I built AO Shadow because I was tired of missing trades. But here's a problem I didn't expect after launch: right now, 27 traders in our group have connected to the platform, filled in their details, and then stalled — all at the same step. Bybit API key setup. It's not complicated, but if you've never done it before, the Bybit interface can feel like it was designed to slow you down. This guide fixes that. I'll walk you through the exact steps, show you which permissions to tick (and which to never touch), and explain exactly what Shadow can and cannot do with your key once it's connected.

Why This Matters

AO Shadow can't trade for you without access to your Bybit account. That connection happens through an API key — a credential that lets Shadow communicate directly with Bybit on your behalf. Without it, signals fire, the system tries to execute, and nothing happens on your account. You miss every trade.

We currently have 75 traders with active, working API connections. Another 27 are stuck at the API step. I know this because I can see it on the backend — they've registered, they've set up their profile, but their connection status is still showing as pending. If you're one of those 27, this guide is written specifically for you.

The good news: it takes under two minutes once you know the path.

Step-by-Step: Create Your Bybit API Key

  1. Go to bybit.com and log in to your account. Click the profile icon in the top-right corner, then select Account Settings from the dropdown menu.
  2. In the left-hand sidebar, click API Management. This opens your list of existing API keys (or an empty list if this is your first one).
  3. Click Create New Key. Bybit will ask you to choose a key type. Select System-Generated API Key. Do not choose the "Self-Generated" option — Shadow requires the system-generated format.
  4. In the Note field (Bybit's label for the key name), type AO Shadow. This just helps you identify the key later. Use something clear so you can recognise it if you need to revoke or check it.
  5. Under API Key Permissions, tick API Trading only. This is the only permission Shadow needs. Do not enable Withdrawal, Transfer, or any other permission. I'll explain why in the next section.
  6. Under Linked IP address, you can leave this blank unless you want to restrict access to a specific IP. For most traders, leaving it open is fine.
  7. Complete the verification step — Bybit will send an email code or prompt your 2FA app depending on your security settings. Enter the code to confirm.
  8. Bybit will display your API Key and Secret Key. Copy both immediately. The Secret Key is shown exactly once. If you close this dialog without copying it, you will need to delete the key and create a new one. There is no way to retrieve the Secret after this point.

What to Select Under Permissions

The permissions step is where most mistakes happen. Here's a clear breakdown:

Permission Select? Reason
API Trading Yes — required Allows Shadow to open and close derivative positions on Bybit
Read Not needed Shadow doesn't need to read account history through the API
Withdrawal Never — do not enable Shadow does not need withdrawal access and you should never grant it to any third-party tool
Transfer Never — do not enable Shadow does not move funds between sub-accounts or wallets

API Trading is the only permission Shadow requires. Enabling Withdrawal or Transfer does not improve functionality — it only increases your exposure. Keep it minimal. Trade-only is the correct setting.

Connecting the Key to Shadow

Once you have your API Key and Secret Key copied from Bybit, go to shadow.aotrading.io and log in to your Shadow account.

  1. Navigate to Settings in the Shadow dashboard sidebar.
  2. Find the Bybit API Connection section.
  3. Paste your API Key into the first field and your Secret Key into the second field.
  4. Click Save.
  5. Shadow will run a connection test automatically. If the credentials are correct and the permissions are set to API Trading, you'll see a green connected status within a few seconds.

If the test fails, the most common cause is incorrect permissions on the Bybit side — usually the key was created for Spot trading rather than Derivatives, or the API Trading permission wasn't ticked. Delete the key in Bybit, recreate it following the steps above, and try again.

What Shadow Can and Cannot Do With Your Key

I want to be completely transparent about this because it's a legitimate concern when you're connecting a third-party tool to your exchange account.

What AO Shadow can do with your API key:

  • Open long and short positions on your Bybit derivatives account (USDT perpetuals)
  • Place take-profit and stop-loss orders on the exchange
  • Close open positions when a signal exits or a TP/SL level is hit
  • Adjust position sizing according to your configured settings in Shadow

What AO Shadow cannot do with your API key:

  • Withdraw funds from your Bybit account
  • Transfer funds between wallets or sub-accounts
  • Access your Bybit spot wallet
  • Change your Bybit account settings or security details
  • Log in to your Bybit account directly

The API key is trade-only by design. Shadow interacts exclusively with your derivatives trading account. Your funds stay in your Bybit account at all times.

Common Mistakes

These are the errors I see most often when traders come to me saying their connection failed:

  • Wrong account type in Bybit settings. If you have a Unified Trading Account on Bybit, make sure you're setting API permissions for Derivatives (USDT Perpetual), not just Spot. The API Trading permission needs to cover the derivatives product specifically.
  • Not copying the Secret Key before closing the dialog. This is the most common mistake by far. The Secret Key is shown once. If you clicked away or refreshed the page before copying it, you need to delete the key entirely and start again. This takes two minutes and doesn't affect any open positions.
  • Using an expired or IP-restricted key. If you set an expiry date or restricted the key to a specific IP address that has since changed, the connection will fail. Check your key settings in Bybit's API Management page and update or recreate the key as needed.
  • Creating a Read-only key instead of an API Trading key. Read-only keys look similar in Bybit's interface but can't execute trades. Shadow will appear to connect but won't be able to place orders.

What Happens After You Connect

Once your API key is connected and Shadow shows a green status, you're live. Here's what that actually means in practice:

The next time one of the traders you're copying generates a signal, Shadow receives it and submits your entry order to Bybit within 200 milliseconds. Simultaneously, it places your take-profit levels (TP1 through TP4) and your stop loss directly on the exchange — not held in Shadow's software, but sitting as live orders on Bybit's order book.

You'll see these orders appear in your Bybit Open Orders tab immediately after execution. If you want to verify the connection worked, this is the easiest way to check — open Bybit after the next signal fires and look for the open position and associated TP/SL orders.

Our Shadow Sentinel system then manages those positions automatically. When TP1 hits, it moves your stop loss to breakeven. The whole thing runs in the background while you get on with your day.

Ready to connect? Start your free trial at shadow.aotrading.io — the Sentinel tier is free forever with no credit card required.

FAQ

Is it safe to connect my Bybit account to AO Shadow?

Yes. AO Shadow uses trade-only API keys with no withdrawal or transfer permissions. Shadow can open and close positions on your Bybit derivatives account but cannot access your spot wallet or move funds. Even if the API credentials were ever compromised, an attacker could not withdraw your funds without your Bybit account password and 2FA.

What permissions does AO Shadow need on Bybit?

API Trading only, applied to Bybit Derivatives (USDT perpetuals). You do not need Read, Withdrawal, Transfer, or any other permission. Only API Trading is required for Shadow to enter and exit positions.

What if I lose my Secret Key?

The Secret Key only appears once in Bybit — immediately after you create the key. If you did not copy it, delete the key in Bybit's API Management and create a new one. It takes another 2 minutes and does not affect your open positions.

Can I use one Bybit API key for multiple trading tools?

You can create multiple API keys in Bybit — one per tool. We recommend creating a dedicated key named "AO Shadow" so you can revoke it independently if needed without affecting other connected services.

How do I know if Shadow is connected correctly?

After saving your API key in Shadow settings, the connection status shows green. You can also go to Bybit → API Management and confirm the key shows recent activity after Shadow's first trade execution.

Trading involves risk. Past performance is not indicative of future results. This is not financial advice. DYOR.