Skip to main content
GET
/
oauth2
/
api-key
/
{externalId}
/
secret
Retrieve OAuth API key secret
curl --request GET \
  --url https://whitebit.com/oauth2/api-key/{externalId}/secret \
  --header 'Authorization: Bearer <token>'
{
  "data": {
    "apiSecret": "YOUR_API_SECRET"
  }
}

Authentication

OAuth 2.0 Bearer token. Required scope: apikeys.read. See Authentication. The endpoint is available on https://whitebit.com only.

Cache

No caching. The response carries Cache-Control: no-store.

Notes

Store the API secret in encrypted backend storage on first retrieval. The secret is not recoverable after this call returns.
The endpoint returns the secret exactly once per key. A subsequent call for the same key returns 409 Conflict. Recovery from 409 requires deleting the key via Delete OAuth API key and restarting the OAuth API key flow to issue a new key — the secret cannot be re-issued for an existing key. A 423 Locked response indicates a concurrent secret-retrieval attempt against the same key. Retry the request after a short delay. Use exponential backoff starting at 5–10 seconds, doubling per attempt, capped at 60 seconds, with a total budget of 3–5 minutes. The platform does not currently send a Retry-After header.
  • Obtain the externalId path parameter from Check OAuth API key existence.
  • The endpoint does not return the public apiKey string. The WhiteBIT frontend delivers the public apiKey to the partner at consent completion. [PENDING: confirm with the WhiteBIT frontend team where exactly the partner receives the public apiKey (callback parameter name and URL location) — update this note with the wire-level details once confirmed.]

Authorizations

Authorization
string
header
required

OAuth 2.0 Bearer Token authentication. Include the access token in the Authorization header.

Example: Authorization: Bearer YOUR_ACCESS_TOKEN

Path Parameters

externalId
string<uuid>
required

External UUID of the API key. Obtain the value from GET /oauth2/api-key/info.

Example:

"550e8400-e29b-41d4-a716-446655440000"

Response

Successful response. The secret is returned exactly once.

data
object