Skip to main content
Make a first WhiteBIT API call — public data with no authentication, then a private request with HMAC-SHA512 signing. The walkthrough is for developers integrating the v4 REST API for the first time and includes curl and Python examples for each API call.
WhiteBIT does not offer a public testnet or sandbox environment — all API calls in this guide execute against the live API. Steps 1 and 2 are read-only public calls, safe to run freely. Step 4 only reads account balances — it places no orders and moves no funds.

Prerequisites

  • curl or Python 3.x installed
  • Steps 1–2: No account required
  • Steps 3–4: WhiteBIT account (register), 2FA enabled, API key with Info + Trading permissions (create key)
1

Check server time (public, no auth)

Verify connectivity by calling the public server time endpoint — no authentication needed.Endpoint: GET https://whitebit.com/api/v4/public/time (API Reference)
Expected response:
The time field is a Unix timestamp in seconds.For Go and PHP examples, see SDKs.
2

Fetch market data (public, no auth)

Retrieve the list of available markets — spot, futures, and TradFi futures. The endpoint requires no authentication.Endpoint: GET https://whitebit.com/api/v4/public/markets (API Reference)
Expected response (truncated — the full response contains 900+ markets):
Key fields: name (pair), minAmount (minimum order size in base asset), tradesEnabled (pair active status).
For risk-free Spot trading practice, activate Demo Tokens (DBTC + DUSDT) from the WhiteBIT Codes page. The DBTC_DUSDT pair supports the same API endpoints as any Spot market — place, query, and cancel orders without risking real funds. No KYC required.
3

Generate an API key

All private endpoints require an API key. Skip this step if a key is already available.
  1. Navigate to API key settings.
  2. Enable 2FA if not already active — key creation requires active 2FA.
  3. Create a new key with Info + Trading permissions.
  4. Optionally whitelist the current IP address (up to 50 addresses per key).
  5. Save the API key and secret immediately — the portal displays the secret only once and offers no way to retrieve it later.
Store the API secret securely in an environment variable or secrets manager. Never commit secrets to version control or embed credentials in client-side code.
4

Authenticated balance check (private)

Read the Trade account balance. This call requires HMAC-SHA512 signing.Endpoint: POST https://whitebit.com/api/v4/trade-account/balance (API Reference)Every private request requires three headers computed from the request body:
  • X-TXC-APIKEY — the API key string
  • X-TXC-PAYLOAD — Base64-encoded JSON request body
  • X-TXC-SIGNATURE — HMAC-SHA512 of the Base64 payload, hex-encoded, signed with the API secret
The JSON request body must include request (the endpoint path) and nonce (an ever-increasing integer — use Unix milliseconds).See Authentication for the full signing walkthrough.
Expected response:
Each key is an asset ticker. available is the amount ready to trade; freeze is the amount locked in open orders. An empty response ({}) means the Trade balance holds no assets — transfer funds from Main first. See Balances & Transfers for details on Main, Trade, and Collateral account types.

Troubleshooting

The payload used for Base64 encoding must be the exact same JSON string sent as the request body. Verify:
  • The request field matches the endpoint path exactly (e.g., "/api/v4/trade-account/balance").
  • The nonce is an integer larger than the previous request’s nonce — use Unix milliseconds.
  • The API secret is current — regenerating the key invalidates the old secret.
  • The HMAC uses the Base64-encoded string as input, not the raw JSON.
See Authentication for the complete signing walkthrough.
Verify:
  • Copy the API key exactly — no leading or trailing spaces.
  • The key is active. Keys auto-deactivate after 14 days of inactivity. Reactivate at whitebit.com/settings/api.
  • The key has Info + Trading permissions for balance endpoints.
If the API key has IP whitelisting enabled, the request must come from a whitelisted IP address. Add the current IP at whitebit.com/settings/api.
The nonce must be greater than the previous request’s nonce for the same API key. Use int(time.time() * 1000) to generate a millisecond-precision Unix timestamp. Avoid reusing nonces across requests.

What’s Next

Spot Trading Quickstart

Place a first order on a spot market.

WebSocket Quickstart

Stream real-time prices over WebSocket.

Market Data Overview

Browse the 14 public endpoints for tickers, orderbooks, trades, and funding rates.