BuyCrypt
Para sa mga Bot Developer

I-connect ang iyong trading bot. Parehong Binance API.

Kung ang iyong bot ay compatible na sa Binance USD-M Futures, palitan lang ang isang base URL at live ka na sa BuyCrypt. Natutuklasan ng aming mga user ang iyong bot sa leaderboard, sinusubukan ito sa libreng $1,000 demo account, at nag-gra-graduate sa tunay na key kapag na-convince na sila.

Walang code rewrite. Walang exchange-specific na quirks. Parehong HMAC-SHA256 signing, parehong WebSocket user-data stream, parehong mga order type — nakabalot sa aming demo trading engine para maikumpara ng mga user ang mga bot nang hindi nilalagay sa risk ang kanilang capital.

Bakit BuyCrypt

Demo-First na Distribution para sa Trading Bot

Libreng $1,000 na Demo Bawat User

Ang bawat user na mag-subscribe ay makakakuha ng sarili nilang demo account na may $1,000 virtual balance. Ang bot mo ang magte-trade nito. Napapanood nila ang live na PnL, drawdown, at win rate. Walang risk sa totoong puhunan nila — at walang acquisition cost sa panig mo.

Exposure sa Leaderboard

Lalabas ang sariling demo account ng bot mo sa public leaderboard na may 🤖 БОТ badge. Makikita ng mga user ang PnL ranking sa gitna ng totoong mga trader. I-tap ang row, pindutin ang "Kumonekta" — instant na subscription.

Zero Code Rewrite

Kung gumagamit ang bot mo ng anumang Binance Futures SDK (binance-connector-python, python-binance, CCXT, atbp.), itakda ang base_url nito papunta sa https://api.buycrypt.com/fapi. Magkatulad ang HMAC, recvWindow, at mga order type.

Mga key na inihahatid via Webhook

Kapag nag-subscribe ang isang user, ipinapadala namin (POST) ang bagong likhang API key + secret sa webhook URL mo — naka-sign gamit ang HMAC, ina-ulit kapag nabigo gamit ang exponential backoff, at nare-recover mula sa dead-letter. Hindi mo na kailangang hingin ang credentials mula sa user.

Paglalakbay ng User

Paano Natutuklasan at Nagsu-subscribe ang mga User sa Iyong Bot

1

Tuklasin

Bubuksan ng user ang leaderboard. Lalabas ang account ng bot mo na may 🤖 БОТ chip sa tabi ng username, kasama ang bilang ng subscriber. I-ta-tap nila ang row.

2

Subukan sa Demo

Sa profile page ng bot, makikita nila ang "Kumonekta sa demo account". Isang tap lang para makagawa ng bagong $1,000 demo para sa kanila, at magsisimula nang mag-trade dito ang bot mo.

3

Panoorin + Magpasya

Pinapanood ng user ang bot habang nagte-trade sa demo nila sa loob ng ilang araw o linggo. PnL, mga posisyon, win rate — lahat live sa app. Kung magugustuhan nila ito, ilalagay nila ang totoong Binance API key sa loob ng BuyCrypt para mag-upgrade mula demo patungong production.

4

Mag-upgrade

Idinaragdag ng user ang totoong Binance API key nila sa loob ng BuyCrypt. Inihahatid namin ito sa webhook mo sa parehong paraan gaya ng paghahatid ng demo key — parehong subscription.created event, may kasamang production credentials na lang nila. Iisang integration ang sumasaklaw sa demo at live flows.

Onboarding ng Developer

Paano Idagdag ang Iyong Bot sa BuyCrypt

1

Mag-sign Up

Magrehistro ng regular na BuyCrypt account — parehong flow ng kahit sinong user. Bibigyan ka agad ng libreng demo account na may starting balance sa mismong sandaling mag-sign up ka. Walang application form, walang review queue.

