> ## Documentation Index > Fetch the complete documentation index at: https://docs.whitebit.com/llms.txt > Use this file to discover all available pages before exploring further. # FAQ > Find answers to common questions about the WhiteBIT API, trading, deposits and withdrawals, webhooks, institutional onboarding, compliance, and integration. ## Rate limits and errors Rate limit 429 errors occur when an endpoint exceeds the rate limit. To resolve: * Wait for the rate limit window to reset * Check the specific rate limit value in the endpoint documentation * Implement rate limiting in code For more details, see the [API v4 overview](/api-reference/market-data/overview). For a dettrategies CORS requests to the ticker endpoint are forbidden for security reasons. Make the request from a backend server instead of client-side code. For endpoint details, see the [Market activity endpoint](/api-reference/market-data/market-activity). Nonce errors occur when timestamps or request ordering are invalid. To resolve: 1. Debug the code implementation 2. Recreate API keys 3. Ensure system time is properly synchronized For details on nonce requirements, see the [Authentication guide](/api-reference/authentication). For full details on HMAC-SHA512 signing and nonce requirements, see [Authentication](/api-reference/authentication). Smartplan endpoints are restricted to B2B partner services only. To gain access: * Contact [support@whitebit.com](mailto:support@whitebit.com) * Request permissions for Smartplan endpoints * Provide use case details For endpoint details, see the [Crypto Lending documentation](/api-reference/account-wallet/get-plans). The most frequent API errors and corresponding causes: `422` — validation failed (check required parameters); `429` — rate limit exceeded (wait for window reset); `401` — authentication failed (check API key and HMAC signature); `403` — insufficient permissions (verify API key permissions). See [Errors and Error Handling](/api-reference/rate-limits) for the complete error code reference. ## WebSocket Multiple time periods for pairs are available through multiple WebSocket connections or the HTTP method. Two solutions: 1. Open multiple WebSocket connections 2. Use the equivalent HTTP method instead For more details, see the [Kline documentation](/websocket/market-streams/kline). The system shows only the last 100 deals by default. To access more: * Subscribe to the WebSocket feed * Accumulate and store the data * Process the data as needed For more details, see the [Trades channel documentation](/websocket/market-streams/trades). WhiteBIT offers colocation across EEA/EMEA and APAC regions. Colocation provides access to a subset of 33 trading endpoints. See [Colocation](/platform/colocation) for infrastructure details and the [Market Maker Guide](/guides/market-maker-guide) for the full endpoint list. ## Transfers and withdrawals Transfers may take up to 2 seconds to complete. When making transfers and withdrawals: * Wait for transfers to complete (approximately 2 seconds) * Avoid initiating withdrawals before transfer completion * Implement proper error handling for transfer states For endpoint details, see the [Transfer between balances](/api-reference/account-wallet/transfer-between-balances) documentation. For details on account types (Main, Trade, Collateral), see [Balances & Transfers](/concepts/balances). Withdrawal amount plus fee must not exceed the available balance. Calculate the total required using the [fee endpoint](/api-reference/account-wallet/get-fees). Check the withdrawable amount before initiating a withdrawal. If the issue persists, review open orders possibly reserving funds. See [Balances & Transfers](/concepts/balances) for explanation of available vs. frozen balances. Each cryptocurrency network requires a specific number of block confirmations before a deposit is credited. The webhook payload includes `confirmations.actual` and `confirmations.required` fields. Check the [Asset Status endpoint](/api-reference/market-data/asset-status-list) for per-currency confirmation requirements. Since December 30, 2024, EEA users cannot deposit, withdraw, or create WhiteBIT Codes in USDT. Use USDC (Circle holds an EU e-money license) or EURI (euro-pegged, MiCA-compliant) as alternatives. See [Regulatory Compliance](/institutional/compliance) for details. Deposits below the minimum amount for a currency are not credited to the account balance. Check the minimum deposit amount via the [Asset Status endpoint](/api-reference/market-data/asset-status-list) before generating deposit addresses. No mechanism exists to recover below-minimum deposits. ## Webhooks HTTPS is required for Webhook API communication: * Communication occurs over port 443 * SSL/TLS encryption is mandatory * HTTP connections are not supported For more details, see the [Webhook documentation](/platform/webhook). Each webhook request includes an `X-TXC-APIKEY` header and an `X-TXC-PAYLOAD` + `X-TXC-SIGNATURE` for verification. Verify the HMAC-SHA512 signature using the webhook secret key to confirm the request originates from