Extension security

Autoview

The Chrome extension is the legacy, browser-local way to run Autoview, and its security model follows from that: everything sensitive stays on your machine. That design puts more of the responsibility in your hands than the webhook platform does, so it's worth knowing exactly what you're trusting and how to check it.

Where your keys live

API keys, tokens, and passwords you save in the extension are stored in the extension's local storage, inside your browser, on your computer. They are not sent to Autoview's servers. The only place a credential travels is inside the signed requests the extension makes to your exchange when it trades.

That's the whole model. There is no server-side copy to breach, and equally, no server-side copy to recover from. Your machine is the vault, which is why the habits below matter more here than on the webhook platform. For how the two surfaces compare, see are my API keys safe?

Verify before you install

Anyone can publish a Chrome extension with a familiar name and logo. The one identifier that can't be faked is the extension ID in the Chrome Web Store URL. The genuine Autoview.com Trading Extension is:

  • hjjeplacckkpgfcmgpcnlpmabddkeioi

Check the address bar on the store listing before you click Add to Chrome. If the ID doesn't match, walk away. The official listing carries that exact ID.

The install warning, explained

During install, Chrome warns that the extension can read and change data on the websites you visit, which sounds alarming the first time you see it. Security software can pile on: some antivirus products and hardened browsers interrupt the install with their own warnings and an "install anyway" step. That step is not a verdict; it's the software asking whether you've verified what you're installing. You have, if you checked the ID above.

The permission itself is Chrome's broadest wording for host access the extension needs to talk to exchange APIs from your browser. In practice its page scripts run on TradingView, where it reads your alerts.

Habits that protect your keys

The extension's storage is only as safe as the browser and machine around it. Four habits cover most of the risk:

  • Keep your extension count low, and keep them updated. Every extension you install is code running inside the same browser that holds your keys. Fewer neighbors, less exposure.
  • Be careful what you download and where you browse. Malware on the machine defeats every other measure on this page.
  • Lock your computer when you step away. Windows key + L on Windows, Command + Control + Q on a Mac, Ctrl + Alt + L on most Linux desktops. An unlocked machine with a trading extension is an open brokerage account; a cat on the keyboard is not your reversal signal.
  • Scope the keys themselves. Grant trading permission, never withdrawal, and whitelist your IP where the exchange offers it. A key that can't move funds can't drain you, no matter what happens to the browser.

If you suspect a compromise

Don't debug first, revoke first. Delete the API key on the exchange, which kills it everywhere instantly, then issue a fresh one once the machine is clean. The key is the credential that matters; the extension entry is just a copy of it.

How Autoview handles API keys