What are HitBTC API keys?
API keys are unique identifiers used to authenticate private requests in the HitBTC API.
Public market data is available without authentication, and all requests associated with account management require authentication via API keys.
API keys can be used to gain access to the full range of our platform’s features through a programming interface.
An API key consists of two parts:
- Public API key - your API identifier.
- Secret key - secret part used to sign your requests to our API. Make sure to keep it a secret.
How to create an API key?
Creating an API key is as simple as accessing your API settings page and clicking the ‘New API key’ button:
Clicking it will create and show you an active Public API key and Secret key without any access rights. On later visits to this page the Secret key is hidden, but you can always receive it via email by clicking the ‘show secret key’ button:
As the Secret key is used to sign requests, it is vital to keep it safe and never show it to anyone.
API keys management
API key access rights
For your convenience, it is possible to restrict which actions a given key can perform. By checking the corresponding checkboxes, you can separately grant access to:
- Order book, History, Trading balance (viewing exchange data and trading history and trading balance of your account);
- Place/cancel orders (managing your active orders and creating the new ones);
- Payment information (generate/view deposit addresses, review main account balances);
- Withdraw cryptocurrencies.
This might be useful if you want a certain program to have access only to certain types of requests, restricting it from gathering data you don’t want it to gather.
Granting access rights for managing orders and initiating withdrawals will require confirmation via email and 2FA code (if enabled).
You can also grant all rights to an API key quickly by checking the “Allow all” box.
Revoking, enabling and deleting an API key
To revoke (deactivate) an API key, set the ON/OFF switch to the OFF position on your API keys settings page. To enable it again, set it to the ON position.
A revoked key is not capable of authenticating requests. It might be a good idea to have a key revoked if you don’t plan to use it in the near future.
Alternatively, you might completely delete the key by clicking the trash bin icon:
A deleted API key cannot be retrieved and cannot be used to authenticate requests. It is a good idea to delete a key in case it was compromised.
Operations initiated through the API (initiating withdrawals, placing orders, etc.) require neither a 2FA code nor email confirmation. The API and Secret keys are sufficient to initiate those actions through a programming interface. Therefore, it is essential to keep them safe.
Here are some tips for keeping them safe:
- Keep track of your keys’ access rights and audit them periodically.
- Use different keys for different services.
- Never share your API and Secret keys with anyone, including HitBTC representatives.
- Always thoroughly check the software you’re planning to use. There is always a chance that it has some hidden features or was designed to steal your personal data.
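One way to run the periodic audit from the tips above is to check a key inventory against the access rights described earlier. This is an added example, not HitBTC code: it assumes you maintain the inventory yourself from the API settings page, and the right names, record fields and finding labels are made up for illustration.

```python
from dataclasses import dataclass
from datetime import date

# The four access rights from the page; the short names are labels made up for this example.
RIGHTS = {"market_data", "orders", "payment_info", "withdraw"}

@dataclass
class KeyRecord:
    label: str        # your own name for the key (never store the Secret key here)
    services: tuple   # programs that hold a copy of this key
    granted: set      # boxes ticked on the API settings page
    needed: set       # rights the service actually uses
    enabled: bool     # state of the ON/OFF switch
    last_used: date   # taken from your own logs

def audit(keys, today, idle_days=90):
    """Return sorted (label, finding, detail) tuples for keys that break the tips."""
    findings = []
    for k in keys:
        if k.granted >= RIGHTS:
            findings.append((k.label, "allow-all", "every right is granted"))
        excess = (k.granted & RIGHTS) - k.needed
        if excess:
            findings.append((k.label, "excess-rights", ",".join(sorted(excess))))
        if len(k.services) > 1:
            findings.append((k.label, "shared-key", ",".join(sorted(k.services))))
        if k.enabled and "withdraw" in k.granted:
            findings.append((k.label, "withdraw-live", "no 2FA or email check via API"))
        if k.enabled and (today - k.last_used).days > idle_days:
            findings.append((k.label, "idle-enabled", f"unused since {k.last_used}"))
    return sorted(findings)

# Constructed sample inventory (not real keys or services).
SAMPLE = [
    KeyRecord("ticker-bot", ("ticker-bot",), {"market_data"}, {"market_data"},
              True, date(2024, 5, 30)),
    KeyRecord("trader", ("grid-bot", "tax-export"), {"market_data", "orders", "withdraw"},
              {"market_data", "orders"}, True, date(2024, 5, 28)),
    KeyRecord("old-script", ("old-script",), set(RIGHTS), {"market_data"},
              True, date(2023, 11, 2)),
    KeyRecord("cold", ("payout-job",), {"withdraw"}, {"withdraw"},
              False, date(2023, 1, 15)),
]

if __name__ == "__main__":
    for label, finding, detail in audit(SAMPLE, today=date(2024, 6, 1)):
        print(f"{label:12} {finding:14} {detail}")
```

Each finding maps to an action on the API settings page: untick excess rights, issue a separate key per service, or switch an idle key to OFF.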