Getting Started

We welcome trading robots, order-following platforms, strategy software providers, and other organizations to take advantage of the rich trading currency pairs and liquidity of the BitMart platform, as well as the ease of use of the API brokers themselves, to attract investors to trade on our marketplace through the trading tools they provide. We will give those API Brokers who bring in order volume a rebate on their trading fees.

Apply to be an API Broker

If you need advice on other matters, please contact

Telegram: BM Institution/VIP

Email: [email protected]

Access Process


Steps Description
1、Open API brokerage institutional account 1.API brokers need to register with BitMart and pass the audit.
2.BitMart will assign a BrokerID to the institution and set parameters such as rebate length, rebate percentage, additional incentives for new users, etc.
3.After settlement, all rebates will be credited to the API broker's spot wallet in BitMart.
2、User registration for BitMart account 1.Users need to register a BitMart account and pass at least the personal LV1 KYC.
2.Users should generate an API Key with spot trading privileges and read-only privileges on the API page (the specific benefits are based on the requirements in the trading robot documentation).
3、User binding deployment API to the tools platform provided by API brokers According to the specific needs of the API broker, the user binds the BitMart API to the tools provided by the API broker, connects to the BitMart market, and performs operations such as market information inquiry, trade order placement, and order inquiry through the tools provided by the API broker.
4、API brokers send orders to BitMart When an API broker sends an order request instead of a user, the order must carry the user's APIKey+BrokerID to identify that the order was placed through a specific API broker.
5、BitMart rebates to the API broker's account opened in BitMart 1.When an order is received and filled, BitMart must split the transaction fee (including BMX credit, etc.) and rebate it to the API broker's spot wallet account.
2.It is necessary to determine whether the user who placed the order has an inviter or not. If there is an affiliate rebate, then no refund will be given to the API broker.
6、API brokers check rebate details and statements through a particular API Check rebate details and customer orders according to the dedicated API brokerage interface provided by BitMart.

Spot Endpoints

Get Rebate Records (KEYED)

Applicable to query API Broker's rebate records

Request URL


Request Limit

See Detailed Rate Limit

Request Parameter


curl -H 'X-BM-KEY:{{AccessKey}}'
Field Type Required? Description
start_time long No Query start time stamp, if neither is filled in, then return the last 180 days of records
end_time long No Query end time stamp, if neither is filled in, then return the last 180 days of records

Response Data


Field Type Description
rebates string Daily rebate list
currency string Rebate currency
rebate_amount string Rebate amount

Error Code

Restful Error Code

List of global HTTP return codes

HTTP Description
404 Not Found-The requested interface could not be found
403 Forbidden-No permission to access the resource (KEY may not have permission, or it may be IP restrictions)
401 Unauthorized-Authentication failed (there are problems with the 3 header parameters, failed)
500 Internal Server Error-Server exception, BitMart service problem

Authentication Error Code

Example: httpStatus:200, body:{"code": 1000, "message": "OK", "trace": "12323-3243242-34334534-4353","data":{}}

error message code error code http status code
Not found 30000 404
Header X-BM-KEY is empty 30001 401
Header X-BM-KEY not found 30002 401
Header X-BM-KEY has frozen 30003 401
Header X-BM-SIGN is empty 30004 401
Header X-BM-SIGN is wrong 30005 401
Header X-BM-TIMESTAMP is empty 30006 401
Header X-BM-TIMESTAMP range. Within a minute 30007 401
Header X-BM-TIMESTAMP invalid format 30008 401
IP is forbidden. We recommend enabling IP whitelist for API trading. After that reauth your account 30010 403
Header X-BM-KEY over expire time 30011 403
Header X-BM-KEY is forbidden to request it 30012 403
Request too many requests 30013 429
Service unavailable 30014 503

API Broker Error Code

Example: httpStatus:200, body:{"code": 1000,"trace":"886fb6ae-456b-4654-b4e0-d681ac05cea1","message": "OK","data": {}}

error message code error code http status code
OK 1000 200
Bad Request 50000 400
Out of query time range 50041 400
You do not have permission to access the interface 53005 403
Method Not Allowed 57001 405
Unsupported Media Type 58001 415
Internal Server Error 59002 500

Questions And Answers

This is the Q&A section. If you cannot find answer to your question, please join us Telegram API Group in time.


1. How to apply for APIKEY?

API application site:

After successful application on the website, please keep your access key, secret key and memo.

2. Can I retrieve the secret key of API KEY?

No, you will need to create new APIKEY.

3. Is there any risk of authorizing API KEY to a third party?

This will create some risk, and it is recommended to keep it yourself for account security.

4. Can I apply for API KEY without binding my phone or Google?

No, you must bind more than 2 security items to apply for API KEY.

5. When creating an API KEY, do I have to bind an IP address?

It is not necessary. The option to bind IP when applying for API KEY is optional, but in order to increase the security of user accounts, it is recommended to bind the IP address.

6. Will different API KEY in the same account return different data?

Different API KEY data under the same account is the same.

7. How many API KEY can I apply for in one account?

Each account can create 5 sets of Api Keys, and each Api Key can be set correspondingly to various combination permissions such as cash Withdraw, Spot-trade, and Contract-trade.

