Skip to main content

Integration Guidance


To learn more about the V5 API, please read the Introduction.

API Resources and Support Channels



Please visit Bybit's testnet or mainnet to generate an API key

REST API Base Endpoint:

  • Testnet:
  • Mainnet (both endpoints are available):
  • Netherland users: use for mainnet
  • Hong Kong users: use for mainnet
    Bybit cannot promise the stability and performance if you are still using, and this domain has the possibility to be shutdown at any time for users from these two countries/areas.

Select Your API Key Type

System-generated API Keys: The API key generated by the Bybit system operates with HMAC encryption. You will be provided with a pair of public and private keys. Please treat this pair of keys as passwords and keep them safe.

Follow HMAC sample scripts to complete encryption procedures.

Auto-generated API Keys: Self-generated API keys operate with RSA encryption. You must create your public and private keys through the software, and then only provide the public key to Bybit, we will never hold your private key.

  1. Use api-rsa-generator to create RSA private and public keys
  2. Follow the RSA sample scripts to complete encryption procedures.

Parameters for Authenticated Endpoints

The following HTTP header keys must be used for authentication:

  • X-BAPI-API-KEY - API key
  • X-BAPI-TIMESTAMP - UTC timestamp in milliseconds
  • X-BAPI-SIGN - a signature derived from the request's parameters
  • X-Referer or Referer - the header for broker users only

We also provide X-BAPI-RECV-WINDOW (unit in millisecond and default value is 5,000) to specify how long an HTTP request is valid. It is also used to prevent replay attacks.

A smaller X-BAPI-RECV-WINDOW is more secure, but your request may fail if the transmission time is greater than your X-BAPI-RECV-WINDOW.


Please make sure that the timestamp parameter adheres to the following rule:
server_time - recv_window <= timestamp < server_time + 1000
server_time stands for Bybit server time, which can be queried via the Server Time endpoint.

Create A Request


To assist in diagnosing advanced network problems, you may consider adding cdn-request-id to your request headers. Its value should be unique for each request.

Basic steps:

  1. timestamp + API key + (recv_window) + (queryString | jsonBodyString)
  2. Use the HMAC_SHA256 or RSA_SHA256 algorithm to sign the string in step 1, and convert it to a hex string (HMAC_SHA256) / base64 (RSA_SHA256) to obtain the sign parameter.
  3. Append the sign parameter to request header, and send the HTTP request. Note: the plain text for GET and POST requests is different. Please refer to blew examples.
Example signature algorithms can be found here.

An example for how to generate plain text to encrypt

# rule:

# param_str

# parse
timestamp = "1658384314791"
api_key = "XXXXXXXXXX"
recv_window = "5000"
queryString = "category=option&symbol=BTC-29JUL22-25000-C"

HTTP request examples

GET /v5/order/realtime?category=option&symbol=BTC-29JUL22-25000-C HTTP/1.1
-H 'X-BAPI-TIMESTAMP: 1658384431891' \

Common response parameters

retCodenumberSuccess/Error code
retMsgstringSuccess/Error msg. OK, success, SUCCESS, "" indicate a successful response
resultObjectBusiness data result
retExtInfoObjectExtend info. Most of the time it is {}
timenumberCurrent timestamp (ms)
"retCode": 0,
"retMsg": "OK",
"result": {
"retExtInfo": {},
"time": 1671017382656