SoarSoar
Return to dashboard
Broker setup

Connect Webull

8 steps0 fields

Webull keys need both Market Data + Trading. Lock them to your bot's IP and leave 2FA off so the bot can trade around the clock — you can pause it anytime from the dashboard.

Step by step

Getting your Webull API keys

  1. 1
    Open Webull's API Keys Management page
    You need API access first. If you don't have it yet, apply at developer.webull.com — approval is often instant. Then come to the API Keys Management page.
  2. 2
    Tap "Register an API Key Application"
    The blue button sits in the top-right corner. It opens the application form.
  3. 3
    Name your application
    In "Application Name", type "Soar Trading Bot".
    Soar Trading Bot
  4. 4
    Check BOTH API permissions
    • Turn ON: Market Data
    • Turn ON: Trading
  5. 5
    Add your bot's IP to the whitelist
    Tap "+ Add More Address Segments" and paste your bot's server (droplet) public IP. This locks the keys to your bot only. Soar shows you the exact IP during setup.
  6. 6
    DISABLE "Enable 2FA Verification"
    Leave the "Enable 2FA Verification" checkbox OFF. 2FA needs a manual in-app approval on every trade — a 24/7 headless bot can't do that, so turning it on would break automated trading.
  7. 7
    Tap "Submit"
    Webull creates the application. It appears in your API Keys list with the status "Not Generated".
  8. 8
    Generate + copy your keys
    On the list, tap the blue "Generate Key" button next to your application. Webull reveals the App Key and App Secret. Copy both right away — they are shown ONCE only.
Permissions

What to enable — and what to leave OFF

Enable these
  • Market Data
  • Trading
Never enable these
  • Enable 2FA Verification (turn OFF — a 24/7 bot can't approve a 2FA prompt on every trade)
Why this matters: Soar only ever needs read + place-order permissions. If you give a key withdraw or transfer access, anyone with that key could move funds — including a security risk if your machine is ever compromised. Disabling withdraw on the key itself means even a worst-case leak can't drain your account.
What you paste

The fields Soar asks for

    Security & trust

    Where your keys live

    Soar passes your Webullkeys straight from your browser into YOUR Cloudflare Worker. Soar's servers see them once during the ~30-second deploy window, then never again.

    The bot that talks to Webull runs on the free Cloudflare Workers tier in your own Cloudflare account. You see + control everything from your Cloudflare dashboard. You can rotate the keys, pause the bot, or destroy the Worker at any time — Soar has zero ability to undo that.

    Read the full security model
    See also

    Related help topics