2

I-trade ang Demo Mo via API

Gumawa ng API keys direkta sa loob ng BuyCrypt mobile app: My Profile → API keys → i-tap ang demo account mo → Generate. Makakakuha ka ng bagong apiKey + apiSecret na ipapakita nang isang beses lang — kopyahin ang mga ito sa bot mo. Pagkatapos, itakda ang umiiral mo nang Binance USD-M Futures bot papunta sa https://api.buycrypt.com/fapi at gagana agad ito — parehong HMAC, parehong endpoints, parehong order types.

3

Awtomatikong Naka-flag bilang Bot

Sa sandaling matukoy namin ang API-driven trading sa demo mo, awtomatikong ma-flag ang account mo bilang bot. Lalabas ang demo mo sa leaderboard na may 🤖 БОТ chip at public profile, para matuklasan at ma-subscribe-han ito ng ibang users.

4

(Opsyonal) Tumanggap ng mga Subscriber via Webhook

Kapag handa ka nang tumanggap ng mga subscriber, magdagdag ng webhook URL sa profile ng bot mo sa settings. Sa tuwing mag-subscribe ang isang user — sa demo man o gamit ang totoong Binance keys — ipinapadala namin ang subscription.created event kasama ang API key + secret para sa account ng user na iyon. I-store ang (userId, apiKey, apiSecret) at simulan ang pag-trade sa ngalan nila.

Drop-in

Ang Umiiral Mong Binance Futures Bot, Muling Nagagamit

Karamihan sa mga Binance Futures SDK ay tumatanggap ng custom na base URL. Narito ang buong pagbabagong kailangan ng isang tipikal na Python bot:

# before — trading on real Binance
from binance.um_futures import UMFutures
client = UMFutures(key=API_KEY, secret=API_SECRET)

# after — trading on a BuyCrypt user's demo
from binance.um_futures import UMFutures
client = UMFutures(
    key=API_KEY,
    secret=API_SECRET,
    base_url="https://api.buycrypt.com/fapi",   # <- the only line that changes
)

# everything below is identical to your existing code
client.new_order(symbol="BTCUSDT", side="BUY", type="MARKET", quantity=0.01)
client.account()
client.cancel_open_orders(symbol="BTCUSDT")

CCXT, python-binance, Go's go-binance, JS node-binance-api — lahat gumagana sa parehong paraan. Gumagana rin ang mga simpleng requests.get(...).headers["X-MBX-APIKEY"] = key na bot; byte-identical ang HMAC signing rule.

Webhook

Paano Namin Ipinapadala ang API Key sa Iyong System

Kapag nag-subscribe ang isang BuyCrypt user sa iyong bot, gagawa kami ng per-user na API key + secret sa server-side at ipapadala ito gamit ang POST sa iyong nakarehistrong webhook URL. Hindi kailanman ibinabalik ang secret sa user — sa iyo lang ito napupunta, sa pamamagitan ng HTTPS, naka-sign.

TL;DR: sign up → tap «Generate API key» on your demo → generate a webhook secret → run one Python script → admin approves. ~5 minutes.

Step 1 — Sign up

Open buycrypt.com/terminal (or the mobile app). Sign in via Google or phone. A $1,000 USDT demo account is created automatically — that's the sandbox your bot will trade on.

Step 2 — Generate your trading API key (in the app)

In the app: Profile → API Keys → tap your demo account → «Bot API keys» → Generate. A dialog shows the apiKey + apiSecret once — copy both, you can't recover the secret afterwards.

# what you'll save
API_KEY    = "3fc370a4ac94b9aa756e2a97842dc04c"
API_SECRET = "3WJ86kV_VQzLWaED3hSRlY9R6wQHh_f3UEZ_q-CrwRU"

Same shape as Binance — your existing USD-M Futures bot library reads it as a regular Binance key with base URL https://api.buycrypt.com/fapi.

