Skip to main content



To learn more about the V5 API, please read the V5 upgrade guideline.



Please visit Bybit's testnet or mainnet to generate an API key

REST API Base Endpoint:

  • Testnet:
  • Mainnet (both endpoints are available):

Select Your API Key Type

  • System-generated API Keys: The API key generated by the Bybit system operates with HMAC encryption. You will be provided with a pair of public and private keys. Please treat this pair of keys as passwords and keep them safe.

    Follow HMAC sample scripts to complete encryption procedures.

  • Auto-generated API Keys: Self-generated API keys operate with RSA encryption. You must create your public and private keys through the software, and then only provide the public key to Bybit, we will never hold your private key.

    1.Use api-rsa-generator to create RSA private and public key
    2.Follow RSA sample scripts to complete encryption procedures.

Parameters for Authenticated Endpoints

The following http header keys must be used for authentication:

  • X-BAPI-API-KEY - API key
  • X-BAPI-TIMESTAMP - UTC timestamp in milliseconds
  • X-BAPI-SIGN - a signature derived from the request's parameters

We also provide X-BAPI-RECV-WINDOW (unit in millisecond and default value is 5,000) to specify how long an HTTP request is valid. It is also used to prevent replay attacks.

A smaller X-BAPI-RECV-WINDOW is more secure, but your request may fail if the transmission time is greater than your X-BAPI-RECV-WINDOW.


Please make sure that the timestamp parameter adheres to the following rule:
server_time - recv_window <= timestamp < server_time + 1000
server_time stands for Bybit server time, which can be queried via the Server Time endpoint.

Create A Request


To assist in diagnosing advanced network problems, you may consider adding cdn-request-id to your request headers. Its value should be unique for each request.

Basic steps:

  1. timestamp + API key + (recv_window) + (queryString | jsonBodyString)
  2. Use the HMAC_SHA256 or RSA_SHA256 algorithm to sign the string in step 1, and convert it to a hex string (HMAC_SHA256) / base64 (RSA_SHA256) to obtain the sign parameter.
  3. Append the sign parameter to request header, and send the HTTP request. Note: the plain text for GET and POST requests is different. Please refer to blew examples.
Example signature algorithms can be found here.

An example for how to generate plain text to encrypt

# rule:

# param_str

# parse
timestamp = "1658384314791"
api_key = "XXXXXXXXXX"
recv_window = "5000"
queryString = "category=option&symbol=BTC-29JUL22-25000-C"

HTTP request examples

GET /v5/order/realtime?category=option&symbol=BTC-29JUL22-25000-C HTTP/1.1
-H 'X-BAPI-TIMESTAMP: 1658384431891' \
-H 'cdn-request-id: test-001'

Common response parameters

retCodenumberSuccess/Error code
retMsgstringSuccess/Error msg. OK, success, SUCCESS indicate a successful response
resultObjectBusiness data result
retExtInfoObjectExtend info. Most of the time, it is {}
timenumberCurrent timestamp (ms)
"retCode": 0,
"retMsg": "OK",
"result": {
"retExtInfo": {},
"time": 1671017382656