Exchanges: CEX vs DEX

API Trading for Beginners

Pomegra Learn

What Is API Trading in Cryptocurrency, and How Do You Get Started?

Cryptocurrency exchange APIs allow programmers to connect directly to exchange infrastructure and execute trades, place orders, and manage accounts programmatically. API trading enables automation, faster execution, and data analysis—but also introduces complexity, security risks, and new failure modes. Understanding API basics is essential before automating your trading.

Quick Definition

API trading in cryptocurrency means writing or running code that connects to an exchange's Application Programming Interface (API) to execute trades, fetch market data, and manage your account—without manual interaction on the exchange website. APIs can be simple (REST-based HTTP requests) or complex (WebSocket streams, FIX protocol).

Key Takeaways

Exchanges provide public APIs (market data, order books) and private APIs (your account, orders, balances) secured with API keys and secrets
REST APIs use HTTP requests (GET, POST) for stateless operations; WebSocket APIs stream real-time data
Rate limits restrict how many requests you can make per second or minute; exceeding them causes blocking
API key security is critical: a leaked key allows thieves to withdraw all your funds
Beginners should start with a small account, test orders on testnet if available, and use library abstractions to avoid protocol mistakes

How Exchange APIs Work

Cryptocurrency exchange APIs follow a request-response model where your code sends instructions and the exchange responds with order confirmations, account data, or error messages.

API Endpoints: An endpoint is a specific URL path on the exchange's servers that performs one action. For example, Coinbase's endpoint /orders (with POST method) creates a new order. /accounts (with GET) retrieves your account balances. Each endpoint has specific input parameters and response formats.

HTTP Methods: REST APIs use standard HTTP verbs. GET requests retrieve data (your balances, market prices). POST requests create resources (place a new order). DELETE requests cancel orders. PATCH or PUT requests modify existing resources.

Request and Response Format: Requests and responses are typically JSON (JavaScript Object Notation). Your code sends a JSON request like {"product_id": "BTC-USD", "side": "buy", "order_type": "market", "size": 0.1} and receives a JSON response confirming the order was placed, including the order ID, status, and execution details.

Status Codes: HTTP responses include status codes. 200-299 means success. 400-499 means client error (invalid parameters, missing authentication). 500-599 means server error (exchange overloaded, maintenance). Always check the status code and error message before assuming your request succeeded.

Authentication and API Keys

Every private API request must be authenticated to prove you own the account.

API Key and Secret: When you enable API access on an exchange, the platform generates an API key (a string that identifies your account to the exchange) and an API secret (a secret token used to sign requests). The key is public-facing; the secret is private.

Request Signing: To authenticate a private API request, your code creates a cryptographic signature of the request using your secret key. The exchange verifies this signature proves the request came from you, not an attacker. The signing algorithm varies by exchange (HMAC-SHA256 is common). Your code appends the signature to the request headers, and the exchange validates it before processing your order.

Nonce or Timestamp: To prevent replay attacks (an attacker captures your signed request and sends it again), exchanges require a nonce (a number used once) or timestamp in every request. Your code includes the current time or a counter, signs it, and the exchange rejects requests with old timestamps or repeated nonces.

Scope and Permissions: When creating an API key, you specify what permissions it has. A key can be read-only (fetch data, no trading), trading-enabled (place and cancel orders), or withdrawal-enabled (move funds to external addresses). Always create keys with the minimum permissions needed. A trading bot does not need withdrawal permissions.

Real-World API Authentication Example

You want to place a buy order on Coinbase. Here is the simplified flow:

You have API key abc123xyz and secret secret456.
Your code constructs the request: POST /orders with body {"product_id": "BTC-USD", "side": "buy", "size": 0.1, "order_type": "market"} and timestamp 1234567890.
Your code creates a signature by combining the timestamp, method, path, and body, then encrypting them with your secret using HMAC-SHA256. The signature is sig789abc.
Your code sends the request with headers: Authorization: BTC-USD abc123xyz sig789abc (simplified; actual format varies).
Coinbase receives the request, re-calculates the signature using your secret, and compares it to the signature you sent. If they match, the request is authenticated.
Coinbase checks your API key permissions (does this key have trading enabled?), your account balance (do you have USD to buy BTC?), and rate limits (have you exceeded your request limit?).
Coinbase executes the order, records it, and responds with {"id": "order123", "product_id": "BTC-USD", "side": "buy", "size": 0.1, "status": "done", "executed_value": 4215.75}.
Your code parses the response, extracts the order ID, and stores it for future reference.

Rate Limits and Throttling

Exchanges limit the number of API requests to prevent abuse and system overload.

Request Rate Limits: Coinbase allows up to 10 requests per second (or 15 per second for some endpoints). If you send 20 requests per second, the exchange rejects requests 11-20 with status code 429 (Too Many Requests). You must retry these requests after a delay.

Burst vs. Sustained Rates: Some exchanges allow a burst of requests (e.g., 50 requests in the first second) but enforce stricter limits over longer periods (e.g., 100 requests per minute). Your code should spread requests over time and handle 429 responses gracefully.

Handling Rate Limit Errors: When you receive a 429, read the Retry-After or X-RateLimit-Reset header, which tells you when you can retry. