Kung ang iyong bot ay compatible na sa Binance USD-M Futures, palitan lang ang isang base URL at live ka na sa BuyCrypt. Natutuklasan ng aming mga user ang iyong bot sa leaderboard, sinusubukan ito sa libreng $1,000 demo account, at nag-gra-graduate sa tunay na key kapag na-convince na sila.
Walang code rewrite. Walang exchange-specific na quirks. Parehong HMAC-SHA256 signing, parehong WebSocket user-data stream, parehong mga order type — nakabalot sa aming demo trading engine para maikumpara ng mga user ang mga bot nang hindi nilalagay sa risk ang kanilang capital.
Ang bawat user na mag-subscribe ay makakakuha ng sarili nilang demo account na may $1,000 virtual balance. Ang bot mo ang magte-trade nito. Napapanood nila ang live na PnL, drawdown, at win rate. Walang risk sa totoong puhunan nila — at walang acquisition cost sa panig mo.
Lalabas ang sariling demo account ng bot mo sa public leaderboard na may 🤖 БОТ badge. Makikita ng mga user ang PnL ranking sa gitna ng totoong mga trader. I-tap ang row, pindutin ang "Kumonekta" — instant na subscription.
Kung gumagamit ang bot mo ng anumang Binance Futures SDK (binance-connector-python, python-binance, CCXT, atbp.), itakda ang base_url nito papunta sa https://api.buycrypt.com/fapi. Magkatulad ang HMAC, recvWindow, at mga order type.
Kapag nag-subscribe ang isang user, ipinapadala namin (POST) ang bagong likhang API key + secret sa webhook URL mo — naka-sign gamit ang HMAC, ina-ulit kapag nabigo gamit ang exponential backoff, at nare-recover mula sa dead-letter. Hindi mo na kailangang hingin ang credentials mula sa user.
Bubuksan ng user ang leaderboard. Lalabas ang account ng bot mo na may 🤖 БОТ chip sa tabi ng username, kasama ang bilang ng subscriber. I-ta-tap nila ang row.
Sa profile page ng bot, makikita nila ang "Kumonekta sa demo account". Isang tap lang para makagawa ng bagong $1,000 demo para sa kanila, at magsisimula nang mag-trade dito ang bot mo.
Pinapanood ng user ang bot habang nagte-trade sa demo nila sa loob ng ilang araw o linggo. PnL, mga posisyon, win rate — lahat live sa app. Kung magugustuhan nila ito, ilalagay nila ang totoong Binance API key sa loob ng BuyCrypt para mag-upgrade mula demo patungong production.
Idinaragdag ng user ang totoong Binance API key nila sa loob ng BuyCrypt. Inihahatid namin ito sa webhook mo sa parehong paraan gaya ng paghahatid ng demo key — parehong subscription.created event, may kasamang production credentials na lang nila. Iisang integration ang sumasaklaw sa demo at live flows.
Magrehistro ng regular na BuyCrypt account — parehong flow ng kahit sinong user. Bibigyan ka agad ng libreng demo account na may starting balance sa mismong sandaling mag-sign up ka. Walang application form, walang review queue.
Gumawa ng API keys direkta sa loob ng BuyCrypt mobile app: My Profile → API keys → i-tap ang demo account mo → Generate. Makakakuha ka ng bagong apiKey + apiSecret na ipapakita nang isang beses lang — kopyahin ang mga ito sa bot mo. Pagkatapos, itakda ang umiiral mo nang Binance USD-M Futures bot papunta sa https://api.buycrypt.com/fapi at gagana agad ito — parehong HMAC, parehong endpoints, parehong order types.
Sa sandaling matukoy namin ang API-driven trading sa demo mo, awtomatikong ma-flag ang account mo bilang bot. Lalabas ang demo mo sa leaderboard na may 🤖 БОТ chip at public profile, para matuklasan at ma-subscribe-han ito ng ibang users.
Kapag handa ka nang tumanggap ng mga subscriber, magdagdag ng webhook URL sa profile ng bot mo sa settings. Sa tuwing mag-subscribe ang isang user — sa demo man o gamit ang totoong Binance keys — ipinapadala namin ang subscription.created event kasama ang API key + secret para sa account ng user na iyon. I-store ang (userId, apiKey, apiSecret) at simulan ang pag-trade sa ngalan nila.