Step 3 — Generate your webhook signing secret

A second secret, separate from API_SECRET. We use it to sign the events we POST to your webhook URL — so you can verify the request really came from us. You generate it on your side; we encrypt-store it but never reveal back:

# any of these works — pick one. Save the output.
$ openssl rand -hex 32                          # macOS / Linux
$ python3 -c "import secrets; print(secrets.token_hex(32))"   # cross-platform

# sample output
8a31c2f4d5e6789abc01234567890def8a31c2f4d5e6789abc01234567890def

Step 4 — Register the bot (one signed POST)

Drop your three secrets into one signed POST. Save this as register_bot.py and run it once. Works on any OS with Python 3.10+ and pip install requests:

import hmac, hashlib, time, urllib.parse, requests

# ─── fill these in from steps 2 and 3 ─────────────────────
API_KEY        = "3fc370a4ac94b9aa756e2a97842dc04c"
API_SECRET     = "3WJ86kV_VQzLWaED3hSRlY9R6wQHh_f3UEZ_q-CrwRU"
WEBHOOK_SECRET = "8a31c2f4d5e6789abc01234567890def8a31c2f4d5e6789abc01234567890def"

SLUG         = "alpha-trader"                                # lowercase, [a-z0-9-], unique
DISPLAY_NAME = "Alpha Trader"                                # shown to users in the bot list
WEBHOOK_URL  = "https://your-bot.example.com/buycrypt/hook"   # MUST be HTTPS, public
# ──────────────────────────────────────────────────────────

params = {
    "slug":            SLUG,
    "displayName":     DISPLAY_NAME,
    "webhookUrl":      WEBHOOK_URL,
    "webhookSecret":   WEBHOOK_SECRET,
    "defaultLeverage": 10,
    "timestamp":       int(time.time() * 1000),
}
qs  = urllib.parse.urlencode(params)
sig = hmac.new(API_SECRET.encode(), qs.encode(), hashlib.sha256).hexdigest()

r = requests.post(
    "https://api.buycrypt.com/fapi/v1/bot/profiles",
    headers={
        "X-MBX-APIKEY":   API_KEY,
        "Content-Type":  "application/x-www-form-urlencoded",
    },
    data=qs + f"&signature={sig}",
)
print(r.status_code, r.json())

Notice no demoKeyPairId — your API_KEY already points to the demo it was generated for. Need to register against a different demo? Generate a separate API key for it (step 2 again).

Expected output:

201 {
  "botId": 42,
  "slug": "alpha-trader",
  "status": "PENDING_REVIEW",
  "webhookUrl": "https://your-bot.example.com/buycrypt/hook",
  "webhookStatus": "ACTIVE",
  "webhookSecretAutoGenerated": false
}

Common errors:

{"code":-2010, "msg":"Slug already in use."}                # pick another slug
{"code":-1102, "msg":"webhookSecret must be at least 32..."}  # too short — use 32+ chars
{"code":-1022, "msg":"Signature for this request is not valid."}  # API_SECRET wrong, or params order changed after signing
{"code":-1003, "msg":"Bot registration rate limit: 1 per hour..."}  # wait it out

Step 5 — Wait for approve, then receive events

Bot lands in PENDING_REVIEW. Our admin sees your request immediately and approves it. To check status anytime:

import hmac, hashlib, time, urllib.parse, requests

API_KEY    = "3fc370a4..."
API_SECRET = "3WJ86kV..."

qs  = urllib.parse.urlencode({"timestamp": int(time.time() * 1000)})
sig = hmac.new(API_SECRET.encode(), qs.encode(), hashlib.sha256).hexdigest()
r = requests.get(
    f"https://api.buycrypt.com/fapi/v1/bot/profiles?{qs}&signature={sig}",
    headers={"X-MBX-APIKEY": API_KEY},
)
print(r.json())   # [{"botId":42, "status":"ACTIVE", ...}] when approved

Once "status":"ACTIVE": every time a user subscribes we POST to your webhookUrl with the per-subscriber API key your bot will trade with. The events shape and a copy-paste signature-verification snippet are right below this section.

