An API key lets external apps — trading bots, portfolio trackers, and trade journals — read your account or place orders without your password. On Bybit the whole process takes about two minutes, but the permission choices matter enormously for security. This guide walks through it and flags the settings that keep your funds safe.
Before you start
You'll need a verified Bybit account. If you don't have one yet, you can create an account on Bybit and complete KYC first — API access requires a verified account, and signing up through our link also carries a fee benefit.
Decide up front what the key is for, because that determines the permissions:
- A tracker or trade journal → read-only. Never enable trading or withdrawals.
- A trading bot → read + trade. Never enable withdrawals unless you fully trust the software.
- Nothing needs withdrawal permission except a system you built and control yourself.
Step 1: Open API management
Log in, hover your profile icon (top right), and choose API. On the API Management page click Create New Key. Bybit offers two key types: System-generated (the standard choice) and Self-generated (you provide your own public key — for advanced users). Pick System-generated.
Step 2: Name the key and set permissions
Give the key a clear name like "journal-readonly" so you remember its purpose later. Then set permissions deliberately:
- Read-Only — enable this for trackers and journals. It exposes balances and trade history but cannot move funds or place orders.
- Contract / Spot / Unified Trading — only enable the specific product the app needs, and only if it actually places orders.
- Withdrawals — leave OFF. There is almost never a legitimate reason a third-party app needs this.
Step 3: Whitelist an IP (strongly recommended)
Bybit lets you bind the key to specific IP addresses. Do it. An IP-restricted key is useless to an attacker even if it leaks. If you're running a bot on a server, enter that server's static IP. Note that keys *without* an IP whitelist expire after 90 days and can't have trade permissions on some account types — another reason to whitelist.
Step 4: Save your secret immediately
After creation Bybit shows the API Key and API Secret once. The secret is never shown again — copy both into your password manager now. If you lose the secret, you'll have to delete the key and create a new one.
Step 5: Test with the smallest possible scope
Paste the key into your app and confirm it reads balances correctly before doing anything else. For a journal or tracker, that's all you need. For a bot, run it in paper/testnet mode first if available.
Security checklist
- Read-only whenever possible; withdrawals off, always.
- IP-whitelist every key.
- One key per app — never reuse a key across services, so you can revoke one without breaking the others.
- Delete unused keys. Audit your API list every few months.
- Treat the secret like your password. Anyone with a trade-enabled key can drain you through bad fills even without withdrawal access.
Once your key is working, the natural next step is understanding what your trading actually costs. Model your Bybit fees and funding with our fee calculator and funding calculator, and see how Bybit stacks up against other venues on the exchange comparison.