Step 1: Rent a VPS (10 minutes). Choose Hetzner, Netcup or a similar provider. Select Ubuntu as the operating system. The smallest plan with 2–4 vCPUs and 4 GB RAM is enough to start.

Step 2: Prepare the server (15 minutes). Connect via SSH. Install Docker (often a one‑liner with commercial bots). Configure the firewall.

Step 3: Install the bot (5 minutes). Most commercial self-hosted bots offer an install script. One command, and the software runs in a Docker container.

Step 4: Create a Binance API key (10 minutes). In your Binance account, open API Management, create a new key, enable spot trading only, and set the VPS IP in the whitelist.

Step 5: Configure the bot (15–30 minutes). In the bot’s web interface, enter your API key, select trading pairs, set strategy parameters, and define risk limits.

Step 6: Start and monitor. Activate the bot. Watch the first trades. Verify everything behaves as expected. Adjust parameters if needed.

Total time: roughly 60–90 minutes for someone with basic skills. Many providers offer a setup service for less technical users, handling the entire process so your own effort shrinks to a short call and handing over details.

What to look for when choosing a provider

Six criteria, in order of importance.

Custody model. Where is your API key stored? Where does the software run? Does the provider require withdrawal permissions? If yes, discard immediately.

Registered entity and legal form. A registered company (AG, GmbH, Ltd.) with an identifiable team is more trustworthy than an anonymous project with no legal imprint. Check the company register.

Pricing model. Subscription or profit sharing? Fixed or variable costs? Compute TCO over 12 months, not just the monthly price.

Track record. How long has the provider existed? Are there independent reviews? Are updates released regularly?

Transparency. Can you track every trade? Is there a real‑time dashboard? Or do you only see a single number at month end?

Support and community. What happens when something breaks? Is there documentation, a support channel, a community? For open source, how active is development on GitHub?

FAQ

Can a non-custodial trading bot withdraw my money? No, not if the API key is configured correctly. On Binance you disable withdrawal permission when creating the key. The bot can then trade only.

What happens if my VPS goes down? The bot stops. Your capital on Binance is not affected. Open positions remain open. You can intervene manually via Binance at any time. Once the server is back up, the bot resumes operation.

Do I need technical knowledge for a self-hosted bot? For open-source frameworks (Freqtrade etc.) yes, ideally Linux and Python experience. For commercial self-hosted bots, basic skills are enough. Most offer guided installation or setup services.

How safe is an API key on my own server? As safe as you secure your server. With IP whitelist, SSH key authentication, firewall, and regular updates, the risk is low. It is your responsibility to implement these measures.

How much does a self-hosted trading bot cost? Open source: free (but you invest time). Commercial: from one‑time licenses (e.g. Gunbot from about 199 USD) to profit-sharing models (e.g. unCoded with 30% of realized profits), plus VPS costs of about 5–15 EUR per month.

Is non-custodial always better than custodial? For capital safety: yes. For convenience: not necessarily. Non-custodial requires more personal responsibility. The key question is how much control you are willing to trade for convenience.

Which exchanges support API‑based trading? Binance, Kraken, Coinbase Pro, Bybit, OKX and many others. API configuration differs per exchange, but the basic principle (restricted permissions, IP whitelist) is similar everywhere.

How many trades can a non-custodial bot execute per day? That depends on the software, strategy, and the exchange’s API rate limits. DCA bots do a few trades per day, grid bots can do several hundred, and HFT‑style micro‑trading bots can do thousands.

Do I have to pay taxes on bot trades? Yes, in most countries. Each realized trade is a taxable event. The exact rules differ by jurisdiction. Crypto tax tools can help with reporting.

Can I run multiple bots at the same time? Yes. You can create separate API keys for different bots or configure one bot to manage multiple pairs. Just be aware of your exchange’s API rate limits.

The category that did not have a name yet

Until recently most traders had two mental drawers: cloud bots on one side, open-source on the other. The idea that there could be professional, commercially developed software that still runs on your own server and never passes your API key to a third party was barely on the radar.

That is now changing. Commercial self-hosted bots are a category of their own. They combine the security and control of an open-source setup with the comfort and support of a professional product. They are not the right choice for everyone. But for investors who want to use crypto automation without compromising on custody, they are an option worth knowing.