Authentication
Authentication
REST API Base Endpoint:
- Testnet:
https://api-testnet.bybit.com - Mainnet (both endpoints are available):
https://api.bybit.comhttps://api.bytick.com
Select Your API Key Type
System-generated API Keys: The API key generated by the Bybit system operates with HMAC encryption. You will be provided with a pair of public and private keys. Please treat this pair of keys as passwords and keep them safe.
Follow HMAC sample scripts to complete encryption procedures.
Auto-generated API Keys: Self-generated API keys operate with RSA encryption. You must create your public and private keys through the software, and then only provide the public key to Bybit, we will never hold your private key.
- Use api-rsa-generator to create RSA private and public keys
- Follow the RSA sample scripts to complete encryption procedures.
Parameters for Authenticated Endpoints
The following HTTP header keys must be used for authentication:
X-BAPI-API-KEY- API keyX-BAPI-TIMESTAMP- UTC timestamp in millisecondsX-BAPI-SIGN- a signature derived from the request's parametersX-RefererorReferer- the header for broker users only
We also provide X-BAPI-RECV-WINDOW (unit in millisecond and default value is 5,000) to specify how long an HTTP request is valid. It is also used to prevent replay attacks.
A smaller X-BAPI-RECV-WINDOW is more secure, but your request may fail if the transmission time is greater than your X-BAPI-RECV-WINDOW.
Please make sure that the timestamp parameter adheres to the following rule:
server_time - recv_window <= timestamp < server_time + 1000
server_time stands for Bybit server time, which can be queried via the Server Time endpoint.
Create A Request
To assist in diagnosing advanced network problems, you may consider adding cdn-request-id to your request headers. Its value should be unique for each request.
Basic steps:
- timestamp + API key + (recv_window) + (queryString | jsonBodyString)
- Use the HMAC_SHA256 or RSA_SHA256 algorithm to sign the string in step 1, and convert it to a hex string (HMAC_SHA256) / base64 (RSA_SHA256) to obtain the sign parameter.
- Append the
signparameter to request header, and send the HTTP request. Note: the plain text for GET and POST requests is different. Please refer to blew examples.
An example for how to generate plain text to encrypt
- GET
- POST
# rule:
timestamp+api_key+recv_window+queryString
# param_str
"1658384314791XXXXXXXXXX5000category=option&symbol=BTC-29JUL22-25000-C"
# parse
timestamp = "1658384314791"
api_key = "XXXXXXXXXX"
recv_window = "5000"
queryString = "category=option&symbol=BTC-29JUL22-25000-C"
# rule:
timestamp+api_key+recv_window+raw_request_body
# param_str
1658385579423XXXXXXXXXX5000{
"category": "option"
}
# parse
timestamp = 1658385579423
api_key = XXXXXXXXXX
recv_window = 5000
raw_request_body = {"category": "option"}
HTTP request examples
- GET
- POST
GET /v5/order/realtime?category=option&symbol=BTC-29JUL22-25000-C HTTP/1.1
Host: api-testnet.bybit.com
-H 'X-BAPI-SIGN: XXXXXXXXXX' \
-H 'X-BAPI-API-KEY: XXXXXXXXXX' \
-H 'X-BAPI-TIMESTAMP: 1658384431891' \
-H 'X-BAPI-RECV-WINDOW: 5000'
POST /v5/order/create HTTP/1.1
Host: api-testnet.bybit.com
-H 'X-BAPI-SIGN: XXXXXXXXXX' \
-H 'X-BAPI-API-KEY: XXXXXXXXXX' \
-H 'X-BAPI-TIMESTAMP: 1658385589135' \
-H 'X-BAPI-RECV-WINDOW: 5000' \
-H 'Content-Type: application/json' \
-d '{
"category": "option"
}'
Common response parameters
| Parameter | Type | Comments |
|---|---|---|
| retCode | number | Success/Error code |
| retMsg | string | Success/Error msg. OK, success, SUCCESS, "" indicate a successful response |
| result | Object | Business data result |
| retExtInfo | Object | Extend info. Most of the time it is {} |
| time | number | Current timestamp (ms) |
{
"retCode": 100000,
"retMsg": "OK",
"result": {
},
"retExtInfo": {},
"time": 1671017382656
}