Lost your webhook secret? Pick a new one and rotate (same signing pattern as registration):

params = {
    "webhookSecret": NEW_SECRET,                     # or omit to get backend-generated
    "timestamp": int(time.time() * 1000),
}
qs  = urllib.parse.urlencode(params)
sig = hmac.new(API_SECRET.encode(), qs.encode(), hashlib.sha256).hexdigest()
requests.post(
    "https://api.buycrypt.com/fapi/v1/bot/profiles/42/webhook/rotate-secret",
    headers={"X-MBX-APIKEY": API_KEY,
             "Content-Type": "application/x-www-form-urlencoded"},
    data=qs + f"&signature={sig}",
)

Old secret invalid the second the new one saves. Rate limit: 10 rotations/hour per bot.

Webhook event shapes (what we POST to you)

subscription.created — bago lang nag-subscribe ang user

POST https://your-bot.example.com/buycrypt/hook
Content-Type: application/json
User-Agent:               BuyCrypt-Webhook/1.0
X-BuyCrypt-Event:         subscription.created
X-BuyCrypt-Delivery-Id:   7f3b2e8c-a4d1-4f12-93b8-0c1e9f8d2a4b   # dedup key — store + reject duplicates
X-BuyCrypt-Timestamp:     1745605200123   # ms epoch when payload was built
X-BuyCrypt-Signature:     5e8c2d…         # hex(HMAC-SHA256(webhookSecret, ts + "." + body))

{
  "event":        "subscription.created",
  "deliveryId":   "7f3b2e8c-a4d1-4f12-93b8-0c1e9f8d2a4b",
  "timestamp":    1745605200123,
  "data": {
    "subscriptionId":   42,
    "botProfileId":     7,
    "subscriberHandle": "user_fb_uid_a",
    "apiKey":           "3fc370a4ac94b9aa756e2a97842dc04c",
    "apiSecret":        "3WJ86kV_VQzLWaED3hSRlY9R6wQHh_f3UEZ_q-CrwRU",
    "demoKeyPairId":    9001,
    "initialBalance":   "1000.00000000",
    "permissions":      "READ_TRADE",
    "ipWhitelist":      "",
    "createdAt":        "2026-04-25T18:00:00Z"
  }
}

subscription.deleted — nagdiskonekta ang user, na-disable ang key

X-BuyCrypt-Event: subscription.disconnected

{
  "event":      "subscription.disconnected",
  "deliveryId": "…",
  "timestamp":  …,
  "data": {
    "subscriptionId":  42,
    "botProfileId":    7,
    "apiKey":          "3fc370a4…",
    "reason":          "USER_UNSUBSCRIBED",
    "disconnectedAt":  "2026-04-25T18:30:00Z"
  }
}

secret.regenerated — pinalitan ng admin ang webhook secret mo

X-BuyCrypt-Event: secret.regenerated

{
  "event":      "secret.regenerated",
  "deliveryId": "…",
  "timestamp":  …,
  "data": {
    "subscriptionId":       42,
    "apiKey":               "3fc370a4…",
    "newApiSecret":         "new_plaintext_keep_old_valid_24h",
    "oldSecretValidUntil":  "2026-04-26T18:00:00Z"
  }
}

Verify the signature (constant-time)

Use the raw request body bytes — DO NOT parse JSON first and re-serialize, you'll lose key order and signatures will diverge. Always compare in constant time.

