Endpoint groups
OAuth API keys
Recommended partner integration. Issue, retrieve, and delete API keys on behalf of WhiteBIT users.
Authorization and tokens
OAuth 2.0 authorization code flow: authorize, exchange code for access token, refresh.
Account read endpoints
Read account transactions, balances, orders, deals, and conversions on behalf of the authenticated user.
OAuth API key flow
The OAuth API key flow uses Authorization Code with PKCE (S256) and a 4-hour access token without refresh. The partner redirects the user to the WhiteBIT consent screen; on consent and MFA approval, the WhiteBIT platform issues a partner-issued API key for the authenticated(user, OAuth2 client) pair. The partner detects key creation through GET /oauth2/api-key/info, retrieves the secret exactly once through GET /oauth2/api-key/{externalId}/secret, and deletes the key when no longer needed through DELETE /oauth2/api-key/{externalId}. See the Fast API Key integration guide for the full integration walkthrough.
Required scopes
| Scope | Endpoint | Purpose |
|---|---|---|
apikeys.read | GET /oauth2/api-key/info | Check whether a partner-issued API key already exists for this (user, client) pair |
apikeys.read | GET /oauth2/api-key/{externalId}/secret | Retrieve the API secret once |
apikeys.delete | DELETE /oauth2/api-key/{externalId} | Delete a partner-owned API key |
Region availability
The OAuth API key endpoints (/oauth2/api-key/*) are available on the global server (https://whitebit.com) only. The EU server (https://whitebit.eu) does not expose these endpoints in this release.