Karamihan sa mga Binance Futures SDK ay tumatanggap ng custom na base URL. Narito ang buong pagbabagong kailangan ng isang tipikal na Python bot:
# before — trading on real Binance from binance.um_futures import UMFutures client = UMFutures(key=API_KEY, secret=API_SECRET) # after — trading on a BuyCrypt user's demo from binance.um_futures import UMFutures client = UMFutures( key=API_KEY, secret=API_SECRET, base_url="https://api.buycrypt.com/fapi", # <- the only line that changes ) # everything below is identical to your existing code client.new_order(symbol="BTCUSDT", side="BUY", type="MARKET", quantity=0.01) client.account() client.cancel_open_orders(symbol="BTCUSDT")
CCXT, python-binance, Go's go-binance, JS node-binance-api — lahat gumagana sa parehong paraan. Gumagana rin ang mga simpleng requests.get(...).headers["X-MBX-APIKEY"] = key na bot; byte-identical ang HMAC signing rule.
Kapag nag-subscribe ang isang BuyCrypt user sa iyong bot, gagawa kami ng per-user na API key + secret sa server-side at ipapadala ito gamit ang POST sa iyong nakarehistrong webhook URL. Hindi kailanman ibinabalik ang secret sa user — sa iyo lang ito napupunta, sa pamamagitan ng HTTPS, naka-sign.
TL;DR: sign up → tap «Generate API key» on your demo → generate a webhook secret → run one Python script → admin approves. ~5 minutes.
Open buycrypt.com/terminal (or the mobile app). Sign in via Google or phone. A $1,000 USDT demo account is created automatically — that's the sandbox your bot will trade on.
In the app: Profile → API Keys → tap your demo account → «Bot API keys» → Generate. A dialog shows the apiKey + apiSecret once — copy both, you can't recover the secret afterwards.
# what you'll save API_KEY = "3fc370a4ac94b9aa756e2a97842dc04c" API_SECRET = "3WJ86kV_VQzLWaED3hSRlY9R6wQHh_f3UEZ_q-CrwRU"
Same shape as Binance — your existing USD-M Futures bot library reads it as a regular Binance key with base URL https://api.buycrypt.com/fapi.
A second secret, separate from API_SECRET. We use it to sign the events we POST to your webhook URL — so you can verify the request really came from us. You generate it on your side; we encrypt-store it but never reveal back:
# any of these works — pick one. Save the output. $ openssl rand -hex 32 # macOS / Linux $ python3 -c "import secrets; print(secrets.token_hex(32))" # cross-platform # sample output 8a31c2f4d5e6789abc01234567890def8a31c2f4d5e6789abc01234567890def
Drop your three secrets into one signed POST. Save this as register_bot.py and run it once. Works on any OS with Python 3.10+ and pip install requests:
import hmac, hashlib, time, urllib.parse, requests # ─── fill these in from steps 2 and 3 ───────────────────── API_KEY = "3fc370a4ac94b9aa756e2a97842dc04c" API_SECRET = "3WJ86kV_VQzLWaED3hSRlY9R6wQHh_f3UEZ_q-CrwRU" WEBHOOK_SECRET = "8a31c2f4d5e6789abc01234567890def8a31c2f4d5e6789abc01234567890def" SLUG = "alpha-trader" # lowercase, [a-z0-9-], unique DISPLAY_NAME = "Alpha Trader" # shown to users in the bot list WEBHOOK_URL = "https://your-bot.example.com/buycrypt/hook" # MUST be HTTPS, public # ────────────────────────────────────────────────────────── params = { "slug": SLUG, "displayName": DISPLAY_NAME, "webhookUrl": WEBHOOK_URL, "webhookSecret": WEBHOOK_SECRET, "defaultLeverage": 10, "timestamp": int(time.time() * 1000), } qs = urllib.parse.urlencode(params) sig = hmac.new(API_SECRET.encode(), qs.encode(), hashlib.sha256).hexdigest() r = requests.post( "https://api.buycrypt.com/fapi/v1/bot/profiles", headers={ "X-MBX-APIKEY": API_KEY, "Content-Type": "application/x-www-form-urlencoded", }, data=qs + f"&signature={sig}", ) print(r.status_code, r.json())
Notice no demoKeyPairId — your API_KEY already points to the demo it was generated for. Need to register against a different demo? Generate a separate API key for it (step 2 again).
