How to configure IP whitelist for Bybit API access?

Bybit API IP Whitelist Configuration Overview

1. Bybit requires strict network-level authorization for all API keys used in production environments. Each API key must be associated with a defined set of IPv4 addresses to restrict request origin points.

2. The IP whitelist is enforced at the exchange’s gateway layer before any authentication or permission checks occur. Requests from non-whitelisted IPs receive HTTP 403 Forbidden responses immediately.

3. Bybit does not support IPv6 whitelisting; only IPv4 addresses or CIDR notation (e.g., 203.0.113.42/32 or 192.0.2.0/24) are accepted during configuration.

4. A single API key can hold up to 20 distinct IPv4 entries, including individual addresses and subnet ranges, but overlapping CIDR blocks are rejected upon submission.

5. Changes to the IP whitelist take effect within 30 seconds without requiring key regeneration or service restarts.

Step-by-Step Whitelist Setup via Bybit Web Interface

1. Log into your Bybit account using official domain www.bybit.com, verify SSL certificate issued to Bybit Limited, and ensure two-factor authentication is active.

2. Navigate to Account Settings → Security → API Management and locate the target API key entry.

3. Click the pencil icon next to the key to open editing mode, then expand the “IP Whitelist” section.

4. Enter one or more IPv4 addresses or CIDR blocks separated by line breaks—no commas or semicolons allowed.

5. Confirm changes using both email verification and Google Authenticator code; failure in either step reverts the entire update.

Whitelist Validation and Troubleshooting

1. After saving, initiate a test call to /v5/account/info using curl or Postman with correct headers and signature.

2. If response contains retCode: 10004, it indicates the originating IP is not on the approved list—even if credentials are valid.

3. Use ip138.com or curl ifconfig.me to confirm the public IP address of the machine hosting your trading bot or script.

4. When deploying on cloud infrastructure, retrieve the Elastic IP or NAT Gateway address—not the private VPC address—as only public-facing IPs are evaluated.

5. Avoid using dynamic residential IPs unless paired with a reliable DDNS service that updates the whitelist automatically through Bybit’s API.

Security Implications of Misconfigured Whitelists

1. Leaving the whitelist empty disables all access regardless of key validity, effectively locking out legitimate traffic.

2. Entering 0.0.0.0/0 or similar broad masks violates Bybit’s security policy and results in immediate key deactivation by automated systems.

3. Reusing the same API key across multiple servers without updating the whitelist exposes the credential to lateral movement if one host is compromised.

4. Failure to rotate IPs after infrastructure migration leads to persistent 403 errors even when credentials remain intact and permissions unchanged.

5. Storing whitelisted IPs in version-controlled configuration files without encryption increases risk of accidental exposure during code audits or repository leaks.

Frequently Asked Questions

Q1: Can I use localhost or 127.0.0.1 in Bybit’s IP whitelist?Bybit rejects loopback addresses entirely. Local development must route through a publicly routable IP or use Bybit’s testnet environment where whitelisting is disabled.

Q2: Does Bybit allow wildcard domains or hostname-based whitelisting?No. Only numeric IPv4 addresses and CIDR blocks are accepted. DNS resolution is not performed during validation.

Q3: What happens if my server’s public IP changes while the whitelist remains static?All API requests from the new IP will fail with error code 10004 until the whitelist is manually updated with the current address.

Q4: Is there a way to programmatically update the IP whitelist using Bybit’s REST API?Bybit does not expose an endpoint for modifying API key settings. Whitelist edits require interactive authentication via the web interface or mobile app.