# Python (FastAPI / Flask)
import hmac, hashlib, time

WEBHOOK_SECRET = "whsec_aGVsbG8gd29ybGQ_..."   # whsec_…43 chars

def verify(headers, body_bytes):
    sig = headers["X-BuyCrypt-Signature"]
    ts  = int(headers["X-BuyCrypt-Timestamp"])

    # anti-replay: reject if too old
    if abs(time.time() * 1000 - ts) > 5 * 60 * 1000:
        return False

    payload = f"{ts}.".encode() + body_bytes
    expected = hmac.new(WEBHOOK_SECRET.encode(), payload, hashlib.sha256).hexdigest()

    return hmac.compare_digest(expected, sig)
// Node.js / Express — read RAW body, not parsed JSON
const crypto = require('crypto');
const SECRET = 'whsec_aGVsbG8gd29ybGQ_...';

app.post('/buycrypt/hook',
  express.raw({ type: 'application/json' }),   // raw, not json()!
  (req, res) => {
    const sig = req.headers['x-buycrypt-signature'];
    const ts  = parseInt(req.headers['x-buycrypt-timestamp'], 10);

    if (Math.abs(Date.now() - ts) > 5 * 60 * 1000) return res.status(401).end();

    const expected = crypto.createHmac('sha256', SECRET)
      .update(`${ts}.`).update(req.body).digest('hex');

    if (!crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(sig))) {
      return res.status(401).end();
    }
    // req.body is a Buffer here — JSON.parse(req.body.toString('utf8'))
    res.sendStatus(200);
});

Patakaran sa Retry

6 na pagsubok gamit ang exponential backoff: 1m, 5m, 30m, 2h, 6h, 12h. Kapag nabigo ang lahat ng 6, mapupunta ang event sa dead-letter table namin at maaari itong i-replay ng admin.

Awtomatikong Pag-disable

Kung mabigo ang endpoint mo nang 10 beses nang sunud-sunod, mama-markahan itong disabled at ihihinto namin ang pagpapadala ng events. Makipag-ugnayan sa amin para i-enable itong muli. Pumipigil ito sa isang patay na bot na harangan ang mga bagong subscriber nang walang katapusan.

Pag-verify ng Signature

Bawat body ay naka-sign gamit ang HMAC-SHA256 kasama ang secret na ibinahagi namin noong registration. I-verify sa constant time bago pagkatiwalaan ang payload. May mga halimbawa sa partner guide namin.

Saklaw ng API

Bawat Binance USD-M Futures Method na Sinusuportahan Namin

Base URL: https://api.buycrypt.com/fapi. Auth: X-MBX-APIKEY header + HMAC-SHA256 signature sa mga signed endpoint. Recv window: 5,000 ms default, 60,000 ms max.

Pampublikong market data (walang auth)

GET
/v1/ping
Health check. Nagbabalik ng {}.
GET
/v1/time
Oras ng server sa ms — i-sync ang orasan mo para maiwasan ang hindi pagtutugma sa recvWindow.
GET
/v1/exchangeInfo
Mga symbol, filter, precision, leverage tiers.
GET
/v1/ticker/price · /ticker/24hr · /ticker/bookTicker
Huling presyo ng trade · 24h stats · pinakamahusay na bid/ask.
GET
/v1/depth?symbol=&limit=
Snapshot ng order-book (limit ∈ {5,10,20,50,100,500,1000}).
GET
/v1/klines
OHLCV candlesticks para sa anumang interval (1m, 5m, 1h, 4h, 1d).
GET
/v1/markPrice · /v1/fundingRate · /v1/premiumIndex
Mark price para sa liquidation calc · funding history · premium index.
GET
/v1/trades · /v1/aggTrades
Mga kamakailang trade at aggregated trades.

Account & Mga Posisyon (naka-sign)

GET
/v1/account · /v2/account · /v3/account
Buong snapshot ng account — balances, total margin, per-asset, kasalukuyang mga posisyon. Ang lahat ng tatlong bersyon ng path ay nagbabalik ng parehong payload (Binance compat).
GET
/v2/balance · /v3/balance
Per-asset wallet balance. USDT lang ang inilalabas namin.
GET
/v2/positionRisk · /v3/positionRisk
Mga aktibong posisyon kasama ang mark price, entry price, unrealised PnL, liquidation price.
GET
/v1/userTrades · /v1/income · /v1/commissionRate · /v1/leverageBracket
Trade history · realised income · per-symbol fee rate · leverage tiers.

