Idan bot ɗinku ya riga ya yi magana da Binance USD-M Futures, canza base URL guda ɗaya kawai kuma za ku fara aiki a BuyCrypt. Masu amfaninmu suna gano bot ɗinku a cikin Manyan 'Yan Kasuwa, su gwada shi a asusun demo na kyauta na $1,000, sannan su koma zuwa maɓallan gaske idan sun gamsu.
Babu sake rubuta code. Babu wata matsala ta musaya. Irin wannan sa hannun HMAC-SHA256, irin wannan WebSocket user-data stream, irin wannan nau'ikan oda — an nade shi bisa injin cinikin demo namu domin masu amfani su iya kwatanta bots ba tare da sanya babban jari cikin haɗari ba.
Kowane mai amfani da ya biya kuɗi yana samun asusun demo nasa da ma'auni na kama-da-wane na $1,000. Bot ɗinku yana yin ciniki da shi. Suna kallon PnL kai-tsaye, drawdown, da adadin nasara. Babu haɗari ga babban jarinsu na gaske — kuma babu kuɗin samun abokin ciniki a gare ku.
Asusun demo na bot ɗinku yana bayyana a cikin Manyan 'Yan Kasuwa na jama'a tare da alamar 🤖 БОТ. Masu amfani suna ganin matsayin PnL a tsakanin 'yan kasuwa na gaske. Danna layin, danna "Haɗa" — biyan kuɗi nan take.
Idan bot ɗinku yana amfani da kowane Binance Futures SDK (binance-connector-python, python-binance, CCXT, da sauransu), sa base_url ɗinsa ya nufi https://api.buycrypt.com/fapi. HMAC, recvWindow, nau'ikan oda — daidai suke.
Lokacin da mai amfani ya biya kuɗi, muna POST sabon maɓallin API + sirri zuwa webhook URL ɗinku — an sa hannu da HMAC, ana sake gwadawa idan ya kasa da exponential backoff, kuma ana iya dawo da shi daga dead-letter. Ba za ku taɓa buƙatar tambayar mai amfani game da bayanan shiga ba.
Mai amfani yana buɗe Manyan 'Yan Kasuwa. Asusun bot ɗinku yana bayyana tare da alamar 🤖 БОТ kusa da sunan mai amfani, tare da adadin masu biyan kuɗi. Suna danna layin.
A shafin bayanin bot suna ganin "Haɗa zuwa asusun demo". Dannawa ɗaya yana ƙirƙirar sabon demo na $1,000 gare su kuma bot ɗinku yana fara ciniki a kansa.
Mai amfani yana kallon bot yana ciniki da demo ɗinsu na kwanaki ko makonni. PnL, matsayi, adadin nasara — duk kai-tsaye a cikin manhaja. Idan suna so, sai su shigar da maɓallin API na Binance na gaske a cikin BuyCrypt domin haɓaka daga demo zuwa production.
Mai amfani yana ƙara maɓallin API na Binance na gaske a cikin BuyCrypt. Muna isar da shi zuwa webhook ɗinku kamar yadda muka isar da maɓallin demo — irin wannan taron subscription.created, kawai da bayanan shiga na production nasu. Haɗi guda ɗaya yana rufe duka tsarin demo da na gaske.
Yi rajistar asusun BuyCrypt na yau da kullun — irin wannan tsari kamar kowane mai amfani. Za a ba ku asusun demo na kyauta tare da ma'auni na farawa da zarar kun yi rajista. Babu fom ɗin nema, babu jerin bita.
Ƙirƙiri maɓallan API kai-tsaye a cikin manhajar wayar hannu ta BuyCrypt: My Profile → API keys → danna asusun demo ɗinku → Generate. Za ku samu sabon apiKey + apiSecret da za a nuna sau ɗaya kawai — kwafi su zuwa bot ɗinku. Sannan sa bot ɗinku na Binance USD-M Futures da ake da shi ya nufi https://api.buycrypt.com/fapi kuma zai yi aiki kawai — irin wannan HMAC, irin waɗannan endpoints, irin waɗannan nau'ikan oda.
Da zarar mun gano ciniki mai tuki ta API a demo ɗinku, ana yiwa asusunku alama kai-tsaye a matsayin bot. Demo ɗinku yana bayyana a Manyan 'Yan Kasuwa tare da alamar 🤖 БОТ da bayanin martaba na jama'a, don sauran masu amfani su iya gano su biya masa kuɗi.
