If your bot already speaks Binance USD-M Futures, swap one base URL and you're live on BuyCrypt. Our users discover your bot in the leaderboard, try it on a free $1,000 demo account, and graduate to real keys when they're convinced.
No code rewrite. No exchange-specific quirks. Same HMAC-SHA256 signing, same WebSocket user-data stream, same order types — wrapped over our demo trading engine so users can compare bots without putting capital at risk.
Each user that subscribes gets their own demo account with $1,000 virtual balance. Your bot trades it. They watch live PnL, drawdown, win rate. No risk to their real capital — and no acquisition cost to you.
Your bot's own demo account shows up in the public leaderboard with a 🤖 БОТ badge. Users see PnL ranking among real traders. Tap the row, hit "Connect" — instant subscription.
If your bot uses any Binance Futures SDK (binance-connector-python, python-binance, CCXT, etc.), point its base_url at https://api.buycrypt.com/fapi. HMAC, recvWindow, order types — identical.
When a user subscribes, we POST the freshly minted API key + secret to your webhook URL — HMAC-signed, retried on failure with exponential backoff, dead-letter recoverable. You never have to ask the user for credentials.
User opens the leaderboard. Your bot's account appears with a 🤖 БОТ chip next to the username, plus subscriber count. They tap the row.
On the bot's profile page they see "Connect to demo account". One tap creates a new $1,000 demo for them and your bot starts trading on it.
User watches the bot trade their demo for days or weeks. PnL, positions, win rate — all live in the app. If they like it, they enter their real Binance API key inside BuyCrypt to upgrade from demo to production.
The user adds their real Binance API key inside BuyCrypt. We deliver it to your webhook the same way we delivered the demo key — same subscription.created event, just with their production credentials. One integration covers both demo and live flows.
Register a regular BuyCrypt account — same flow as any user. You'll be issued a free demo account with a starting balance the moment you sign up. No application form, no review queue.
Generate API keys right inside the BuyCrypt mobile app: My Profile → API keys → tap your demo account → Generate. You'll get a fresh apiKey + apiSecret shown once — copy them into your bot. Then point your existing Binance USD-M Futures bot at https://api.buycrypt.com/fapi and it just works — same HMAC, same endpoints, same order types.
As soon as we detect API-driven trading on your demo, your account is automatically flagged as a bot. Your demo shows up in the leaderboard with the 🤖 БОТ chip and a public profile, so other users can discover and subscribe to it.
When you're ready to take subscribers, add a webhook URL to your bot profile in settings. Every time a user subscribes — on demo or with real Binance keys — we POST a subscription.created event with the API key + secret for that user's account. Store (userId, apiKey, apiSecret) and start trading on their behalf.
Most Binance Futures SDKs accept a custom base URL. Here's the entire change a typical Python bot needs:
# before — trading on real Binance from binance.um_futures import UMFutures client = UMFutures(key=API_KEY, secret=API_SECRET) # after — trading on a BuyCrypt user's demo from binance.um_futures import UMFutures client = UMFutures( key=API_KEY, secret=API_SECRET, base_url="https://api.buycrypt.com/fapi", # <- the only line that changes ) # everything below is identical to your existing code client.new_order(symbol="BTCUSDT", side="BUY", type="MARKET", quantity=0.01) client.account() client.cancel_open_orders(symbol="BTCUSDT")
CCXT, python-binance, Go's go-binance, JS node-binance-api — all work the same way. Plain requests.get(...).headers["X-MBX-APIKEY"] = key bots also work; HMAC signing rule is byte-identical.
When a BuyCrypt user subscribes to your bot, we generate a per-user API key + secret server-side and POST them to your registered webhook URL. The secret is never returned to the user — it goes to you only, over HTTPS, signed.
TL;DR: sign up → tap «Generate API key» on your demo → generate a webhook secret → run one Python script → admin approves. ~5 minutes.
Open buycrypt.com/terminal (or the mobile app). Sign in via Google or phone. A $1,000 USDT demo account is created automatically — that's the sandbox your bot will trade on.
In the app: Profile → API Keys → tap your demo account → «Bot API keys» → Generate. A dialog shows the apiKey + apiSecret once — copy both, you can't recover the secret afterwards.
# what you'll save API_KEY = "3fc370a4ac94b9aa756e2a97842dc04c" API_SECRET = "3WJ86kV_VQzLWaED3hSRlY9R6wQHh_f3UEZ_q-CrwRU"
Same shape as Binance — your existing USD-M Futures bot library reads it as a regular Binance key with base URL https://api.buycrypt.com/fapi.
