API Keys
Before the bot can trade on your behalf, it needs authenticated access to your Bybit account. This page covers what permissions are needed, how to create the key safely, and how to add it to GridBT.
What the bot does with your keys
GridBT uses your API credentials to:
- Place and cancel orders across all configured pairs in real time, cycling through every grid level as price moves.
- Read positions and trade history to track exposure, detect imbalances, and calculate your grid PnL accurately.
Without valid API keys the bot cannot interact with your exchange account.
Prerequisites checklist
Before creating your API key:
- You are using a subaccount (recommended) to isolate bot funds
- Your Bybit account is a Unified Trading Account (UTA)
- Leverage is set to 5x on your trading pairs. Set this in Bybit's position panel for each symbol.
- Hedge Mode is enabled at the account level (see Bybit's guide: How to enable Hedge Mode on Bybit).
Recommended: use a Bybit subaccount
If you only have one Bybit master account, create a subaccount for the bot so trading risk is isolated.
Why this matters:
- Your bot API key is scoped to the subaccount balance and permissions.
- If something goes wrong, exposure is limited to subaccount funds.
- Your main account is never reachable through the API key configured for GridBT.
Suggested setup:
- In Bybit, create a dedicated subaccount for GridBT.
- Transfer only the funds you want the bot to use into that subaccount.
- Switch into the subaccount context.
- Create API key and secret from that subaccount.
- Use that subaccount API key on the API Keys page.
Rate limits differ by account type. Subaccounts are limited to 10 requests per second, while main accounts can be up to 400 requests per second. In busy markets, subaccounts can hit throttling sooner. As a practical starting point, keep subaccounts to 3 instruments or fewer.
Creating your API key
- Create an API key with Read-Write permission and whitelist the bot IP: 13.212.248.185.
- Grant only the required permissions:
  - Unified Trading > Contract > Orders and Positions
  - Assets > Exchange > Convert, Exchange History (used to calculate your grid PnL)
- Leave Withdraw Assets unchecked. GridBT will never withdraw or transfer your funds.
- Whitelist only the symbols you intend to trade. This is the single most effective security control.
Add a key in GridBT
- Open the API Keys page.
- Select Add Key.
- Paste API key and API secret.
- Save and confirm the key appears in the key list.
Why symbol whitelisting matters
Restricting your API key to the specific symbols you trade makes it much harder for stolen credentials to be abused. Even if your key were leaked, an attacker cannot pump a low-liquidity pair to profit from it when your key only covers deep markets like HYPEUSDT or ETHUSDT. Combined with withdrawal disabled, these two controls close off the most realistic ways a leaked trading key can be monetized.
Real-world example: the 2022 3commas incident
In 2022, 3commas experienced an API security incident where user keys and secrets were leaked. Even though many affected users had withdrawal disabled, attackers exploited the stolen credentials by trading low-liquidity pairs through the platform itself, pumping prices while profiting from short positions on separate accounts. IP whitelisting did not help because the trades originated from the platform's own whitelisted infrastructure.
- What really happened during the hack (Reddit)
- API security incident FAQ (3commas)
- Notice on API data disclosure incident (3commas)
How GridBT protects your keys
GridBT is built by engineers with over a decade of experience working at leading cryptocurrency exchanges, having firsthand knowledge of every major industry security incident. That experience directly shapes how we handle your credentials.
Encryption and storage
- Encrypted at rest. API keys and secrets are encrypted with AES-256-GCM (authenticated encryption with unique IV and auth tag per credential) before they are written to the database. Plaintext credentials never touch persistent storage.
- Double-layered database protection. The database stores both the encrypted blob and a separate pre-computed masked value (first 8 characters only). Even the encrypted column itself is never returned to any user-facing API. The only value your browser ever sees is the mask.
- Separate encryption key. The decryption key lives in AWS Secrets Manager under a dedicated secret, isolated from application code, config files, and environment variables in the production runtime. A database breach alone cannot decrypt your credentials.
Application-level controls
- Never logged. Our structured logging system (Pino) automatically redacts sensitive fields including API keys, secrets, passwords, and tokens across all log output.
- No export endpoints. There is no API endpoint to retrieve, view, or export your full plaintext credentials. This is by design, not an oversight. Even authenticated users cannot read back their own keys.
- Key lifecycle. Your credentials are decrypted once at bot startup, held in process memory only for signing HMAC-SHA256 trade requests to Bybit, and never re-transmitted or stored elsewhere.
Infrastructure security
No sensitive values are stored in application configuration or environment variables in the production environment. All secrets are resolved at runtime from AWS Secrets Manager.
Our AWS account is secured with multiple layers of access control: a locked-down root account with MFA, scoped IAM roles following least-privilege principles, VPC network isolation, and encrypted storage at every tier. Infrastructure access is auditable and restricted to authorized personnel only.
At the network edge, Cloudflare provides enterprise-grade DDoS protection, TLS termination, and request filtering before traffic reaches our application servers.
Your controls
You can revoke your API key directly on Bybit at any time, instantly cutting off all access. For teams that want to manage their own infrastructure, a self-hosted deployment option is planned.