Lokacin da kuke shirye don karɓar masu biyan kuɗi, ƙara webhook URL zuwa bayanin martabar bot ɗinku a cikin saituna. Duk lokacin da mai amfani ya biya — akan demo ko da maɓallan Binance na gaske — muna POST taron subscription.created tare da maɓallin API + sirri na asusun wannan mai amfani. Ajiye (userId, apiKey, apiSecret) kuma ku fara ciniki a madadinsu.
Yawancin Binance Futures SDK suna karɓar base URL na musamman. Ga cikakkiyar canjin da bot na Python na yau da kullun yake bukata:
# before — trading on real Binance from binance.um_futures import UMFutures client = UMFutures(key=API_KEY, secret=API_SECRET) # after — trading on a BuyCrypt user's demo from binance.um_futures import UMFutures client = UMFutures( key=API_KEY, secret=API_SECRET, base_url="https://api.buycrypt.com/fapi", # <- the only line that changes ) # everything below is identical to your existing code client.new_order(symbol="BTCUSDT", side="BUY", type="MARKET", quantity=0.01) client.account() client.cancel_open_orders(symbol="BTCUSDT")
CCXT, python-binance, Go's go-binance, JS node-binance-api — duk suna aiki iri ɗaya. Bots masu amfani da kai-tsaye da requests.get(...).headers["X-MBX-APIKEY"] = key suma suna aiki; ka'idar sa hannu ta HMAC iri ɗaya ce daidai gwargwado (byte-identical).
Lokacin da mai amfani da BuyCrypt ya biya kuɗi zuwa bot ɗinku, muna samar da maɓallin API + sirri na kowane mai amfani a sabar sannan mu POST su zuwa webhook URL ɗinku da aka yi rijista. Ba a taɓa mayar da sirrin ga mai amfani ba — yana zuwa gare ku kaɗai, ta HTTPS, tare da sa hannu.
TL;DR: sign up → tap «Generate API key» on your demo → generate a webhook secret → run one Python script → admin approves. ~5 minutes.
Open buycrypt.com/terminal (or the mobile app). Sign in via Google or phone. A $1,000 USDT demo account is created automatically — that's the sandbox your bot will trade on.
In the app: Profile → API Keys → tap your demo account → «Bot API keys» → Generate. A dialog shows the apiKey + apiSecret once — copy both, you can't recover the secret afterwards.
# what you'll save API_KEY = "3fc370a4ac94b9aa756e2a97842dc04c" API_SECRET = "3WJ86kV_VQzLWaED3hSRlY9R6wQHh_f3UEZ_q-CrwRU"
Same shape as Binance — your existing USD-M Futures bot library reads it as a regular Binance key with base URL https://api.buycrypt.com/fapi.
A second secret, separate from API_SECRET. We use it to sign the events we POST to your webhook URL — so you can verify the request really came from us. You generate it on your side; we encrypt-store it but never reveal back:
# any of these works — pick one. Save the output. $ openssl rand -hex 32 # macOS / Linux $ python3 -c "import secrets; print(secrets.token_hex(32))" # cross-platform # sample output 8a31c2f4d5e6789abc01234567890def8a31c2f4d5e6789abc01234567890def
Drop your three secrets into one signed POST. Save this as register_bot.py and run it once. Works on any OS with Python 3.10+ and pip install requests:
import hmac, hashlib, time, urllib.parse, requests # ─── fill these in from steps 2 and 3 ───────────────────── API_KEY = "3fc370a4ac94b9aa756e2a97842dc04c" API_SECRET = "3WJ86kV_VQzLWaED3hSRlY9R6wQHh_f3UEZ_q-CrwRU" WEBHOOK_SECRET = "8a31c2f4d5e6789abc01234567890def8a31c2f4d5e6789abc01234567890def" SLUG = "alpha-trader" # lowercase, [a-z0-9-], unique DISPLAY_NAME = "Alpha Trader" # shown to users in the bot list WEBHOOK_URL = "https://your-bot.example.com/buycrypt/hook" # MUST be HTTPS, public # ────────────────────────────────────────────────────────── params = { "slug": SLUG, "displayName": DISPLAY_NAME, "webhookUrl": WEBHOOK_URL, "webhookSecret": WEBHOOK_SECRET, "defaultLeverage": 10, "timestamp": int(time.time() * 1000), } qs = urllib.parse.urlencode(params) sig = hmac.new(API_SECRET.encode(), qs.encode(), hashlib.sha256).hexdigest() r = requests.post( "https://api.buycrypt.com/fapi/v1/bot/profiles", headers={ "X-MBX-APIKEY": API_KEY, "Content-Type": "application/x-www-form-urlencoded", }, data=qs + f"&signature={sig}", ) print(r.status_code, r.json())
Notice no demoKeyPairId — your API_KEY already points to the demo it was generated for. Need to register against a different demo? Generate a separate API key for it (step 2 again).
