
Cool. How does the read-only access work?


For Coinbase we request the Read Permission from Coinbase Connect (OAuth2 flow). For the rest of the exchanges we request the user to add their API keys with restrictions for view-only access (enforced by the exchanges). The instructions are listed for each exchange when you add them from the wallets page: www.cointracker.io/wallets


Mmmm, I've a similar product to yours (and the myriad of other products like this).

One thing pretty much everyone gets wrong is that many of these exchanges don't actually offer read-only keys, and saying so is wildly inaccurate. Case in point is Gemini, where anyone asking for the keys requests Trader-level privileges. This simply blocks withdrawing; a malicious actor could still execute a trade if they got ahold of your keys, and due to the nature of it all that's very no bueno for you.

Each and every single one of these products should be badgering exchanges to support true read-only keys (or OAuth, as much as I hate the spec). I've personally emailed each one, and I dunno who else is doing so, but I'd encourage you to alter your documentation slightly and to badger the exchanges as well.

Otherwise, neat product. Congrats on launching. :)