A second secret, separate from API_SECRET. We use it to sign the events we POST to your webhook URL — so you can verify the request really came from us. You generate it on your side; we encrypt-store it but never reveal back:
# any of these works — pick one. Save the output. $ openssl rand -hex 32 # macOS / Linux $ python3 -c "import secrets; print(secrets.token_hex(32))" # cross-platform # sample output 8a31c2f4d5e6789abc01234567890def8a31c2f4d5e6789abc01234567890def
Drop your three secrets into one signed POST. Save this as register_bot.py and run it once. Works on any OS with Python 3.10+ and pip install requests:
import hmac, hashlib, time, urllib.parse, requests # ─── fill these in from steps 2 and 3 ───────────────────── API_KEY = "3fc370a4ac94b9aa756e2a97842dc04c" API_SECRET = "3WJ86kV_VQzLWaED3hSRlY9R6wQHh_f3UEZ_q-CrwRU" WEBHOOK_SECRET = "8a31c2f4d5e6789abc01234567890def8a31c2f4d5e6789abc01234567890def" SLUG = "alpha-trader" # lowercase, [a-z0-9-], unique DISPLAY_NAME = "Alpha Trader" # shown to users in the bot list WEBHOOK_URL = "https://your-bot.example.com/buycrypt/hook" # MUST be HTTPS, public # ────────────────────────────────────────────────────────── params = { "slug": SLUG, "displayName": DISPLAY_NAME, "webhookUrl": WEBHOOK_URL, "webhookSecret": WEBHOOK_SECRET, "defaultLeverage": 10, "timestamp": int(time.time() * 1000), } qs = urllib.parse.urlencode(params) sig = hmac.new(API_SECRET.encode(), qs.encode(), hashlib.sha256).hexdigest() r = requests.post( "https://api.buycrypt.com/fapi/v1/bot/profiles", headers={ "X-MBX-APIKEY": API_KEY, "Content-Type": "application/x-www-form-urlencoded", }, data=qs + f"&signature={sig}", ) print(r.status_code, r.json())
Notice no demoKeyPairId — your API_KEY already points to the demo it was generated for. Need to register against a different demo? Generate a separate API key for it (step 2 again).
Expected output:
201 {
"botId": 42,
"slug": "alpha-trader",
"status": "PENDING_REVIEW",
"webhookUrl": "https://your-bot.example.com/buycrypt/hook",
"webhookStatus": "ACTIVE",
"webhookSecretAutoGenerated": false
}
Common errors:
{"code":-2010, "msg":"Slug already in use."} # pick another slug
{"code":-1102, "msg":"webhookSecret must be at least 32..."} # too short — use 32+ chars
{"code":-1022, "msg":"Signature for this request is not valid."} # API_SECRET wrong, or params order changed after signing
{"code":-1003, "msg":"Bot registration rate limit: 1 per hour..."} # wait it out
Bot lands in PENDING_REVIEW. Our admin sees your request immediately and approves it. To check status anytime:
import hmac, hashlib, time, urllib.parse, requests API_KEY = "3fc370a4..." API_SECRET = "3WJ86kV..." qs = urllib.parse.urlencode({"timestamp": int(time.time() * 1000)}) sig = hmac.new(API_SECRET.encode(), qs.encode(), hashlib.sha256).hexdigest() r = requests.get( f"https://api.buycrypt.com/fapi/v1/bot/profiles?{qs}&signature={sig}", headers={"X-MBX-APIKEY": API_KEY}, ) print(r.json()) # [{"botId":42, "status":"ACTIVE", ...}] when approved
Once "status":"ACTIVE": every time a user subscribes we POST to your webhookUrl with the per-subscriber API key your bot will trade with. The events shape and a copy-paste signature-verification snippet are right below this section.
Lost your webhook secret? Pick a new one and rotate (same signing pattern as registration):
params = {
"webhookSecret": NEW_SECRET, # or omit to get backend-generated
"timestamp": int(time.time() * 1000),
}
qs = urllib.parse.urlencode(params)
sig = hmac.new(API_SECRET.encode(), qs.encode(), hashlib.sha256).hexdigest()
requests.post(
"https://api.buycrypt.com/fapi/v1/bot/profiles/42/webhook/rotate-secret",
headers={"X-MBX-APIKEY": API_KEY,
"Content-Type": "application/x-www-form-urlencoded"},
data=qs + f"&signature={sig}",
)
Old secret invalid the second the new one saves. Rate limit: 10 rotations/hour per bot.