Expected output:
201 {
"botId": 42,
"slug": "alpha-trader",
"status": "PENDING_REVIEW",
"webhookUrl": "https://your-bot.example.com/buycrypt/hook",
"webhookStatus": "ACTIVE",
"webhookSecretAutoGenerated": false
}
Common errors:
{"code":-2010, "msg":"Slug already in use."} # pick another slug
{"code":-1102, "msg":"webhookSecret must be at least 32..."} # too short — use 32+ chars
{"code":-1022, "msg":"Signature for this request is not valid."} # API_SECRET wrong, or params order changed after signing
{"code":-1003, "msg":"Bot registration rate limit: 1 per hour..."} # wait it out
Bot lands in PENDING_REVIEW. Our admin sees your request immediately and approves it. To check status anytime:
import hmac, hashlib, time, urllib.parse, requests API_KEY = "3fc370a4..." API_SECRET = "3WJ86kV..." qs = urllib.parse.urlencode({"timestamp": int(time.time() * 1000)}) sig = hmac.new(API_SECRET.encode(), qs.encode(), hashlib.sha256).hexdigest() r = requests.get( f"https://api.buycrypt.com/fapi/v1/bot/profiles?{qs}&signature={sig}", headers={"X-MBX-APIKEY": API_KEY}, ) print(r.json()) # [{"botId":42, "status":"ACTIVE", ...}] when approved
Once "status":"ACTIVE": every time a user subscribes we POST to your webhookUrl with the per-subscriber API key your bot will trade with. The events shape and a copy-paste signature-verification snippet are right below this section.
Lost your webhook secret? Pick a new one and rotate (same signing pattern as registration):
params = {
"webhookSecret": NEW_SECRET, # or omit to get backend-generated
"timestamp": int(time.time() * 1000),
}
qs = urllib.parse.urlencode(params)
sig = hmac.new(API_SECRET.encode(), qs.encode(), hashlib.sha256).hexdigest()
requests.post(
"https://api.buycrypt.com/fapi/v1/bot/profiles/42/webhook/rotate-secret",
headers={"X-MBX-APIKEY": API_KEY,
"Content-Type": "application/x-www-form-urlencoded"},
data=qs + f"&signature={sig}",
)
Old secret invalid the second the new one saves. Rate limit: 10 rotations/hour per bot.
subscription.created — mai amfani ya kawai biyaPOST https://your-bot.example.com/buycrypt/hook Content-Type: application/json User-Agent: BuyCrypt-Webhook/1.0 X-BuyCrypt-Event: subscription.created X-BuyCrypt-Delivery-Id: 7f3b2e8c-a4d1-4f12-93b8-0c1e9f8d2a4b # dedup key — store + reject duplicates X-BuyCrypt-Timestamp: 1745605200123 # ms epoch when payload was built X-BuyCrypt-Signature: 5e8c2d… # hex(HMAC-SHA256(webhookSecret, ts + "." + body)) { "event": "subscription.created", "deliveryId": "7f3b2e8c-a4d1-4f12-93b8-0c1e9f8d2a4b", "timestamp": 1745605200123, "data": { "subscriptionId": 42, "botProfileId": 7, "subscriberHandle": "user_fb_uid_a", "apiKey": "3fc370a4ac94b9aa756e2a97842dc04c", "apiSecret": "3WJ86kV_VQzLWaED3hSRlY9R6wQHh_f3UEZ_q-CrwRU", "demoKeyPairId": 9001, "initialBalance": "1000.00000000", "permissions": "READ_TRADE", "ipWhitelist": "", "createdAt": "2026-04-25T18:00:00Z" } }
subscription.deleted — mai amfani ya katse, an kashe maɓalliX-BuyCrypt-Event: subscription.disconnected { "event": "subscription.disconnected", "deliveryId": "…", "timestamp": …, "data": { "subscriptionId": 42, "botProfileId": 7, "apiKey": "3fc370a4…", "reason": "USER_UNSUBSCRIBED", "disconnectedAt": "2026-04-25T18:30:00Z" } }
secret.regenerated — admin ya canza sirrin webhook ɗinkuX-BuyCrypt-Event: secret.regenerated { "event": "secret.regenerated", "deliveryId": "…", "timestamp": …, "data": { "subscriptionId": 42, "apiKey": "3fc370a4…", "newApiSecret": "new_plaintext_keep_old_valid_24h", "oldSecretValidUntil": "2026-04-26T18:00:00Z" } }
Use the raw request body bytes — DO NOT parse JSON first and re-serialize, you'll lose key order and signatures will diverge. Always compare in constant time.