WhiteBIT. See the [Webhook](/platform/webhook) reference for the full verification flow. WhiteBIT retries failed webhook deliveries 5 times at 10-minute intervals, providing up to 50 minutes of coverage. There is no replay mechanism after the retry window expires. Implement polling of the deposit and withdrawal history endpoints as a fallback for outages exceeding 50 minutes. See [Webhook](/platform/webhook) for details. ## API and assets Check currency status through the assets endpoint: * URL: [https://whitebit.com/api/v4/public/assets](https://whitebit.com/api/v4/public/assets) * The endpoint provides real-time status of all currencies * Check the currency-specific enabled/disabled flags For endpoint details and response schema, see the [Asset status list](/api-reference/market-data/asset-status-list) documentation. ## Trading The API uses "collateral" as a shared prefix for both Margin Trading (up to 10x leverage on spot pairs like `BTC_USDT`) and Futures Trading (up to 100x leverage on perpetual pairs like `BTC_PERP`). The market pair determines the product — not the endpoint path. All endpoints under `/api/v4/order/collateral/` and `/api/v4/collateral-account/` serve both products. See [Margin Trading](/products/margin/overview) and [Futures Trading](/products/futures/overview). Each market has a minimum order amount (`minAmount`) and minimum order value (`minTotal`). Retrieve these values from `GET /api/v4/public/markets` (spot) or `GET /api/v4/public/futures` (futures). Orders below the minimum are rejected. See [Markets & Trading Pairs](/concepts/markets). The kill-switch automatically cancels all active orders after a configurable timeout. Activate via `POST /api/v4/order/kill-switch` with a `timeout` parameter (in seconds). Use `POST /api/v4/order/kill-switch/status` to check the current state. Designed as a safety mechanism for automated trading strategies. See the [Market Maker Guide](/guides/market-maker-guide) for usage patterns. The bulk order endpoint (`POST /api/v4/order/bulk`) accepts up to 20 limit orders in a single request. All orders in the batch must be for the same market pair. The collateral bulk endpoint (`POST /api/v4/order/collateral/bulk`) follows the same 20-order limit. The price returned in a market order response may reflect an internal limit price, not the actual execution price. To obtain the true fill price, check the trade history via `POST /api/v4/trade-account/executed-history` or subscribe to the WebSocket deals channel. See [Order Types](/concepts/order-types) for market order execution details. A reduce-only order guarantees that the order only decreases or closes an existing position — the order cannot increase the position or open a new one. Set `reduceOnly: true` on any collateral order creation endpoint. Available on margin and futures markets only. If no open position exists or the order direction matches the position direction, the API returns error code `116`. If the order amount exceeds the current position size, the system reduces the order to match automatically. Pending reduce-only orders are auto-canceled with status `AUTO_CANCELED_REDUCE_ONLY` when the associated position closes. See [Order Types — Reduce-only orders](/concepts/order-types#reduce-only-orders) for full details. ## Security and API keys Store API keys securely using environment variables, restrict IP access, and use minimum required permissions. Never commit keys to version control. For details, see the [Authentication guide](/api-reference/authentication). For comprehensive security guidance, see [Security Best Practices](/best-practices/security). Immediately delete the compromised key, review account activity for unauthorized actions, and create new API keys. Contact support if unauthorized activity is detected. For details, see the [Authentication guide](/api-reference/authentication). API keys without IP address binding are automatically deactivated after 14 days of inactivity. Bind keys to specific IP addresses to prevent unexpected deactivation. See [Authentication](/api-reference/authentication) for API key management details. ## API usage Use WebSocket for real-time data, batch requests when possible, implement proper rate limiting, and cache frequently accessed data. For details, see the [WebSocket API](/websocket/market-streams/overview). For rate limit tiers and endpoint-specific limits, see [Rate Limits](/api-reference/rate-limits). For colocation infrastructure, see the [Market Maker Guide](/guides/market-maker-guide). Implement automatic reconnection with exponential backoff. Maintain local order state and set up monitoring and alerts for connection issues. For details, see the [WebSocket API](/websocket/market-streams/overview). For a pre-launch readiness checklist including reconnection testing, see the [Go-Live Checklist](/best-practices/go-live-checklist). Start with the [First API Call](/guides/first-api-call) guide for an orientation. The recommended path: create an API key, make a public endpoint call (no auth required), then authenticate a private endpoint call. Official SDKs exist for