How to manage API token lifecycle on Bybit platform?

Bybit strictly applies the principle of least privilege to API keys: fine-grained scopes (such as `account.read`) must be explicitly granted in the dashboard, 2FA must be enabled before transfer permission can be granted, and IP whitelisting and environment-isolated storage are enforced.

Jun 28, 2026 at 03:00 am

Token Generation and Permission Assignment

1. Bybit requires API key creation through its official dashboard under the “API Management” section, where users must explicitly enable specific permissions per key.

2. Each token must be assigned granular scopes—such as account.read, asset.transfer, or order.write—to enforce least-privilege access.

3. Tokens generated without IP whitelisting are automatically restricted to read-only operations unless explicitly enabled during creation.

4. The platform enforces mandatory two-factor authentication (2FA) for any API key with withdrawal or fund transfer permissions.

5. Keys created via Bybit’s V5 API endpoints must include a type parameter specifying whether the token is for spot, derivatives, or unified trading accounts.

Secure Storage and Environment Isolation

1. Bybit recommends storing API keys outside application source code using environment variables or vault-backed secret injection mechanisms.

2. Developers integrating Bybit’s Python SDK must avoid hardcoding credentials in pybit.unified_trading.HTTP initialization blocks.

3. Production deployments should use dedicated service accounts with isolated network policies rather than personal API keys.

4. Dockerized applications must mount secrets via volume mounts or Kubernetes Secrets instead of passing them as build arguments.

5. Local development environments require strict .gitignore rules to prevent accidental commits of .env files containing BYBIT_API_KEY and BYBIT_API_SECRET.

Usage Monitoring and Anomaly Detection

1. Bybit provides real-time API call logs accessible only via authenticated dashboard sessions, showing timestamp, endpoint, status code, and request size.

2. Rate limits are enforced per API key—not per user—and violations trigger immediate 429 responses without grace periods.

3. Unusual geographic origin spikes, such as sudden requests from high-risk ASN ranges, trigger automated key suspension within 90 seconds.

4. The platform flags repeated failed signature validation attempts as potential credential leakage events.

5. Users receive email alerts when API keys exceed 75% of their daily quota threshold, prompting manual review before throttling occurs.

Key Rotation and Decommissioning Procedures

1. Bybit does not auto-expire API keys, making scheduled rotation a developer responsibility enforced via CI/CD pipelines.

2. Every rotation cycle must involve generating a new key pair, updating all dependent services, and verifying functionality before deleting the old key.

3. The DELETE /api/auth/token endpoint requires the exact key ID returned during initial creation—not the key string itself.

4. Revoked keys remain visible in audit logs for 90 days but cannot be reactivated or reused under any circumstance.

5. Automated scripts performing key rotation must validate response codes from Bybit’s /api/auth/tokens endpoint before proceeding to deletion.

Frequently Asked Questions

Q: Can I reuse an API key after deletion?

No. Once deleted via DELETE /api/auth/token, the key is permanently invalidated and cannot be recovered or regenerated with identical parameters.

Q: Does Bybit support OAuth 2.0 for third-party integrations?

No. Bybit exclusively uses HMAC-SHA256 signed requests with API key–secret pairs. OAuth 2.0 is not implemented across any public API surface.
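The HMAC-SHA256 key–secret scheme mentioned above, together with the environment-variable credential loading recommended in the storage section, as an added example that is not part of the original article or of Bybit's SDK. It assumes the V5 signing string is timestamp + api_key + recv_window + payload (query string for GET, JSON body for POST) and the X-BAPI-* header names; the server-side verifier shows why a timestamp window and a constant-time comparison matter.

```python
import hashlib
import hmac
import os
import time

RECV_WINDOW_MS = 5000  # assumed default tolerance between client timestamp and server clock


def load_credentials():
    """Read the key pair from the environment, never from source code (variable names as in the article)."""
    key, secret = os.environ.get("BYBIT_API_KEY"), os.environ.get("BYBIT_API_SECRET")
    if not key or not secret:
        raise RuntimeError("BYBIT_API_KEY and BYBIT_API_SECRET must be set in the environment")
    return key, secret


def sign_request(api_key, api_secret, timestamp_ms, payload, recv_window=RECV_WINDOW_MS):
    """HMAC-SHA256 over timestamp + api_key + recv_window + payload (assumed V5 signing string)."""
    param_str = f"{timestamp_ms}{api_key}{recv_window}{payload}"
    return hmac.new(api_secret.encode(), param_str.encode(), hashlib.sha256).hexdigest()


def build_headers(api_key, api_secret, payload, now_ms=None):
    """Client side: produce the authentication headers for one request."""
    ts = int(time.time() * 1000) if now_ms is None else now_ms
    return {
        "X-BAPI-API-KEY": api_key,
        "X-BAPI-SIGN-TYPE": "2",  # 2 denotes HMAC-SHA256
        "X-BAPI-TIMESTAMP": str(ts),
        "X-BAPI-RECV-WINDOW": str(RECV_WINDOW_MS),
        "X-BAPI-SIGN": sign_request(api_key, api_secret, ts, payload),
    }


def verify_signature(headers, payload, secrets_by_key, server_now_ms):
    """Server side: reject stale or future-dated timestamps, then compare digests in constant time.
    The window check is what makes a captured request worthless once recv_window has elapsed."""
    api_key = headers.get("X-BAPI-API-KEY", "")
    secret = secrets_by_key.get(api_key)
    if secret is None:
        return False  # unknown key: log it, do not tell the caller why it failed
    try:
        ts, window = int(headers["X-BAPI-TIMESTAMP"]), int(headers["X-BAPI-RECV-WINDOW"])
    except (KeyError, ValueError):
        return False
    if not (server_now_ms - window <= ts < server_now_ms + 1000):
        return False  # outside the accepted clock window
    expected = sign_request(api_key, secret, ts, payload, window)
    return hmac.compare_digest(expected, headers.get("X-BAPI-SIGN", ""))
```

Repeated False results from verify_signature for one key are the "failed signature validation attempts" the monitoring section says the platform treats as a possible credential leak.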

Q: What happens if my API key exceeds rate limits on multiple endpoints simultaneously?

Each endpoint operates under independent rate limiting. Exceeding limits on order placement does not affect asset balance queries, but global abuse detection may suspend the entire key.

Q: Are testnet API keys subject to the same security policies as mainnet keys?

Yes. Testnet keys require identical permission scoping, IP whitelisting, and 2FA enforcement. They also appear in the same audit log interface as production keys.