# Python (FastAPI / Flask) import hmac, hashlib, time WEBHOOK_SECRET = "whsec_aGVsbG8gd29ybGQ_..." # whsec_…43 chars def verify(headers, body_bytes): sig = headers["X-BuyCrypt-Signature"] ts = int(headers["X-BuyCrypt-Timestamp"]) # anti-replay: reject if too old if abs(time.time() * 1000 - ts) > 5 * 60 * 1000: return False payload = f"{ts}.".encode() + body_bytes expected = hmac.new(WEBHOOK_SECRET.encode(), payload, hashlib.sha256).hexdigest() return hmac.compare_digest(expected, sig)
// Node.js / Express — read RAW body, not parsed JSON const crypto = require('crypto'); const SECRET = 'whsec_aGVsbG8gd29ybGQ_...'; app.post('/buycrypt/hook', express.raw({ type: 'application/json' }), // raw, not json()! (req, res) => { const sig = req.headers['x-buycrypt-signature']; const ts = parseInt(req.headers['x-buycrypt-timestamp'], 10); if (Math.abs(Date.now() - ts) > 5 * 60 * 1000) return res.status(401).end(); const expected = crypto.createHmac('sha256', SECRET) .update(`${ts}.`).update(req.body).digest('hex'); if (!crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(sig))) { return res.status(401).end(); } // req.body is a Buffer here — JSON.parse(req.body.toString('utf8')) res.sendStatus(200); });
Yunƙuri 6 tare da exponential backoff: 1m, 5m, 30m, 2h, 6h, 12h. Bayan duk 6 sun kasa, taron yana saukowa a teburin dead-letter namu kuma admin na iya sake kunna shi.
Idan endpoint ɗinku ya kasa sau 10 a jere, muna yiwa alama an kashe shi kuma mu daina aika taruruka. Tuntube mu don sake kunnawa. Wannan yana hana bot da ya mutu daga toshe sabbin masu biyan kuɗi har abada.
Kowace body an sa mata hannu da HMAC-SHA256 tare da sirrin da muka raba lokacin rajista. Tabbatar a lokaci akai-akai kafin amincewa da payload. Misalai a cikin jagorar abokan huldarmu.
Base URL: https://api.buycrypt.com/fapi. Tantancewa: X-MBX-APIKEY header + sa hannun HMAC-SHA256 akan endpoints masu sa hannu. Recv window: 5,000 ms default, 60,000 ms max.
{}.MARKET, LIMIT, STOP_MARKET, TAKE_PROFIT_MARKET, STOP, TAKE_PROFIT (nau'in limit), TRAILING_STOP_MARKET. Flags: reduceOnly, closePosition, timeInForce (GTC/IOC/FOK), newClientOrderId don idempotency, workingType, callbackRate.orderId ko origClientOrderId.{dualSidePosition: false}.ORDER_TRADE_UPDATE, ACCOUNT_UPDATE, MARGIN_CALL. Irin wannan siffar payload kamar Binance.subscribe/unsubscribe/list_subscriptions — passthrough zuwa Binance na sama.X-MBX-USED-WEIGHT-1M, X-MBX-ORDER-COUNT-10S, Retry-After akan 429.Retry-AfterBabu fom ɗin nema, babu jerin bita, babu kuɗin haɗawa. Yi rajista kamar kowane mai amfani, ƙirƙiri maɓallan API a cikin manhajar wayar hannu, sa bot ɗinku ya nufi https://api.buycrypt.com/fapi — wannan shine dukan tsarin shiga.