8. How to fill information in when applying for APIKEY?

Fill in according to the prompt on the web page, and the memo can be filled in at will by the user; the secret key must be remembered, and it will be used when calling the API interface; binding IP is not required, but it is recommended for account security; API permissions can be checked based on user needs.

9. What is memo?

Memo is provided by users themselves. It will be used in the signing of the interface.

Authentication Q&A

1. What is the maximum difference between the timestamp parameter of the request interface and the time to reach the server?

Requests that differ by more than 1 minute between the timestamp and the API server time will be considered expired by the system and rejected. If there is a large time deviation between the user server and the API server, it is recommended that the user use the "Get Server Time" interface to query the API server time.

2. How to solve error "The request header "X-BM-TIMESTAMP" cannot be empty", which occurs from time to time?

First of all, it is recommended that the user print out whether the request header parameter X-BM-TIMESTAMP has a value. In addition, it is recommended that the user code be optimized. Before each request, determine whether X-BM-TIMESTAMP is empty.

3. What is the time used as the timestamp in the API?

UTC 0 timestamp。

4. Why does signature authentication always return invalid signatures?

Caused by incorrect signatures:

You can use the following SDK, the signature part has been packaged, you can directly debug and call:

If you are writing your own signature function, please refer to the following description step by step:

The request header of X-BM-SIGN is obtained by encrypting the timestamp + "#" + memo + "#" + queryString, and the secret key using the HMAC SHA256 method.

When checking, you can print out the request header information and the pre-signature string, focusing on the following points:

Whether the APIKey is correctly configured in the code

Your KEY is as follows:

API_KEY = "80618e45710812162b04892c7ee5ead4a3cc3e56";

API_SECRET = "6c6c98544461bbe71db2bca4c6d7fd0021e0ba9efc215f9c6ad41852df9d9df9";

API_MEMO = "test001";

Please confirm that the settings are correct:

Content-Type: application/json

X-BM-KEY: 80618e45710812162b04892c7ee5ead4a3cc3e56

Check whether the string before signing conforms to the standard format, the order of all elements must be consistent, you can use the following example to compare with your string before signing:


    echo -n '1589267764859#test001#contract_id=1&category=1' | openssl dgst -sha256 -hmac "6c6c98544461bbe71db2bca4c6d7fd0021e0ba9efc215f9c6ad41852df9d9df9"
  (stdin)= 6d5e774446448073f68e99c28ace86503451bed1fd44e43f80b9b518937c4ef1
  Host: {{host}}/v1
  Content-Type: application/json
  X-BM-KEY: 80618e45710812162b04892c7ee5ead4a3cc3e56
  X-BM-SIGN: 6d5e774446448073f68e99c28ace86503451bed1fd44e43f80b9b518937c4ef1
  X-BM-TIMESTAMP: 1589267764859

GET Example: Request address is {{host}}/v1?contract_id=1&category=1, the current timestamp=1589267764859, so queryString=1589267764859#test001#contract_id=1&category=1


    echo -n '1589267764859#test001#{"contract_id":1,"category":1,"way":1,"open_type":1,"leverage":10,"custom_id":1,"price":5000,"vol":10,"nonce":1589267764}' | openssl dgst -sha256 -hmac "6c6c98544461bbe71db2bca4c6d7fd0021e0ba9efc215f9c6ad41852df9d9df9"
  (stdin)= 595a00aa2ecbd2f7e857909497e3aa8b222da6b6055411c7f4dfce0e7dc6c6ae
  HOST: {{host}}/v1
  Body: {"contract_id":1,"category":1,"way":1,"open_type":1,"leverage":10,"custom_id":1,"price":5000,"vol":10,"nonce":1589267764}
  Content-Type: application/json
  X-BM-KEY: 80618e45710812162b04892c7ee5ead4a3cc3e56
  X-BM-SIGN: 595a00aa2ecbd2f7e857909497e3aa8b222da6b6055411c7f4dfce0e7dc6c6ae
  X-BM-TIMESTAMP: 1589267764859

POST Example: Request address is {{host}}/v1?contract_id=1&category=1, the current timestamp=1589267764859, so queryString=1589267764859#test001#{"contract_id":1,"category":1,"way":1,"open_type":1,"leverage":10,"custom_id":1,"price":5000,"vol":10,"nonce":1589267764}

Rate Limit Q&A

1.Is there a limit to how often the API is called per second?

There are limits, specific can see the menu bar 'Rate Limit' in each interface access frequency limit.

2."why do I have to complete a CAPTCHA?" comes up on the call

This time, the IP was intercepted because it was accessed too much from a different environment and was considered an attack by the system. It is recommended that you do not share IP and that applications be accessed using a separate IP.Second, use the browser to call the interface and select 'I am Human' to submit to unrestrict as prompted on the page.


3.How is the HTTP status code 429 created?

The request interface exceeds the access frequency limit. It is recommended to reduce the access frequency.

4.Will API call interfaces be blocked if they exceed the access frequency? How long letter?

No, just reduce the access frequency.

5.Access interface error overclocking, how to solve?

Reduce the frequency of access. Each interface of the document has a frequency description. You need to lower the request frequency to the frequency description.