How to Use API Trading on Bybit? Developer Beginner Guide

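Using the Bybit API securely requires strictly following the V5 authentication flow: the signature covers the timestamp, key, and payload; keys are limited to read-only permission; keys are never exposed in frontend code; and system clock skew stays under 30 seconds.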

May 07, 2026 at 07:20 pm

API Access and Key Management

1. Log in to your Bybit account via the official website or desktop application.

2. Navigate to Account Settings → API Management → Create API Key.

3. Assign a descriptive name, select IP whitelist restrictions, and enable only necessary permissions such as 'Read Only', 'Trade', or 'Withdrawal'.

4. Confirm creation using 2FA; store both API Key and API Secret offline in an encrypted vault.

5. Never expose API Secret in frontend code, browser console, or public repositories.

Supported API Versions and Endpoints

1. Bybit V5 REST API serves spot, derivatives, and asset endpoints with unified structure and consistent response schema.

2. WebSocket Public Channels deliver real-time market data including order book depth (orderbook.50), tickers (tickers), and trade execution (publicTrade).

3. WebSocket Private Channels support position updates, order status changes, wallet balance notifications, and execution reports.

4. Unified Trading Account endpoints allow cross-margin operations across spot and derivatives without manual fund transfers.

5. All endpoints require strict timestamp synchronization—clock skew beyond 30 seconds triggers rejection.

Authentication Workflow

1. Each request must include the X-BAPI-API-KEY header containing your active API Key.

2. The X-BAPI-SIGN header carries the HMAC-SHA256 hash of the concatenated string: timestamp + api_key + recv_window + payload.

3. The X-BAPI-TIMESTAMP header contains the current Unix timestamp in milliseconds.

4. X-BAPI-RECV-WINDOW defines the acceptable time window for signature validation, defaulting to 5000 ms.

5. The payload must be JSON-serialized with no whitespace and with keys sorted lexicographically before signing.
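
The signing steps above, written out as an added example (not code from the original article or from Bybit). The credentials are constructed placeholders, the function names are illustrative, hex encoding of the signature is an assumption the article does not state, and `verify` is a hypothetical receiver-side model showing why a stale timestamp or an altered body is rejected.

```python
import hashlib
import hmac
import json
import time

# Constructed sample credentials, not real keys. Load real ones from a vault.
API_KEY = "EXAMPLE_KEY_0000"
API_SECRET = "EXAMPLE_SECRET_0000"


def canonical_payload(body):
    """Serialize JSON with sorted keys and no whitespace, as step 5 describes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":"))


def sign(secret, timestamp_ms, api_key, recv_window, payload):
    """HMAC-SHA256 over timestamp + api_key + recv_window + payload (hex is assumed)."""
    message = f"{timestamp_ms}{api_key}{recv_window}{payload}"
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def build_headers(body, recv_window=5000, now_ms=None):
    """Return (headers, payload); send `payload` byte-for-byte as the request body."""
    ts = int(time.time() * 1000) if now_ms is None else now_ms
    payload = canonical_payload(body)
    headers = {
        "X-BAPI-API-KEY": API_KEY,
        "X-BAPI-SIGN": sign(API_SECRET, ts, API_KEY, recv_window, payload),
        "X-BAPI-TIMESTAMP": str(ts),
        "X-BAPI-RECV-WINDOW": str(recv_window),
    }
    return headers, payload


def verify(headers, payload, secret, server_now_ms):
    """Hypothetical receiver-side check: freshness first, then the signature."""
    ts = int(headers["X-BAPI-TIMESTAMP"])
    window = int(headers["X-BAPI-RECV-WINDOW"])
    if abs(server_now_ms - ts) > window:
        return "expired timestamp"
    expected = sign(secret, ts, headers["X-BAPI-API-KEY"], window, payload)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected, headers["X-BAPI-SIGN"]):
        return "invalid signature"
    return "ok"
```

Because the signature covers the exact serialized string, re-serializing the body after signing (for example by letting an HTTP library encode the dict again) can change the bytes and produce a signature mismatch.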

Rate Limiting and Error Handling

1. REST API enforces 120 requests per minute per API key for public endpoints and 60 per minute for private endpoints.

2. WebSocket connections are limited to 100 subscriptions per connection; exceeding triggers automatic disconnect.

3. HTTP 429 responses indicate rate limit exhaustion; clients must implement exponential backoff and jitter.

4. Common error codes include 10001 (invalid signature), 10002 (expired timestamp), and 30087 (insufficient margin).

5. All error bodies contain retCode, retMsg, and additional context fields like orderId or symbol for debugging.

Frequently Asked Questions

Q: Can I use the same API key for both testnet and mainnet?

No. Testnet and mainnet require separate API keys generated from their respective domains. Keys issued on https://api-testnet.bybit.com are invalid on production.

Q: Does Bybit support Webhook integrations for order fills?

No. Bybit does not provide webhook delivery. Clients must maintain persistent WebSocket connections or poll REST endpoints for fill confirmations.

Q: Is it possible to revoke an API key programmatically?

Yes. Use the DELETE /v5/user/api-key endpoint with valid authentication. The operation requires the target key’s ID and cannot be undone.

Q: Are there SDKs officially maintained by Bybit for Python or JavaScript?

Bybit provides community-supported SDKs on GitHub but does not publish or endorse any officially maintained language-specific libraries. Developers rely on pybit and bybit-api packages maintained by third parties.