Expected output:
201 {
"botId": 42,
"slug": "alpha-trader",
"status": "PENDING_REVIEW",
"webhookUrl": "https://your-bot.example.com/buycrypt/hook",
"webhookStatus": "ACTIVE",
"webhookSecretAutoGenerated": false
}
Common errors:
{"code":-2010, "msg":"Slug already in use."} # pick another slug
{"code":-1102, "msg":"webhookSecret must be at least 32..."} # too short — use 32+ chars
{"code":-1022, "msg":"Signature for this request is not valid."} # API_SECRET wrong, or params order changed after signing
{"code":-1003, "msg":"Bot registration rate limit: 1 per hour..."} # wait it out
Bot lands in PENDING_REVIEW. Our admin sees your request immediately and approves it. To check status anytime:
import hmac, hashlib, time, urllib.parse, requests API_KEY = "3fc370a4..." API_SECRET = "3WJ86kV..." qs = urllib.parse.urlencode({"timestamp": int(time.time() * 1000)}) sig = hmac.new(API_SECRET.encode(), qs.encode(), hashlib.sha256).hexdigest() r = requests.get( f"https://api.buycrypt.com/fapi/v1/bot/profiles?{qs}&signature={sig}", headers={"X-MBX-APIKEY": API_KEY}, ) print(r.json()) # [{"botId":42, "status":"ACTIVE", ...}] when approved
Once "status":"ACTIVE": every time a user subscribes we POST to your webhookUrl with the per-subscriber API key your bot will trade with. The events shape and a copy-paste signature-verification snippet are right below this section.
Lost your webhook secret? Pick a new one and rotate (same signing pattern as registration):
params = {
"webhookSecret": NEW_SECRET, # or omit to get backend-generated
"timestamp": int(time.time() * 1000),
}
qs = urllib.parse.urlencode(params)
sig = hmac.new(API_SECRET.encode(), qs.encode(), hashlib.sha256).hexdigest()
requests.post(
"https://api.buycrypt.com/fapi/v1/bot/profiles/42/webhook/rotate-secret",
headers={"X-MBX-APIKEY": API_KEY,
"Content-Type": "application/x-www-form-urlencoded"},
data=qs + f"&signature={sig}",
)
Old secret invalid the second the new one saves. Rate limit: 10 rotations/hour per bot.
subscription.created — bago lang nag-subscribe ang userPOST https://your-bot.example.com/buycrypt/hook Content-Type: application/json User-Agent: BuyCrypt-Webhook/1.0 X-BuyCrypt-Event: subscription.created X-BuyCrypt-Delivery-Id: 7f3b2e8c-a4d1-4f12-93b8-0c1e9f8d2a4b # dedup key — store + reject duplicates X-BuyCrypt-Timestamp: 1745605200123 # ms epoch when payload was built X-BuyCrypt-Signature: 5e8c2d… # hex(HMAC-SHA256(webhookSecret, ts + "." + body)) { "event": "subscription.created", "deliveryId": "7f3b2e8c-a4d1-4f12-93b8-0c1e9f8d2a4b", "timestamp": 1745605200123, "data": { "subscriptionId": 42, "botProfileId": 7, "subscriberHandle": "user_fb_uid_a", "apiKey": "3fc370a4ac94b9aa756e2a97842dc04c", "apiSecret": "3WJ86kV_VQzLWaED3hSRlY9R6wQHh_f3UEZ_q-CrwRU", "demoKeyPairId": 9001, "initialBalance": "1000.00000000", "permissions": "READ_TRADE", "ipWhitelist": "", "createdAt": "2026-04-25T18:00:00Z" } }
subscription.deleted — nagdiskonekta ang user, na-disable ang keyX-BuyCrypt-Event: subscription.disconnected { "event": "subscription.disconnected", "deliveryId": "…", "timestamp": …, "data": { "subscriptionId": 42, "botProfileId": 7, "apiKey": "3fc370a4…", "reason": "USER_UNSUBSCRIBED", "disconnectedAt": "2026-04-25T18:30:00Z" } }
secret.regenerated — pinalitan ng admin ang webhook secret moX-BuyCrypt-Event: secret.regenerated { "event": "secret.regenerated", "deliveryId": "…", "timestamp": …, "data": { "subscriptionId": 42, "apiKey": "3fc370a4…", "newApiSecret": "new_plaintext_keep_old_valid_24h", "oldSecretValidUntil": "2026-04-26T18:00:00Z" } }
Use the raw request body bytes — DO NOT parse JSON first and re-serialize, you'll lose key order and signatures will diverge. Always compare in constant time.
