The core workflow for applying for a Binance API consists of four steps: completing KYC L2 verification, accessing the API Management page via the Binance Official Website, creating your key, and setting up an IP whitelist. Once configured, you can call the API in your code using HMAC-SHA256 signatures. The entire process takes approximately 15 minutes. Keys are available immediately after creation, and there are no monthly fees. If you haven't installed the Binance mobile app for 2FA management yet, you can fetch the Android version via the Binance Official APP; iPhone users should refer to the iOS Setup Guide. This article is divided into seven sections covering application, signatures, error handling, and rate-limiting strategies, with full code examples in Python and Node.js.
I. Prerequisites for Applying for a Binance API Key
1. Complete KYC L2 Verification
Binance API requires accounts to have at least L2 Intermediate Identity Verification (ID submission + facial recognition). Accounts with only L1 Basic verification cannot create API keys. L2 verification is typically reviewed within 24 hours.
2. Enable 2FA (Mandatory)
2FA verification is required during the API key creation process. If you haven't bound an authenticator yet, go to Security Center → Two-Factor Authentication → Google Authenticator to complete the setup.
3. Deposits or Holdings are Not Mandatory
You can create an API key even with a zero balance, allowing you to prepare your keys before depositing funds.
II. Creating an API Key (5 Steps)
Step 1: Access the API Management Page
Log in to the Binance Official Website → Click your avatar in the top right → API Management. The direct URL is binance.com/en/my/settings/api-management.
Step 2: Select Key Type
Binance offers two types of API keys:
| Type | Purpose | Recommended For |
|---|---|---|
| System generated | System-generated key pair | Recommended for 90% of users; simple and stable. |
| Self-generated | You provide an Ed25519 public key | Advanced users; the secret key never leaves your machine. |
Beginners should choose System generated.
Step 3: Enter a Key Label
Give your key a label (name) for easier management later. For example:
python-grid-bot— Grid trading botnodejs-monitor— Price monitoring scriptquantitative-strategy-v2— Quantitative strategy v2
Labels are only visible to you; Binance does not distinguish keys based on labels.
Step 4: Pass 2FA Verification
Enter:
- The 6-digit code sent to your email.
- The 6-digit code sent via SMS.
- The 6-digit dynamic code from Google Authenticator.
Once all three codes are verified, the key generation is complete.
Step 5: Save the Secret Key (Critical)
The key page will display:
- API Key: Permanently visible; you can always return to check it.
- Secret Key: Displayed only once. You will never see it again after closing the page.
You must immediately copy the Secret Key to a secure local location (such as a password manager or encrypted note), otherwise you will have to delete and recreate the key.
III. Configuring Key Permissions and IP Whitelist
By default, all permissions are disabled after creation. You must enable them manually:
Permission Options
| Permission | Purpose | Risk Level |
|---|---|---|
| Enable Reading | Query balance, orders, and market data | Low |
| Enable Spot & Margin Trading | Place spot/margin orders | Medium |
| Enable Futures | Place futures orders | High |
| Enable Withdrawals | Withdraw funds (requires an IP whitelist) | Extreme |
| Permits Universal Transfer | Transfer funds between internal accounts | Medium |
Security Recommendation: Only enable the permissions you absolutely need. For market data, only check Enable Reading. For spot trading, check Enable Reading + Enable Spot & Margin Trading. Never enable "Enable Withdrawals" unless it is strictly necessary.
IP Whitelist (Highly Recommended)
On the key settings page, enter the IP addresses of the servers allowed to use this key (up to 30). Once configured, only requests from these IPs can operate the account using this key.
If your server uses a dynamic IP (e.g., home broadband), you can select Unrestricted (Less Secure). However, permissions will be downgraded—Enable Withdrawals cannot be enabled on unrestricted keys, which is a mandatory security rule from Binance.
IV. Generating Signatures to Call the API
In the Binance REST API, all requests involving account operations require a signature. The signing algorithm used is HMAC-SHA256.
Signing Rules
Signature Content = A string of all request parameters URL-encoded and joined with &.