Go, Python, and PHP. A multi-language quickstart repository provides examples in additional languages including Node.js and Rust. See the [SDKs page](/sdks) for installation instructions and GitHub links. WhiteBIT does not offer a public testnet or sandbox. For risk-free Spot testing, activate Demo Tokens (DBTC + DUSDT) from the [WhiteBIT Codes page](https://whitebit.com/codes) — no KYC required. Trade the `DBTC_DUSDT` pair via the standard API to validate the full order lifecycle without real funds. For Margin, Futures, and fund-movement testing, use minimum order sizes on the live API. See the [Go-Live Checklist](/best-practices/go-live-checklist) for the complete testing strategy. Use the REST API for one-time requests: placing orders, checking balances, fetching trade history. Use the WebSocket API for real-time streaming data: live orderbook updates, trade feeds, account balance changes. REST polling at high frequency consumes rate limits — switch to WebSocket for data that updates continuously. See [Rate Limits](/api-reference/rate-limits) for REST constraints and [WebSocket Quickstart](/guides/websocket-quickstart) for streaming setup. Official SDKs are available for Go, Python, and PHP. Check the [SDKs page](/sdks) for current version, maintenance status, and whether each SDK handles HMAC signing automatically. The [api-quickstart repository](https://github.com/whitebit-exchange/api-quickstart) provides additional examples in Node.js and Rust. Public endpoints (market data, tickers, orderbook) require no account or authentication. Private endpoints (trading, account management) require API keys — create them in account Settings. Institutional features (colocation, OTC, Broker Program) require [institutional onboarding](/institutional/onboarding). See [First API Call](/guides/first-api-call) for the recommended integration path. ## Institutional and partner onboarding WhiteBIT offers Market-Making Programs, Broker Program (40% fee share), Sub-Account management, OTC trading, Crypto Lending for business, colocation, and Liquidity Provision. See the [Institutional Overview](/institutional/overview) for the full catalog. Onboarding has two phases: Phase 1 (crypto access) requires account registration, KYC for the director, and KYB verification. Phase 2 (fiat/SEPA access) requires additional documentation through the fiat processing partner. See [Institutional Onboarding](/institutional/onboarding) for the step-by-step process. Base trading fees are 0.1% maker / 0.1% taker. The Market-Making Program offers rebates up to -0.012% maker. The Broker Program provides 40% fee share on referred user trading fees, with WBT holding boost tiers (200–2M WBT = 40–50% share). Contact [institutional@whitebit.com](mailto:institutional@whitebit.com) for volume-based arrangements. WhiteBIT does not offer a public testnet or sandbox. However, free Demo Tokens (0.5 DBTC + 1,000 DUSDT) are available for risk-free Spot trading via the [WhiteBIT Codes page](https://whitebit.com/codes) — no KYC required. The `DBTC_DUSDT` pair works with all standard Spot API endpoints. For Margin, Futures, and deposit/withdrawal testing, use minimum order sizes on the live API. See the [Go-Live Checklist](/best-practices/go-live-checklist) for the complete testing strategy. WhiteBIT holds licenses in multiple EU jurisdictions and is audited by Hacken for security (ISO 27001, PCI DSS, CCSS). GDPR compliance is maintained for data processing. For specific VASP authorization details and jurisdiction information, contact [institutional@whitebit.com](mailto:institutional@whitebit.com). See [Regulatory Compliance](/institutional/compliance). Colocation is available across EEA/EMEA and APAC regions. Access is limited to a subset of 33 trading endpoints. See [Colocation](/platform/colocation) for setup details and the [Market Maker Guide](/guides/market-maker-guide) for the full endpoint list. ## Compliance and regulatory Since December 30, 2024, EEA accounts cannot deposit, withdraw, or create WhiteBIT Codes in USDT under MiCA regulation. USDC and EURI are available as compliant alternatives. See [Regulatory Compliance](/institutional/compliance) for the full list of affected operations and recommended alternatives. Since May 19, 2025, crypto withdrawals from EEA accounts require a travelRule object in the withdrawal request containing originator details (name, address, birth date, account number). The travelRule object is part of the withdrawal API request body. See [Regulatory Compliance](/institutional/compliance) for the field reference and code examples. WhiteBIT is audited by Hacken. Certifications include ISO 27001, PCI DSS, and CCSS. GDPR is a regulation (not a certification) — WhiteBIT processes data in accordance with GDPR requirements. For audit reports or verification details, contact [institutional@whitebit.com](mailto:institutional@whitebit.com). ## What's Next First steps for API integration — account setup, API keys, and the first authenticated call. Find the recommended integration path for market makers, brokers, payment providers, and algo traders.