Connecte Bybit à ton trading bot

Why Bybit

Bybit is the second-largest derivatives venue and offers a Unified Trading Account (UTA) that lets one collateral pool back spot, USDT perpetuals, and inverse contracts. For futures-focused strategies, the V5 API surface is clean and the maker rebates on perp pairs are competitive.

Bybit is available globally but excludes US persons. Their KYC tiers gate higher rate limits and withdrawal sizes; for API trading the standard Verified tier is sufficient.

Before you start

Complete Bybit's Identity Verification (Level 1 is enough for most users). Enable 2FA via Google Authenticator and bind a passkey if available. Note Bybit's V5 API requires the Unified Trading Account — if your account is still on the legacy Standard Account, upgrade from Assets → My Assets → Upgrade to Unified Trading Account before issuing the key.

Create the API key

1. Log in and open Account & Security (top-right avatar) → API.
2. Click Create New Key → System-generated API Keys.
3. Pick API Transaction (not the read-only diagnostics key).
4. Name the key, e.g. noon-barbari.
5. Set an expiry — Bybit defaults to 90 days, which is healthy. You can also pick "No Expiry" but the security best practice is rotation.
6. Complete the 2FA + email challenge. The secret is shown once — copy it now.

Set the right permissions

Under Permissions, select:

• ✅ Contract — Orders and Positions (futures trading).
• ✅ Spot — Trade (spot strategies).
• ✅ Unified Trading — Trade (covers UTA flows).
• ✅ Wallet — Account Transfer is optional; only enable if a strategy needs to move funds between sub-accounts.
• ❌ Withdraw — leave OFF.
• ❌ Sub-Account Transfer (Master) — only relevant if you orchestrate sub-accounts; off by default.

Save.

IP whitelist

Strongly recommended. Under the IP Restrictions section, pick Only allow IPs in the list and add:

51.38.112.198

Bybit allows up to 20 IPs per key. Without an IP whitelist the key works from anywhere — fine for testing, less fine for production capital.

51.38.112.198

Paste keys into Noon Barbari

Once the API key is created, copy the public key and the secret into Noon Barbari from the Profile → Exchange keys section of your account. Keys are encrypted at rest with a per-user envelope key and only decrypted in memory while a strategy run is active — they never leave the worker that needs them.

If the exchange issues a third value (passphrase, API memo, sub-account label), there will be a dedicated field for it. Save the form and the dashboard will run a lightweight balance query to confirm the credentials work.

Test the connection

Noon Barbari will issue a single read-only balance request the moment you save the key. A green tick means the credentials authenticated and your permission scopes match what the strategy needs. A red error usually points to one of four things: wrong key/secret pair, missing permission, IP whitelist mismatch, or 2FA grace period not yet expired.

Once green, run a small paper trade for a day before flipping a strategy to live. Real execution exposes you to fees, partial fills, and slippage that paper mode cannot replicate.

Security tips

Treat exchange API keys like SSH keys to a production server — rotate them on a schedule and revoke them the moment you no longer need them.

1. Never grant withdraw — Noon Barbari only needs read + trade. A key without withdraw cannot move funds out of your account, no matter who steals it.
2. Use a sub-account if your exchange supports them — isolates the bot's capital from your spot stack and your manual trading.
3. Enable IP whitelist even when the exchange does not require it.
4. Rotate keys every 90 days — set a calendar reminder. The exchange's UI will let you create a new key and revoke the old one in the same session.
5. Enable exchange-side alerts for new API keys, failed logins, and large orders so you find out about a compromise within minutes, not days.

Pièges fréquents

• Creating a key on a Standard Account, then trying to call V5 endpoints. Upgrade to Unified Trading Account first or the request will return retCode 10005.
• Choosing "No Expiry" out of convenience — set 90 days and rotate.
• Forgetting that Bybit treats Unified Trading and legacy Spot wallets differently. UTA-enabled accounts have one balance pool; pre-UTA accounts have separate wallets.
• Ignoring the secret on the create dialog — Bybit only shows it once and there is no "reveal" later.

Dépannage

• retCode 10003 — API key is invalid.

  Either the key/secret pair is wrong, or the key has expired (Bybit's keys default to 90 days). Generate a new key, paste both halves, and update Noon Barbari.

• retCode 10005 — Permission denied.

  The key is missing the scope your strategy needs. Edit the key on Bybit and tick the matching trading permission (Spot, Contract, or Unified Trading).

• retCode 10010 — Unmatched IP.

  Your IP whitelist does not include Noon Barbari's egress (51.38.112.198). Add it under the key's IP restrictions.

• My futures order is rejected with `position mode not match`.

  Bybit perps support One-Way and Hedge modes; your strategy must match. Either change position mode in the Bybit UI (Derivatives → Trade → Settings), or switch the strategy to use the existing mode.