For example, for the account balance endpoint:
GET /api/v3/account
Parameters: timestamp=1712876400000
Signature Content: timestamp=1712876400000
Signature: HMAC_SHA256(secret_key, "timestamp=1712876400000")
Final Request:
GET /api/v3/account?timestamp=1712876400000&signature=<calculated_signature>
Header: X-MBX-APIKEY: <your_API_Key>
Python Example
import hmac, hashlib, time, requests
API_KEY = "Your_API_Key"
SECRET_KEY = "Your_Secret_Key"
BASE_URL = "https://api.binance.com"
def sign(params: dict) -> str:
query = "&".join([f"{k}={v}" for k, v in params.items()])
return hmac.new(SECRET_KEY.encode(), query.encode(), hashlib.sha256).hexdigest()
def get_account():
params = {"timestamp": int(time.time() * 1000)}
params["signature"] = sign(params)
headers = {"X-MBX-APIKEY": API_KEY}
r = requests.get(f"{BASE_URL}/api/v3/account", params=params, headers=headers)
return r.json()
print(get_account())
Node.js Example
const crypto = require('crypto');
const axios = require('axios');
const API_KEY = 'Your_API_Key';
const SECRET_KEY = 'Your_Secret_Key';
const BASE_URL = 'https://api.binance.com';
function sign(params) {
const query = Object.keys(params).map(k => `${k}=${params[k]}`).join('&');
return crypto.createHmac('sha256', SECRET_KEY).update(query).digest('hex');
}
async function getAccount() {
const params = { timestamp: Date.now() };
params.signature = sign(params);
const r = await axios.get(`${BASE_URL}/api/v3/account`, {
params,
headers: { 'X-MBX-APIKEY': API_KEY }
});
return r.data;
}
getAccount().then(console.log);
V. Rate Limiting and Weight
The Binance API uses Weight to control the frequency of calls:
| Item | Default Limit |
|---|---|
| Max Weight per Minute | 6000 |
| Max Orders per 10 Seconds | 100 |
| Max Orders per Day | 200,000 |
| Max Subscriptions per WebSocket Connection | 1024 |
| Max WebSocket Connections per IP | 300 |
Weights for Common Endpoints:
GET /api/v3/ticker/price— Weight: 1GET /api/v3/depth— Weight: 1-50 (depending on thelimitparameter)GET /api/v3/account— Weight: 10POST /api/v3/order— Weight: 1 (but counts toward the order frequency limit)
Response headers return current weight status:
X-MBX-USED-WEIGHT-1m: Weight used within the current minute.X-MBX-ORDER-COUNT-10s: Number of orders placed within the current 10 seconds.
Exceeding the weight limit results in a 429 Too Many Requests error. Serious violations may return a 418 error and a temporary IP ban (ranging from 2 minutes to 3 days).
VI. Common Errors and Solutions
Error: -1022 Signature for this request is not valid
Cause: Incorrect signature. Most often due to mismatched parameter order or incorrect URL encoding. Solution:
- Ensure the string used for signing is identical to the query string in the request.
- Do not enclose numeric parameters in quotes (e.g.,
timestamp=1712876400000nottimestamp="1712876400000"). - Apply correct URL encoding for special characters.
Error: -1021 Timestamp for this request was 1000ms ahead of the server's time
Cause: Local time differs from the Binance server time by more than 1 second. Solution:
- Sync your local system time (NTP).
- Add the
recvWindow=10000parameter to your request to increase the tolerance to 10 seconds. - For servers in mainland China, use
time.windows.comorntp.aliyun.com.
Error: -2014 API-key format invalid
Cause: Incorrect API key string. Solution: Check for extra spaces or newlines when copying. The key should be a 64-character alphanumeric string.
Error: -1003 Too many requests; current limit is X requests per minute
Cause: Exceeded the weight limit. Solution:
- Reduce call frequency or combine requests (e.g., use
/api/v3/ticker/24hrto fetch all pairs at once). - Use WebSockets for real-time data to reduce REST calls.
- Wait 1 minute and retry.
VII. API Security Best Practices
- Never expose your Secret Key in frontend code — Frontends should call your own backend, which then interacts with the Binance API.
- Exclude key files in .gitignore — Prevent keys from being scanned by bots if pushed to GitHub.
- Use an IP Whitelist in production — Only allow requests from your specific server IPs.
- Rotate keys regularly — Manually delete and recreate keys every 6 months.
- Monitor for abnormal calls — Check daily usage statistics on the API Management page and deactivate keys if anomalies are found.
Common Questions FAQ
Q1: Is the Binance API key free?
A: Yes, it is completely free. Binance does not charge for API calls (only trading fees apply when orders are filled), and no deposit is required to create a key. However, each account is limited to a maximum of 30 API keys.
Q2: Are trading fees lower when using the API?
A: Not automatically. Fees depend on your VIP level and BNB holdings, applying the same rate schedule whether trading manually or via API. However, APIs are ideal for high-frequency trading where precise execution is key.
Q3: Can I simulate trades in a test environment?
A: Yes. Binance provides a Spot Testnet and a Futures Testnet where you can practice API calls with test funds without affecting your real account.
Q4: Is it better to use a library like CCXT or call the API directly?
A: It depends. CCXT is excellent for projects requiring multi-exchange support, as it handles signing and parameter normalization. Direct API calls are better for Binance-only, performance-sensitive scenarios where minimal abstraction is preferred. Beginners should start with CCXT and switch to native calls if needed.
Q5: What should I do if my API key is stolen?
A: Immediately delete the key on the Binance API Management page (deletion takes effect in seconds). Then, check your recent trade and withdrawal history, and contact support if you find anomalies. If "Enable Withdrawals" was not checked, the attacker can only place orders and cannot withdraw funds, typically limiting the loss. For detailed procedures, see the [Risk Control](/en/vault/Risk Control/) category.
Need to know how to handle account risk control? Return to the [Category Navigation](/en/vault/Risk Control/) and select "Risk Control" for the full procedure.