How to Set Up Your Bybit API Keys in 2026
Bybit's API setup process changed significantly in March 2026. The exchange now offers 253 API endpoints across six modules, and a new AI Skills feature that lets traders execute orders through ChatGPT, Claude, and Gemini without writing code. But whether you're connecting a third-party trading bot, building your own system, or experimenting with AI-powered execution, the first step is the same: you need an API key with the right permissions.
Here's the problem. Most guides skip the parts that actually trip people up. They show you where to click "Create API Key" and call it a day. They don't mention that a subaccount key can't access main account balances. They don't warn you that forgetting to whitelist your server's IP address locks you out silently, with no error message that makes sense. And they definitely don't explain why your bot placed zero trades even though the connection looked fine.
This Bybit API setup guide covers the full process for 2026, including the V5 unified API changes and the 20+ new endpoints Bybit added in March alone, according to the V5 API Changelog. If you're setting up API access for copy trading tools like AO Shadow or any other automated system, these are the steps and mistakes that actually matter.
Step 1: Create Your Bybit API Key With the Right Permission Scope
Creating an API key on Bybit takes about two minutes. Getting the permissions right takes understanding what you're actually trying to do. Bybit's V5 unified API consolidated spot, derivatives, and options into a single interface, which means one key can access multiple markets. But the permission toggles during key creation determine what that key is allowed to touch.
Log into your Bybit account and go to Account Settings, then API Management. Click "Create New Key." You'll see two options: System-generated API keys and Self-generated keys using your own RSA key pair. For most traders connecting bots or portfolio trackers, system-generated is fine.
The permission screen is where mistakes happen. Bybit groups permissions into categories: Read, Trade, Wallet, and Exchange. A common error is enabling only "Read" permissions and then wondering why your bot can pull price data but can't place orders. If you're running a trading bot, you need Read and Trade at minimum.
| Permission | What It Allows | When You Need It |
|---|---|---|
| Read | Market data, account balances, position info | Always (every integration needs this) |
| Trade | Place orders, modify orders, cancel orders | Trading bots, signal execution, copy trading |
| Wallet | Transfers between accounts, withdrawals | Fund management tools (use carefully) |
| Exchange | Convert between assets | Portfolio rebalancers |
One thing that catches people: if you're using a UTA (Unified Trading Account), your API key automatically has access to spot, derivatives, and options through a single account. If you're on the old standard account structure, you might need separate keys or explicit toggles for each product. Check your account type in settings before creating your key.
Don't enable Wallet permissions unless your tool specifically requires transfers. And never enable withdrawal permissions for a third-party bot. That's not security theater. That's the one rule that actually prevents you from losing money to a compromised tool.
Step 2: IP Whitelisting and Rate Limits That Break Bots
Bybit requires IP whitelisting for API keys, and this single setting causes more failed integrations than anything else.
When you create an API key, Bybit asks you to enter trusted IP addresses. If you leave this blank on some account types, the key works from any IP, but Bybit restricts what it can do. On other configurations, leaving it blank means the key simply won't authenticate. The behavior isn't consistent, and the error messages don't always point to IP whitelisting as the cause.
If you're running a bot on a VPS or cloud server, you need that server's public IP address in the whitelist. Running locally? You need your home IP. And here's the part nobody mentions: if your ISP assigns dynamic IPs, your key will stop working every time your IP changes. You'll wake up to a bot that's been offline for hours.
For traders running multiple tools, Bybit allows up to 20 IP addresses per key. But you can also create multiple API keys with different permissions and different IP restrictions. That's the better approach: one read-only key for your portfolio tracker, one trade-enabled key for your bot, each locked to the specific server that uses it.
Rate limits matter too. Bybit enforces an HTTP rate limit of 600 requests per 5 seconds at the IP level. Per-endpoint limits are tighter: roughly 10 orders per second on core trading paths. If your bot is polling the orderbook, placing orders, and checking positions all on the same key, you can hit these walls fast. The March 2026 update improved spot orderbook push frequency from 200ms to 100ms via WebSocket (V5 API Changelog), so switching from REST polling to WebSocket streams cuts your rate limit usage dramatically.
Step 3: Connecting Your Key to Trading Bots, AI Agents, and Third-Party Tools
Once your API key exists with the right permissions and IP settings, connecting it to external tools follows a standard pattern. Most tools ask for three things: your API key, your API secret, and whether you're on mainnet or testnet.