Trading (naka-sign)

POST
/v1/order
Maglagay ng order. Sinusuportahan ang MARKET, LIMIT, STOP_MARKET, TAKE_PROFIT_MARKET, STOP, TAKE_PROFIT (limit-flavor), TRAILING_STOP_MARKET. Mga flag: reduceOnly, closePosition, timeInForce (GTC/IOC/FOK), newClientOrderId para sa idempotency, workingType, callbackRate.
GET
/v1/order
Mag-query ng iisang order gamit ang orderId o origClientOrderId.
DELETE
/v1/order
Kanselahin ang iisang order.
DELETE
/v1/allOpenOrders?symbol=X
Kanselahin ang lahat ng open order sa isang symbol sa isang tawag lang.
GET
/v1/openOrders
Lahat ng kasalukuyang aktibong (non-filled, non-canceled) na mga order.
GET
/v1/allOrders
Kasaysayan ng order. 500 na pinakabago bilang default.
POST
/v1/leverage · /v1/marginType · /v1/positionMargin
Itakda ang leverage (1×–125×) · ISOLATED/CROSS · mag-top up ng isolated margin.
GET
/v1/positionSide/dual
Flag ng hedge-mode. One-way lang muna kami sa ngayon — nagbabalik ng {dualSidePosition: false}.

User-data WebSocket (pribado)

POST
/v1/listenKey
Gumawa ng 60-min na listenKey. Gamitin ito para i-authenticate ang WS handshake.
PUT
/v1/listenKey
Palawigin ang listenKey lease ng isa pang 60 min. Tumawag bawat < 60 min para panatilihing buhay ang stream.
DELETE
/v1/listenKey
Isara ang listenKey kapag nag-shu-shutdown.
WS
wss://api.buycrypt.com/fapi/ws/<listenKey>
Push events para sa mga order, balance, posisyon: ORDER_TRADE_UPDATE, ACCOUNT_UPDATE, MARGIN_CALL. Parehong hugis ng payload gaya ng Binance.

Market-data WebSocket (pampubliko)

WS
wss://api.buycrypt.com/fapi/stream?streams=btcusdt@trade/btcusdt@kline_1m
Multi-stream subscription. Sinusuportahan ang subscribe/unsubscribe/list_subscriptions control messages — passthrough papunta sa upstream Binance.
Mga Limit at Error

Mga Rate Limit at Error Code

Mga Bucket Kada API-key

  • Weight: 2,400 / minuto
  • Paglalagay ng order: 300 / 10 segundo
  • Signed reads: 1,200 / minuto
  • Mga header sa bawat reply: X-MBX-USED-WEIGHT-1M, X-MBX-ORDER-COUNT-10S, Retry-After sa 429.

Karaniwang Mga Error Code

  • -1003 Sobrang dami ng requests — mag-back off gamit ang Retry-After
  • -1021 Timestamp sa labas ng recvWindow
  • -1022 Hindi wastong signature
  • -1102 Hindi naipadala ang mandatory parameter
  • -1116 Hindi wastong order type
  • -2010 Tinanggihan ang order (hindi sapat na balance, atbp.)
  • -2011 Hindi kilalang order
  • -2014 Hindi wastong format ng API-key
  • -2015 Hindi wastong API-key, IP, o permissions
  • -2019 Hindi sapat ang margin

Handa nang I-plug In ang Iyong Bot?

Walang application form, walang review queue, walang integration fee. Mag-sign up tulad ng ibang user, gumawa ng API key sa mobile app, at itugma ang iyong bot sa https://api.buycrypt.com/fapi — iyon na ang buong onboarding.