How to generate Bitfinex API keys? (Trading bot setup)

Account Verification and Access Requirements

1. Users must complete full Know Your Customer (KYC) verification before accessing API key generation functionality.

2. Bitfinex restricts API creation to accounts with two-factor authentication (2FA) enabled via authenticator app or hardware token.

3. Accounts flagged for suspicious activity or under regulatory review are denied API key issuance until resolution.

4. Corporate accounts require additional documentation including incorporation certificates and authorized signatory lists.

5. IP address geolocation must match the jurisdiction of the registered account; mismatched locations trigger manual review.

Step-by-Step Key Generation Process

1. Log into the Bitfinex web interface using verified credentials and active 2FA session.

2. Navigate to Account → API → Create New Key to access the key configuration panel.

3. Select permission scopes: read-only, trade execution, wallet management, or margin lending — each requiring explicit confirmation.

4. Define IP whitelisting rules; keys without at least one approved IPv4 or IPv6 address are automatically rejected.

5. Confirm creation using a time-based one-time password (TOTP) generated by the linked authenticator device.

Security Configuration Protocols

1. All newly generated keys inherit default rate limits: 15 requests per second for public endpoints, 5 per second for private endpoints.

2. Withdrawal permissions require separate email confirmation sent to the verified account address.

3. Keys assigned trading privileges must undergo mandatory 72-hour cooling-off period before executing first order.

4. Session timeout is enforced after 90 days of inactivity; expired keys cannot be reactivated and must be regenerated.

5. Bitfinex enforces TLS 1.3 encryption exclusively; attempts to use keys over unsecured connections result in immediate revocation.

Integration Testing and Validation

1. Developers must validate key functionality using the /v2/auth/r/wallets endpoint before initiating live trading operations.

2. Test orders placed via API must use the sandbox environment first; production keys are blocked from sandbox usage.

3. Signature validation errors return HTTP 401 responses with cryptographically signed error payloads containing timestamp and nonce values.

4. Orderbook depth queries require separate key permissions distinct from ticker or trade history access.

5. Margin position synchronization endpoints demand elevated permissions not granted by default even on full-access keys.

Frequently Asked Questions

Q: Can I generate multiple API keys with identical permission sets?Yes, Bitfinex allows unlimited key generation per account as long as each key has unique IP whitelisting rules and descriptive labels.

Q: What happens if my API key is exposed in client-side JavaScript code?Bitfinex immediately invalidates any key detected in publicly accessible frontend code through automated scanning systems operating across GitHub, npm, and CDN archives.

Q: Do API keys expire automatically after major platform updates?No, keys remain valid unless explicitly revoked or compromised; however, deprecated endpoints may return HTTP 410 errors without warning upon infrastructure upgrades.

Q: Is there a way to audit which endpoints a specific API key has accessed?Yes, the Audit Logs section under API Management displays timestamped records of every authenticated request including path, method, response status, and processing latency.