# Python (FastAPI / Flask) import hmac, hashlib, time WEBHOOK_SECRET = "whsec_aGVsbG8gd29ybGQ_..." # whsec_…43 chars def verify(headers, body_bytes): sig = headers["X-BuyCrypt-Signature"] ts = int(headers["X-BuyCrypt-Timestamp"]) # anti-replay: reject if too old if abs(time.time() * 1000 - ts) > 5 * 60 * 1000: return False payload = f"{ts}.".encode() + body_bytes expected = hmac.new(WEBHOOK_SECRET.encode(), payload, hashlib.sha256).hexdigest() return hmac.compare_digest(expected, sig)
// Node.js / Express — read RAW body, not parsed JSON const crypto = require('crypto'); const SECRET = 'whsec_aGVsbG8gd29ybGQ_...'; app.post('/buycrypt/hook', express.raw({ type: 'application/json' }), // raw, not json()! (req, res) => { const sig = req.headers['x-buycrypt-signature']; const ts = parseInt(req.headers['x-buycrypt-timestamp'], 10); if (Math.abs(Date.now() - ts) > 5 * 60 * 1000) return res.status(401).end(); const expected = crypto.createHmac('sha256', SECRET) .update(`${ts}.`).update(req.body).digest('hex'); if (!crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(sig))) { return res.status(401).end(); } // req.body is a Buffer here — JSON.parse(req.body.toString('utf8')) res.sendStatus(200); });
6 na pagsubok gamit ang exponential backoff: 1m, 5m, 30m, 2h, 6h, 12h. Kapag nabigo ang lahat ng 6, mapupunta ang event sa dead-letter table namin at maaari itong i-replay ng admin.
Kung mabigo ang endpoint mo nang 10 beses nang sunud-sunod, mama-markahan itong disabled at ihihinto namin ang pagpapadala ng events. Makipag-ugnayan sa amin para i-enable itong muli. Pumipigil ito sa isang patay na bot na harangan ang mga bagong subscriber nang walang katapusan.
Bawat body ay naka-sign gamit ang HMAC-SHA256 kasama ang secret na ibinahagi namin noong registration. I-verify sa constant time bago pagkatiwalaan ang payload. May mga halimbawa sa partner guide namin.
Base URL: https://api.buycrypt.com/fapi. Auth: X-MBX-APIKEY header + HMAC-SHA256 signature sa mga signed endpoint. Recv window: 5,000 ms default, 60,000 ms max.
{}.MARKET, LIMIT, STOP_MARKET, TAKE_PROFIT_MARKET, STOP, TAKE_PROFIT (limit-flavor), TRAILING_STOP_MARKET. Mga flag: reduceOnly, closePosition, timeInForce (GTC/IOC/FOK), newClientOrderId para sa idempotency, workingType, callbackRate.orderId o origClientOrderId.{dualSidePosition: false}.ORDER_TRADE_UPDATE, ACCOUNT_UPDATE, MARGIN_CALL. Parehong hugis ng payload gaya ng Binance.subscribe/unsubscribe/list_subscriptions control messages — passthrough papunta sa upstream Binance.X-MBX-USED-WEIGHT-1M, X-MBX-ORDER-COUNT-10S, Retry-After sa 429.Retry-AfterWalang application form, walang review queue, walang integration fee. Mag-sign up tulad ng ibang user, gumawa ng API key sa mobile app, at itugma ang iyong bot sa https://api.buycrypt.com/fapi — iyon na ang buong onboarding.