Bybit API Setup Guide 2026: Copy Trading Configuration, Permissions, and What Changed

Bybit's V5 API is the current standard for connecting automated strategies and copy trading tools to the exchange. The structure is stable: Spot, Derivatives, and Options all run through one unified specification. But early 2026 brought two changes that affect anyone running live bots.

The Transaction Log endpoint rate limit dropped from 50 to 30 requests per second per user ID on February 5, 2026. Any reconciliation loop or PnL tracker polling this endpoint at volume will now hit the ceiling faster than before. And as of February 10, 2026, IP whitelist entries on master API keys can no longer be added or removed through the API itself. Manual, browser-based process now. Every time.

New accounts face a 48-hour lockout before API key generation is available. The mobile app doesn't support key creation at all. Desktop only, full stop.

If you're setting up from scratch, this step-by-step tutorial covers the exact setup. If you're already live, the rate limit change is the part to check today. Open a Bybit account if you don't have one yet.

Step-by-Step: How to Create a Bybit API Key in 2026

Bybit's API key creation requires a desktop browser and at least 48 hours of account age before the option becomes available. The mobile app has no API section. According to the Bybit Help Center, "For new users, API key creation may be restricted for the first 48 hours after registration for risk control purposes." Traders who set up a fresh account specifically to connect a bot hit this restriction constantly. Plan around it.

Log into bybit.com from a desktop browser. Go to account settings, find the API Management section, and click "Create New Key."

You'll choose between two authentication types. HMAC keys are system-generated and work for the vast majority of retail trading bots. RSA keys use auto-generated key pairs where the private key stays entirely on your side, which suits institutional setups where key material must not pass through a third-party server.

Once key creation is complete, copy both the API key and the secret the moment they appear. The secret is shown once and never again.

Every authenticated request needs four headers:

  • X-BAPI-API-KEY: your key string
  • X-BAPI-TIMESTAMP: Unix time in milliseconds (not seconds)
  • X-BAPI-SIGN: HMAC or RSA signature
  • X-BAPI-RECV-WINDOW: set to 5000 (milliseconds)

The recvWindow parameter tells Bybit how long to accept a request after the timestamp was generated. Drift too far from real time and requests fail. 5,000ms is the Bybit-recommended value. Official SDKs exist in five languages: Python, TypeScript, Java, Go, and .NET. They handle timestamp precision and signature generation automatically, which removes the two most common setup failure points. If you're building an integration from scratch, start with the SDK rather than raw HTTP.

As the Bybit API documentation states: "The V5 API brings uniformity and efficiency to Bybit's product lines, unifying Spot, Derivatives, and Options in one set of specifications."

Which Permissions to Enable for Copy Trading

Setting up the wrong permissions is the most common day-one mistake on Bybit. Too many creates a security problem. Too few and the bot simply won't function.

For copy trading and automated position management, you need order execution permissions active on the relevant market type. Read-only access lets you pull balances and position data, but it won't let the system place or close trades. If you're connecting to a platform like AO Shadow for automated copy trading on Bybit, the API key needs active trading rights on linear derivatives, spot, or whichever product type your strategy uses.

What to leave disabled: fiat withdrawal permissions. A trading bot has no reason to initiate fiat withdrawals. And since February 10, 2026, fiat-related permissions can only be set at key creation through the browser, not modified afterward via the API.

The V5 Changelog is direct: "Effective February 10, 2026, users can no longer add/remove IP whitelist entries or modify fiat-related permissions via API through the Modify Master API Key endpoint."

IP whitelisting is worth enabling if your bot runs from a fixed server IP address. It locks the key to requests from that address only, which meaningfully reduces exposure if the key is ever compromised. Any changes to the whitelist now require a browser login. You can't automate that step anymore.

One extra requirement many traders miss in 2026: if your strategy includes XAU or XAG perpetuals (gold or silver), you must call the new agreement endpoint (POST /v5/account/agreement/sign) before the bot can execute trades in those markets. Skip it and orders fail at the exchange level with no clear error message explaining why.

What Changed in Early 2026 and What It Means for Algo Traders

The 2026 changes to Bybit's API are mostly tightening moves: tighter rate limits, stricter security controls, and a handful of new endpoints for institutional risk management. Here's a timeline of what actually changed and who it hits:

Date | Change | Who It Affects
2026-01-28 | Crypto Loan repayment fee update | Crypto Loan users
2026-02-05 | Transaction Log rate limit: 50 to 30 req/sec per user ID | Algo traders, reconciliation systems
2026-02-10 | IP whitelist + fiat permissions via API: disabled | All master API key holders
2026-02-26 | Perpetual funding settlement: auto-adjusted 1h intervals, revert on normalization | Perpetual futures traders
2026-03-17 | BYUSDT Crypto Loan repayment: gradual rollout begins | Crypto Loan traders
2026-03-24 | BYUSDT repayment: fully live | Crypto Loan traders

The February 5 rate limit change is the one that catches live bots. If your system was built against the 50 req/sec ceiling on the Transaction Log endpoint, it will now throttle at 30. Check polling frequency in any reconciliation or PnL-tracking scripts and add backoff logic where it's missing.
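One way to add the missing backoff, as an added example that is not from Bybit or its SDKs: a client-side token bucket held below the 30 req/sec ceiling, plus jittered exponential backoff when a call is throttled anyway. The RateLimited exception, the fetch callable and the 80% headroom figure are assumptions made for illustration.

```python
import random
import time

TX_LOG_LIMIT_PER_SEC = 30  # ceiling since 2026-02-05, per the guide
# Assumed headroom: the limit is per user ID, so other jobs share it.
SAFE_RATE = TX_LOG_LIMIT_PER_SEC * 0.8


class RateLimited(Exception):
    """Hypothetical: raised by the caller's fetch function when throttled."""


class TokenBucket:
    def __init__(self, rate=SAFE_RATE, capacity=SAFE_RATE, clock=time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.tokens, self.last = capacity, clock()

    def reserve(self):
        """Take one token; return seconds to sleep before sending (0.0 if free)."""
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        self.tokens -= 1  # may go negative: that debt is the wait
        return 0.0 if self.tokens >= 0 else -self.tokens / self.rate


def backoff_delay(attempt, base=0.5, cap=30.0, rng=random.random):
    """Exponential backoff with full jitter, so parallel workers do not retry in step."""
    return rng() * min(cap, base * 2 ** attempt)


def poll_once(fetch, bucket, max_retries=5, sleep=time.sleep):
    """Call fetch() under the bucket; back off and retry when it is throttled."""
    for attempt in range(max_retries + 1):
        wait = bucket.reserve()
        if wait > 0:
            sleep(wait)
        try:
            return fetch()
        except RateLimited:
            if attempt == max_retries:
                raise
            sleep(backoff_delay(attempt))
```

Share one TokenBucket across every thread or job that polls the Transaction Log under the same user ID; separate buckets each allow the full rate and together exceed the ceiling.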

The February 26 funding settlement update matters for any strategy that models funding rate behaviour. Bybit changed how 1-hour funding intervals work: they auto-revert to default once threshold conditions normalise. Strategies that assumed interval persistence through a full session need updating.

The additions are worth noting. New pre-order IMR/MMR impact calculators for Unified Trading Account users let you simulate the margin impact of an order before placing it. That's a real upgrade for position-sizing logic in automated strategies. Traders who watch volatile crypto markets, like the kind of rapid moves that generated the recent Fartcoin 20% surge, benefit from having margin checks built into their order logic before execution fires.

The Mistakes Most Retail Traders Make on Day One

The most common mistake is trying to create the API key from the mobile app. You can't. The option isn't there. Desktop browser, always.

Second: not accounting for the 48-hour wait on new accounts. Someone registers an account to connect a bot that same evening and hits a blank wall. There's no override.

Third: using seconds instead of milliseconds for the timestamp. In Python, time.time() returns seconds. The V5 API wants milliseconds. Multiply by 1,000. The SDK handles this automatically. Raw HTTP requests don't.

Fourth: setting recvWindow too low. Bybit recommends 5000ms. Lower it too aggressively and time-window errors appear during brief network latency spikes. Requests that should succeed start failing intermittently.

Fifth (new in 2026): trying to update IP whitelist entries through code. Teams that automate infrastructure provisioning sometimes built this into their deployment pipeline. That no longer works. As of February 10, whitelist management is browser-only. Any script that touches IP whitelist configuration on master API keys needs to be replaced with a manual process.
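The four request headers listed earlier, and the third and fourth mistakes above, in one added example (not code from Bybit or its SDKs) for the HMAC key type. The signing-string order (timestamp, key, recvWindow, then query string or JSON body) and the 1000 ms future-skew bound are assumptions to check against the current V5 documentation; the credentials and query string are constructed placeholders.

```python
import hashlib
import hmac
import time

RECV_WINDOW_MS = 5000  # value the guide recommends


def now_ms() -> int:
    """Unix time in milliseconds; time.time() alone returns seconds."""
    return int(time.time() * 1000)


def sign_headers(api_key, api_secret, payload, timestamp_ms=None,
                 recv_window=RECV_WINDOW_MS):
    """Build the four X-BAPI-* headers for one HMAC-signed request.

    payload is the query string (GET) or the exact JSON body sent (POST).
    Assumed signing string: timestamp + api_key + recv_window + payload.
    """
    ts = now_ms() if timestamp_ms is None else int(timestamp_ms)
    if ts < 10**12:  # 10-digit values are seconds, not milliseconds
        raise ValueError("timestamp is in seconds; multiply by 1000")
    to_sign = f"{ts}{api_key}{recv_window}{payload}"
    signature = hmac.new(api_secret.encode(), to_sign.encode(),
                         hashlib.sha256).hexdigest()
    return {
        "X-BAPI-API-KEY": api_key,
        "X-BAPI-TIMESTAMP": str(ts),
        "X-BAPI-SIGN": signature,
        "X-BAPI-RECV-WINDOW": str(recv_window),
    }


def within_recv_window(timestamp_ms, server_ms, recv_window=RECV_WINDOW_MS):
    """Local model of the freshness check: reject requests older than
    recv_window, and (assumed) those stamped over 1000 ms in the future."""
    return server_ms - recv_window <= timestamp_ms < server_ms + 1000


if __name__ == "__main__":
    # Constructed placeholder credentials; load real ones from a secret store.
    headers = sign_headers("EXAMPLE_KEY", "EXAMPLE_SECRET",
                           "category=linear&symbol=BTCUSDT")
    print({k: v for k, v in headers.items() if k != "X-BAPI-SIGN"})
```

If within_recv_window fails against the exchange's reported server time, fix the host's clock synchronisation before widening recvWindow: a larger window also lengthens the period in which a captured signed request would still be accepted.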

FAQ

How to set up API on Bybit?

Log into bybit.com on a desktop browser, go to Account Settings, then API Management, and select Create New Key. Choose HMAC for standard bot setups or RSA for institutional environments. Copy your key and secret immediately. New accounts must wait 48 hours after registration before the option unlocks. The mobile app does not support API key creation at all.

What is the Bybit promo code for 2026?

Use referral code XXPVJX when registering through the Bybit invite link to access available sign-up offers. Bybit adjusts bonus amounts based on active campaigns and account tier, so check the promotions page after registering to see what applies to your account at that specific point in time.

What are the disadvantages of using Bybit?

The main friction points are the 48-hour API key restriction on new accounts, desktop-only key creation, and the February 2026 removal of programmatic IP whitelist management. Authentication header requirements and millisecond timestamp precision add initial complexity for first-time algo traders. XAU and XAG perpetuals also require a one-time agreement endpoint call before trading can begin.

Does Bybit's V5 API work for both spot and derivatives trading?

Yes. The V5 API covers Spot, Derivatives, and Options through a single unified specification, replacing the older V3 endpoints that had separate interfaces for each product type. One API key can access all markets. Permissions must be set appropriately per product type. Five official SDKs are available: Python, TypeScript, Java, Go, and .NET.

What changed about the Bybit API in early 2026?

Two major changes. The Transaction Log endpoint rate limit dropped from 50 to 30 requests per second per user ID on February 5, 2026, affecting any bot that polls transaction history at volume. As of February 10, 2026, IP whitelist entries and fiat-related permissions on master API keys can no longer be modified through the API. Both changes require action from anyone running live automated strategies.

If you want the execution side of crypto trading handled automatically, AO Shadow manages position entries, exits, and stop placement on Bybit accounts directly. No fixed monthly cost to get started.