Here's a breakdown of common connection types:
| Tool Type | What It Needs | Watch Out For |
|---|---|---|
| Trading bots (3Commas, Cornix) | API key + secret, Trade permission | Some require "Contract" toggle for futures |
| Portfolio trackers (CoinGecko, Delta) | API key + secret, Read-only permission | Don't give Trade access to read-only tools |
| Copy trading platforms | API key + secret, Trade + Read permission | Subaccount keys may not see main balances |
| Custom scripts (Python, Node.js) | API key + secret + endpoint URL | Use api.bybit.com for mainnet, api-testnet.bybit.com for test |
| AI agents (via AI Skills) | No API key needed for AI Skills | Requires Bybit account linked to AI platform |
Bybit's new AI Skills feature, launched March 13, 2026 from Dubai, takes a different approach entirely. According to Chainwire, AI Skills lets external AI assistants execute trades through natural language with no SDK, no CLI, no configuration files. The system supports ChatGPT, Claude, Gemini, Cursor, and Windsurf. New users start on testnet before going live, which is a smart guardrail for anyone experimenting.
For developers building custom integrations, the Bybit Developer Portal has the full V5 API documentation. March 2026 brought Alpha Trading on-chain endpoints (March 23), Advanced-Earn DualAssets APIs (March 24), and portfolio margin info endpoints, per the V5 API Changelog. If you built an integration before March, check whether new response fields or categories affect your code.
If you're looking to connect Bybit to a position management tool without building anything yourself, platforms like AO Shadow handle the API connection and automate exits on your behalf. Worth considering if you trade actively but don't want to manage trailing stops manually across positions.
Step 4: Subaccounts, UTA, and the Mistakes That Silently Break Everything
Bybit's account structure has a quirk that burns traders who manage multiple strategies. Main account API keys and subaccount API keys don't share access. If you create a key under your main account, it can't read or trade on your subaccounts. If you create a key under a subaccount, it can't see your main account balances.
This sounds obvious when written out. In practice, people set up a subaccount for their bot, create the API key on their main account, paste it into the bot, and then see empty balances. No error. Just zeros. The key is valid, the connection succeeds, but the key is looking at the wrong account.
The Unified Trading Account adds another layer. UTA merges your spot, derivatives, and USDC options balances into one pool. If your tool was built for Bybit's old account structure, it might request separate balance endpoints that no longer apply. Since March 2026, Bybit also rolled out BYUSDT repayment support in a gradual release from March 17 to full availability on March 24, according to the V5 API Changelog. Older integrations that assume specific repayment behavior may need updates.
Three things to check if your integration shows connected but behaves wrong:
- Confirm the API key belongs to the same account (main vs sub) where your funds sit.
- Verify your account is UTA and your tool supports V5 unified endpoints.
- Check the API changelog for new required fields or deprecated parameters since you last configured your tool.
Bybit serves 80 million+ users across its platform, according to Blockchain Magazine. The exchange has been the second-largest by trading volume for some time. That means the developer community around Bybit's API is large, and most common errors have answers in public forums and GitHub repos. When something goes wrong, the fix is usually one wrong setting, not a fundamental platform issue.
FAQ
How do I create a Bybit API key?
Log into your Bybit account, go to Account Settings, then API Management, and click "Create New Key." Choose system-generated for most use cases. Select Read and Trade permissions for trading bots. Add your server's IP address to the whitelist. Save the API key and secret immediately, as the secret won't be shown again.
What permissions should I give my Bybit API key for a trading bot?
Trading bots need Read and Trade permissions at minimum. Read pulls market data and account info. Trade allows order placement, modification, and cancellation. Never enable Wallet or Withdrawal permissions for third-party bots. If using a UTA account, one key covers spot and derivatives without separate toggles.
Why is my Bybit API key not working?
The three most common causes are wrong IP whitelist settings, mismatched account scope (main vs subaccount key), and insufficient permissions. Bybit silently rejects requests that fail IP checks rather than returning a clear error. Verify your server's public IP matches the whitelisted address and that the key belongs to the account holding your funds.
What are Bybit's API rate limits in 2026?
Bybit enforces 600 HTTP requests per 5 seconds at the IP level and roughly 10 orders per second per endpoint per UID. WebSocket connections for real-time data don't count against HTTP limits. Since March 2026, spot orderbook Level 200 pushes improved to 100ms frequency, making WebSocket the preferred method for high-frequency data.
Can I use AI to trade on Bybit without writing code?
Yes. Bybit launched AI Skills on March 13, 2026, giving AI assistants like ChatGPT, Claude, and Gemini access to 253 API endpoints through natural language. No SDK or configuration needed. New users begin on testnet before live trading. The system translates plain English instructions into API calls with platform security checks.
Setting up Bybit API access doesn't need to be complicated, but the small details, like IP whitelisting, account scope, and permission toggles, are what separate a working integration from a silently broken one. If you trade crypto actively on Bybit and want automated position management without building your own system, AO Shadow connects directly to Bybit's V5 API and handles exits, trailing stops, and DCA management for you. It's free to use, with a 30% profit share model, and over 5,000 traders are already in the AO Trading community.