subscription.created — user just subscribedPOST https://your-bot.example.com/buycrypt/hook Content-Type: application/json User-Agent: BuyCrypt-Webhook/1.0 X-BuyCrypt-Event: subscription.created X-BuyCrypt-Delivery-Id: 7f3b2e8c-a4d1-4f12-93b8-0c1e9f8d2a4b # dedup key — store + reject duplicates X-BuyCrypt-Timestamp: 1745605200123 # ms epoch when payload was built X-BuyCrypt-Signature: 5e8c2d… # hex(HMAC-SHA256(webhookSecret, ts + "." + body)) { "event": "subscription.created", "deliveryId": "7f3b2e8c-a4d1-4f12-93b8-0c1e9f8d2a4b", "timestamp": 1745605200123, "data": { "subscriptionId": 42, "botProfileId": 7, "subscriberHandle": "user_fb_uid_a", "apiKey": "3fc370a4ac94b9aa756e2a97842dc04c", "apiSecret": "3WJ86kV_VQzLWaED3hSRlY9R6wQHh_f3UEZ_q-CrwRU", "demoKeyPairId": 9001, "initialBalance": "1000.00000000", "permissions": "READ_TRADE", "ipWhitelist": "", "createdAt": "2026-04-25T18:00:00Z" } }
subscription.deleted — user disconnected, key disabledX-BuyCrypt-Event: subscription.disconnected { "event": "subscription.disconnected", "deliveryId": "…", "timestamp": …, "data": { "subscriptionId": 42, "botProfileId": 7, "apiKey": "3fc370a4…", "reason": "USER_UNSUBSCRIBED", "disconnectedAt": "2026-04-25T18:30:00Z" } }
secret.regenerated — admin rotated your webhook secretX-BuyCrypt-Event: secret.regenerated { "event": "secret.regenerated", "deliveryId": "…", "timestamp": …, "data": { "subscriptionId": 42, "apiKey": "3fc370a4…", "newApiSecret": "new_plaintext_keep_old_valid_24h", "oldSecretValidUntil": "2026-04-26T18:00:00Z" } }
Use the raw request body bytes — DO NOT parse JSON first and re-serialize, you'll lose key order and signatures will diverge. Always compare in constant time.
# Python (FastAPI / Flask) import hmac, hashlib, time WEBHOOK_SECRET = "whsec_aGVsbG8gd29ybGQ_..." # whsec_…43 chars def verify(headers, body_bytes): sig = headers["X-BuyCrypt-Signature"] ts = int(headers["X-BuyCrypt-Timestamp"]) # anti-replay: reject if too old if abs(time.time() * 1000 - ts) > 5 * 60 * 1000: return False payload = f"{ts}.".encode() + body_bytes expected = hmac.new(WEBHOOK_SECRET.encode(), payload, hashlib.sha256).hexdigest() return hmac.compare_digest(expected, sig)
// Node.js / Express — read RAW body, not parsed JSON const crypto = require('crypto'); const SECRET = 'whsec_aGVsbG8gd29ybGQ_...'; app.post('/buycrypt/hook', express.raw({ type: 'application/json' }), // raw, not json()! (req, res) => { const sig = req.headers['x-buycrypt-signature']; const ts = parseInt(req.headers['x-buycrypt-timestamp'], 10); if (Math.abs(Date.now() - ts) > 5 * 60 * 1000) return res.status(401).end(); const expected = crypto.createHmac('sha256', SECRET) .update(`${ts}.`).update(req.body).digest('hex'); if (!crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(sig))) { return res.status(401).end(); } // req.body is a Buffer here — JSON.parse(req.body.toString('utf8')) res.sendStatus(200); });
6 attempts with exponential backoff: 1m, 5m, 30m, 2h, 6h, 12h. After all 6 fail, the event lands in our dead-letter table and an admin can replay it.
If your endpoint fails 10 times in a row, we mark it disabled and stop sending events. Contact us to re-enable. Prevents a dead bot from blocking new subscribers indefinitely.
Every body is HMAC-SHA256 signed with the secret we shared at registration. Verify in constant time before trusting the payload. Examples in our partner guide.
Base URL: https://api.buycrypt.com/fapi. Auth: X-MBX-APIKEY header + HMAC-SHA256 signature on signed endpoints. Recv window: 5,000 ms default, 60,000 ms max.
{}.MARKET, LIMIT, STOP_MARKET, TAKE_PROFIT_MARKET, STOP, TAKE_PROFIT (limit-flavor), TRAILING_STOP_MARKET. Flags: reduceOnly, closePosition, timeInForce (GTC/IOC/FOK), newClientOrderId for idempotency, workingType, callbackRate.orderId or origClientOrderId.{dualSidePosition: false}.ORDER_TRADE_UPDATE, ACCOUNT_UPDATE, MARGIN_CALL. Same payload shape as Binance.subscribe/unsubscribe/list_subscriptions control messages — passthrough to upstream Binance.X-MBX-USED-WEIGHT-1M, X-MBX-ORDER-COUNT-10S, Retry-After on 429.Retry-AfterNo application form, no review queue, no integration fees. Sign up like any user, generate API keys in the mobile app, point your bot at https://api.buycrypt.com/fapi — that's the entire onboarding.