Guide · setup

How to create a Bybit API key for copy trading (without giving away your funds).

May 25, 2026 · 9 min read

Why a trading-only API key is the only safe setup

A Bybit API key is essentially a delegated login — a pair of strings (an API key and a secret) that let a piece of software act on your account without your password. The permissions you grant when you create the key define what that software can do. Get the permissions right and you've separated strategy risk from theft risk entirely.
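To make "delegated login" concrete, here is an added Python example (not Glimpse's or Bybit's code) showing how a client signs a request with the key pair and how an exchange verifies it. It assumes the layout Bybit documents for its v5 API (HMAC-SHA256 over timestamp + API key + receive window + query string, carried in X-BAPI-* headers); confirm the exact concatenation against current Bybit docs before relying on it. The credentials, the order parameters and the stored-secret table are constructed for the demo, and parameters are sorted here only for determinism.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed placeholder credentials for the demo; real keys never belong in source.
API_KEY = "EXAMPLE-API-KEY"
API_SECRET = "EXAMPLE-API-SECRET"
RECV_WINDOW_MS = 5000  # how stale a request timestamp may be before it is rejected


def sign_request(api_key, api_secret, timestamp_ms, params, recv_window_ms=RECV_WINDOW_MS):
    """Client side: produce the auth headers for one request.

    Assumed layout (Bybit v5 style): HMAC-SHA256 over
    timestamp + api_key + recv_window + query_string.
    Only the signature travels; the secret itself never leaves the client.
    """
    query_string = urlencode(sorted(params.items()))  # sorted for a deterministic demo
    payload = f"{timestamp_ms}{api_key}{recv_window_ms}{query_string}"
    signature = hmac.new(api_secret.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return {
        "X-BAPI-API-KEY": api_key,
        "X-BAPI-TIMESTAMP": str(timestamp_ms),
        "X-BAPI-RECV-WINDOW": str(recv_window_ms),
        "X-BAPI-SIGN": signature,
    }


def verify_request(secret_lookup, headers, params, now_ms):
    """Exchange side: recompute the signature from the stored secret and compare.

    Returns (ok, reason). A stale timestamp fails before the HMAC is checked,
    which is what limits replay of a captured request.
    """
    api_key = headers.get("X-BAPI-API-KEY", "")
    secret = secret_lookup.get(api_key)
    if secret is None:
        return False, "unknown api key"
    try:
        timestamp_ms = int(headers["X-BAPI-TIMESTAMP"])
        recv_window_ms = int(headers["X-BAPI-RECV-WINDOW"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp headers"
    if abs(now_ms - timestamp_ms) > recv_window_ms:
        return False, "timestamp outside receive window"
    expected = sign_request(api_key, secret, timestamp_ms, params, recv_window_ms)["X-BAPI-SIGN"]
    # compare_digest avoids leaking which prefix of the signature matched
    if not hmac.compare_digest(expected, headers.get("X-BAPI-SIGN", "")):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Sign a constructed order request, then show what verification accepts and rejects."""
    stored_secrets = {API_KEY: API_SECRET}  # what the exchange holds for this key
    order = {"category": "linear", "symbol": "BTCUSDT", "side": "Buy", "qty": "0.01"}
    ts = 1_700_000_000_000
    headers = sign_request(API_KEY, API_SECRET, ts, order)
    return {
        "genuine": verify_request(stored_secrets, headers, order, ts + 100)[1],
        "tampered_qty": verify_request(stored_secrets, headers, {**order, "qty": "1.0"}, ts + 100)[1],
        "replayed_later": verify_request(stored_secrets, headers, order, ts + 60_000)[1],
        "secret_in_headers": API_SECRET in headers.values(),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point for key hygiene: the exchange only ever sees the key id and a per-request signature, so anyone who obtains the secret can produce valid signatures for whatever the key's permissions allow, and nothing else. That is exactly why the permission set, not the secrecy of the string alone, bounds the damage.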

The split that matters: withdrawals. If the API key cannot withdraw, the worst possible outcome from a leak or a malicious service is that someone places trades you wouldn't have placed. That's a strategy problem — annoying, recoverable, capped at your account balance. If the API key *can* withdraw, the worst case is that an attacker drains your account in a single transaction. That's a permanent capital loss.

These two outcomes are not the same risk and should not be treated as the same setting. Glimpse, and every reputable copy-trading service, never needs withdrawal permissions. If a service asks for them, that's a hard no.

Before you start — two prerequisites

First, your Bybit account needs to be KYC-verified to use the API at meaningful size. If you haven't done KYC, do that first — the API key dialog is partly disabled until verification clears. Submit ID, wait for confirmation (usually same-day), then come back. If you're weighing Bybit against Toobit (which has lighter KYC in many regions), the exchanges page has a side-by-side on both.

Second, enable 2FA on your Bybit account (Google Authenticator or equivalent — not SMS, which is hijackable). 2FA is required to create API keys, to change their permissions, and to revoke them. If you ever need to revoke a key in a hurry, you don't want to be scrambling for an SMS code that doesn't arrive.

Once both are done, you're ready to create the key.

Step-by-step — creating the key in Bybit's dashboard

1. Log in to Bybit. Open the user menu in the top right and click API. (Direct URL: bybit.com/app/user/api-management.)

2. Create new key. Click Create New Key. Choose System-generated API Keys, not Custom, unless you have a specific reason.

3. Name the key. Use something descriptive: `glimpse-copy-trade-2026` is better than `key1`. If you ever have multiple keys, the name is how you'll tell them apart in a panic.

4. Set permissions. This is the load-bearing step. Detailed breakdown in the next section.

5. Set expiry. Bybit lets you set 30, 60, 90 days, or no expiry. Pick 90 days. No-expiry keys never get rotated, and keys that never get rotated are the ones still active when an old laptop gets stolen.

6. (Optional) Whitelist IP addresses. If the service you're connecting publishes a static egress IP, paste it here. Glimpse currently doesn't publish a static IP for the consumer copy-trade layer, so leave this blank in our case.

7. Complete 2FA. Enter your Google Authenticator code. Bybit will display the API key and secret once. Copy both somewhere safe before closing the dialog.

Once you close the dialog, the secret is unrecoverable. If you lose it, you create a new key — that's the design, and it's a feature.

What each permission actually does

Read. Lets the API key fetch balances, positions, order history, and account state. Required for copy trading. There's no privacy downside to enabling this — the service needs to know your balance to size positions correctly.

Contract Trading (Derivatives). Lets the key open, modify, and close perpetual and futures positions. This is the one Glimpse needs. It cannot move money — it can only place orders.

Spot Trading. Lets the key buy and sell spot crypto. Glimpse's copy trading runs on perpetuals, not spot, so this can stay off. If you also use a different service that trades spot, create a separate key for that — don't merge permissions across services.

Withdrawal. Lets the key move funds off the exchange. Leave this off. Every reputable copy-trade and bot service is built to function without it. Any service that requires it is asking for trust no software should have.

Internal Transfer. Lets the key move funds between sub-accounts inside Bybit. Glimpse doesn't need this. Leave it off.

Convert. Lets the key swap between assets via Bybit's internal swap interface. Not needed for copy trading. Leave it off.

Affiliate / Earn / Copy Trading (as a leader). These are for users who *are* the leader, not the follower. Not relevant to you.

IP whitelisting — when to use it and when not to

IP whitelisting restricts the API key to a specific list of source IP addresses. Connections from anywhere else get rejected. It's the strongest single defense against a stolen key being used by someone other than the intended service.

It only works if the service connecting to your exchange publishes a static egress IP — meaning their outbound traffic always comes from the same IP address. For institutional or self-hosted services this is normal. For most consumer copy-trade platforms, including the current Glimpse user-fanout layer, traffic comes from a dynamic pool, so whitelisting will block legitimate trades.

Rule of thumb. If the service tells you to whitelist IP `1.2.3.4`, do it. If they don't mention IPs, leave whitelisting off and compensate with the other defenses on this page (no withdrawal permission, 90-day key rotation, 2FA on the account).

Our current security posture is documented in detail on the security page — including which IPs we publish and which we don't.

Key rotation — every 90 days, no exceptions

API keys are passwords. Passwords get reused, get leaked, get screenshotted, get backed up to the wrong cloud, get pasted in the wrong chat. Treating them as forever-valid is the same mistake that gets people's email accounts compromised in 2026.

Set a calendar reminder for 80 days after creating the key. When the reminder fires, create a new key with the same permissions, update Glimpse with the new credentials, then revoke the old one. This procedure takes about five minutes and forecloses an entire class of compromise.

If you want to be more aggressive — 30 or 60 days — that's fine. The marginal security benefit is real and the cost is one calendar event. Just don't go below 30 days; you'll be doing nothing but rotating.

How to revoke a key in 30 seconds

If you ever suspect a key has been leaked — a laptop was stolen, you pasted credentials in the wrong window, a service had a breach announcement, anything — revoke immediately and don't think about it.

1. Go to bybit.com/app/user/api-management.

2. Find the key by name.

3. Click Delete.

4. Confirm with 2FA.

The key is dead within seconds. Any pending orders the service had open stay on the exchange (Bybit doesn't cancel orders just because the API key that placed them is gone), so review your open positions and close anything you no longer want.

Then create a fresh key, paste the new credentials into Glimpse, and you're back. The whole cycle takes about three minutes including 2FA. There is no excuse for hesitating.

What to do if you suspect a leak

Revoke first, investigate second. The order matters. Even if you're not sure the key is compromised, the cost of revoking and re-creating is a few minutes; the cost of being wrong about whether it was compromised is your account balance.

After revoking, look for unauthorized trades in Bybit's order history. If you see them, contact Bybit support immediately — Bybit can flag the account, help you document the incident, and in some cases reverse fraudulent activity (no guarantee, but they'll try).

Then check the other accounts that might have been part of the same compromise. If your email is leaked, your other exchange logins are at risk too. Change those passwords, rotate any other exchange API keys, and enable 2FA anywhere it isn't already on.

Finally, write down what happened and how. If the leak came from a service Glimpse partners with — or from Glimpse itself — we want to know. Email the address on the security page.

How to connect the key to Glimpse

Once you've created the key with the right permissions, the Glimpse connect screen asks for two strings: the API key and the secret. Paste both, click Connect, and we run a small read-only check to confirm the key works and has the permissions we need (and *not* the ones we don't — if Withdrawal is enabled, we refuse the key and tell you to disable it). The tier you connect under determines what visibility you get beyond copy execution — see pricing for the full breakdown.
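As an added illustration of a link-time policy check like the one described (example code, not Glimpse's own connect logic and not Bybit's API), here is a Python function that takes the permission labels from the key dialog together with the key's creation and expiry dates and decides whether the key is acceptable. The permission names are the dialog labels used in this guide, not Bybit's API enum values (an assumption; map them when reading a real key-info response). The rotation reminder is generalised to 10 days before expiry, which gives the guide's day-80 reminder for a 90-day key; the three keys in the demo are constructed.

```python
from datetime import date, timedelta
from typing import Optional

# Permission labels as this guide describes them in the Bybit dialog.
# Assumption: Bybit's API reports them under different enum names; map accordingly.
REQUIRED = {"Read", "Contract Trading"}
MONEY_MOVING = {"Withdrawal", "Internal Transfer", "Convert"}  # reject outright
UNNEEDED = {"Spot Trading", "Affiliate", "Earn", "Copy Trading (leader)"}  # warn only
MAX_VALIDITY_DAYS = 90
REMINDER_LEAD_DAYS = 10  # day 80 of a 90-day key, as the guide recommends


def check_key_policy(granted, created: date, expires: Optional[date]) -> dict:
    """Decide whether a key's permission set and lifetime fit a copy-trading connection.

    Returns 'accepted', the blocking 'problems', the non-blocking 'warnings',
    and 'rotate_on', the date the owner should put in the calendar.
    """
    granted = set(granted)
    problems, warnings = [], []

    missing = REQUIRED - granted
    if missing:
        problems.append(f"missing required permission(s): {sorted(missing)}")

    dangerous = granted & MONEY_MOVING
    if dangerous:
        problems.append(f"money-moving permission(s) enabled, disable them: {sorted(dangerous)}")

    surplus = granted & UNNEEDED
    if surplus:
        warnings.append(f"unneeded permission(s), consider a separate key: {sorted(surplus)}")

    if expires is None:
        problems.append("no expiry set; choose a 90-day (or shorter) expiry")
        rotate_on = created + timedelta(days=MAX_VALIDITY_DAYS - REMINDER_LEAD_DAYS)
    else:
        validity = (expires - created).days
        if validity > MAX_VALIDITY_DAYS:
            problems.append(f"validity of {validity} days exceeds the {MAX_VALIDITY_DAYS}-day maximum")
        rotate_on = expires - timedelta(days=REMINDER_LEAD_DAYS)

    return {
        "accepted": not problems,
        "problems": problems,
        "warnings": warnings,
        "rotate_on": rotate_on,
    }


def demo():
    """Run the check over three constructed keys: a good one, a withdrawal-enabled one, a no-expiry one."""
    created = date(2026, 5, 25)
    ninety_days = created + timedelta(days=90)
    good = check_key_policy({"Read", "Contract Trading"}, created, ninety_days)
    leaky = check_key_policy({"Read", "Contract Trading", "Withdrawal"}, created, ninety_days)
    forever = check_key_policy({"Read", "Contract Trading", "Spot Trading"}, created, None)
    return good, leaky, forever


if __name__ == "__main__":
    for label, result in zip(("good", "withdrawal", "no-expiry"), demo()):
        print(label, result)
```

Rejecting on any money-moving permission rather than on Withdrawal alone is a deliberate choice: Internal Transfer and Convert cannot take funds off the exchange, but neither is needed for copy trading, and a key that carries only what the service needs is the easiest one to reason about when something goes wrong.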

After the check passes, Glimpse will start mirroring positions on the next signal the bot publishes. The first trade you see will match the public track record tape, sized to your account. If something doesn't match, ask us — the waitlist form also accepts setup questions from existing users.

If you're still deciding between Bybit and Toobit before creating the key, our Bybit vs Toobit comparison breaks down which one fits which user. The full architecture lives on the method page.

Frequently asked questions

Can Glimpse withdraw funds from my Bybit account?
No — and Glimpse actively refuses keys that have withdrawal permissions enabled. The connect screen runs a permission check at link time and rejects any key where Withdrawal is on. This is a deliberate design choice, not a feature you turn off.

What's the difference between Read and Trade permissions?
Read lets the key fetch your balance, positions, and order history. Trade (Contract Trading) lets the key place, modify, and cancel orders. Both are required for copy trading. Neither lets the key move money off the exchange — that's Withdrawal, which stays off.

Should I create a separate API key for each service?
Yes. Don't share a single key across multiple platforms. If one of them gets compromised, you want to revoke just that key without breaking everything else. Naming the keys descriptively (e.g. `glimpse-2026`) makes the panic-revoke faster.

How long should my API key be valid for?
Pick the 90-day expiry option when creating the key. Set a calendar reminder for day 80, rotate to a new key, and delete the old one. No-expiry keys are an unforced security error — at some point you'll forget the key exists, and forgotten keys are how leaks become exploits.

Is IP whitelisting required?
No. It adds defense if the service publishes a static egress IP, but most consumer copy-trade platforms (including the current Glimpse fanout layer) use dynamic IP pools, where whitelisting would block legitimate trades. Compensate with the other defenses: trade-only permissions, key rotation, 2FA.

What if I lose the API secret?
You can't recover it — Bybit shows the secret exactly once at creation. The fix is to delete the key and create a new one. It's a five-minute process. This is a feature, not a bug; recoverable secrets are leakable secrets.

Can I use the same Bybit account for manual trading and Glimpse?
Yes. The API key controls a separate execution channel from the web/mobile interface. Manual trades and copy trades coexist on the same account. Just be aware that the bot's risk caps only apply to its own trades — your manual positions are on you.

What happens to my open positions if I revoke the key?
They stay open. Bybit doesn't auto-close orders just because the API key that placed them is gone — the orders belong to the account, not the key. After revoking, review and close any positions manually if you no longer want them.