Bybit API keys power bots, trackers and trade journals, and like any exchange key they're only as safe as the settings you choose. Get those right and a key is a convenience. Get them wrong and a leaked key can drain your account. Here's how to keep a Bybit key safe.
Choose the least permission that does the job
Decide what the key is for before you create it, and grant nothing extra:
- Tracker, journal or tax tool: read-only. It sees balances and history but can't trade or withdraw. A read-only key that leaks costs you nothing.
- Trading bot: enable only the specific product it trades (derivatives or spot), and never enable withdrawals.
- Withdrawals: essentially never on a third-party key. There's almost no legitimate reason for it.
Remember that even a trade-only key can be abused through a self-trade drain, where an attacker uses your key to buy an illiquid coin at absurd prices into their own sell orders. That's why IP whitelisting matters even without withdrawal permission.
Always IP-whitelist (and note the expiry)
On Bybit, bind the key to specific IP addresses. A whitelisted key is useless to an attacker from anywhere else, which neutralizes most drains. Bybit also expires keys that have no IP whitelist after 90 days, so whitelisting is both safer and more convenient. If your bot runs on a server, whitelist that server's static IP.
Create the key correctly
1. Log in, open the API management page, and create a new System-generated key. 2. Name it clearly, like "journal-readonly", so you remember its purpose. 3. Set read-only, or scope trade permissions to only what a bot needs. Leave withdrawals off. 4. Add your IP whitelist. 5. Copy the API key and secret into a password manager. The secret is shown once.
Our full walkthrough is in How to Create a Bybit API Key, and the general principles are in How to Keep Your API Keys Safe.
If a Bybit key is compromised
Move fast: delete every API key in the API management page, change your password, re-verify 2FA, enable a withdrawal address whitelist, and move remaining funds to a fresh wallet. Then scan your device for malware. For the full incident checklist, see Crypto Wallet Drained? What to Do Right Now.
The three habits that matter
Nearly every drained-account story comes down to skipping one of these: least-privilege permissions, IP whitelisting, and never sharing your secret. Lock in all three and a Bybit key becomes exactly what it should be, a safe convenience. Once it's set up, put it to work by modelling your real trading costs with our fee calculator.