Connecte Bitfinex à ton trading bot

Why Bitfinex

Bitfinex was one of the first crypto exchanges and remains a reference book for many alts. Its margin and funding markets are unique — funding is an order book where you lend or borrow at a competitive rate, useful for cash-and-carry trades. The V2 REST + WebSocket API is mature, and the sub-account feature lets you isolate the bot's funds from the rest of your portfolio.

Bitfinex restricts US persons and a few other jurisdictions; check eligibility before signing up.

Before you start

Complete Bitfinex's Intermediate verification — Basic accounts cannot create API keys for trading. Enable 2FA via Google Authenticator or U2F. Optionally create a sub-account from Account → Sub-Accounts; the sub-account model is the cleanest way to ring-fence a bot's capital and audit its activity separately.

Create the API key

1. Sign in and open Account (top-right) → API Keys (or directly: setting.bitfinex.com/api).
2. Click Create New Key.
3. Enter a Label, e.g. noon-barbari.
4. Tick the permission boxes (next section).
5. Optionally set an IP whitelist in the same dialog.
6. Complete 2FA. Bitfinex shows the API Key and API Secret once; copy both.

For sub-account scope, switch the account dropdown to the sub-account before clicking Create — the key inherits that sub-account's permissions.

Set the right permissions

Bitfinex uses a granular grid of permissions. Tick:

• ✅ Account History — Read
• ✅ Orders — Read & Write
• ✅ Margin Trading — Read & Write (only if the strategy uses margin)
• ✅ Derivatives Trading — Read & Write (only for perp / futures pairs)
• ✅ Wallets — Read
• ❌ Withdraw — leave OFF.
• ❌ Wallets — Transfer between wallets — only enable if the strategy explicitly needs it.
• ❌ Funding Offers — Write — only if you are running a funding strategy.

Click Create.

IP whitelist

Strongly recommended. In the create dialog (or under the existing key's Edit screen) add:

51.38.112.198

Bitfinex allows comma-separated IPs and ranges. Without a whitelist, the key works from anywhere on the public internet.

51.38.112.198

Paste keys into Noon Barbari

Once the API key is created, copy the public key and the secret into Noon Barbari from the Profile → Exchange keys section of your account. Keys are encrypted at rest with a per-user envelope key and only decrypted in memory while a strategy run is active — they never leave the worker that needs them.

If the exchange issues a third value (passphrase, API memo, sub-account label), there will be a dedicated field for it. Save the form and the dashboard will run a lightweight balance query to confirm the credentials work.

Test the connection

Noon Barbari will issue a single read-only balance request the moment you save the key. A green tick means the credentials authenticated and your permission scopes match what the strategy needs. A red error usually points to one of four things: wrong key/secret pair, missing permission, IP whitelist mismatch, or 2FA grace period not yet expired.

Once green, run a small paper trade for a day before flipping a strategy to live. Real execution exposes you to fees, partial fills, and slippage that paper mode cannot replicate.

Security tips

Treat exchange API keys like SSH keys to a production server — rotate them on a schedule and revoke them the moment you no longer need them.

1. Never grant withdraw — Noon Barbari only needs read + trade. A key without withdraw cannot move funds out of your account, no matter who steals it.
2. Use a sub-account if your exchange supports them — isolates the bot's capital from your spot stack and your manual trading.
3. Enable IP whitelist even when the exchange does not require it.
4. Rotate keys every 90 days — set a calendar reminder. The exchange's UI will let you create a new key and revoke the old one in the same session.
5. Enable exchange-side alerts for new API keys, failed logins, and large orders so you find out about a compromise within minutes, not days.

Pièges fréquents

• Creating the key on the master account but funding the sub-account (or vice versa). The key's scope is the account it was issued under.
• Forgetting that Bitfinex pair codes start with t (e.g. tBTCUSD). CCXT translates this for you but raw responses will look unfamiliar.
• Enabling Funding Offers — Write without realising it lets the key open lending positions. Leave OFF unless you intentionally run a funding strategy.
• Skipping the 2FA step at key creation time — Bitfinex blocks the request and the key never persists.

Dépannage

• 10100 — apikey: invalid.

  The key or secret is wrong. Re-paste from your password manager; Bitfinex keys are case-sensitive and 43 chars long.

• 10114 — nonce too small.

  Two clients are racing on the same key, or the server clock skewed. Avoid sharing the same key between Noon Barbari and a local script; create a second key for local development.

• Method not allowed for this key.

  The action requires a permission the key does not have. Edit the key on the Bitfinex side and tick the corresponding scope.

• Should I use a sub-account?

  Yes if you want to ring-fence the bot's capital. Sub-account API keys cannot reach the master account's funds, which is a strong safety property if a key ever leaks.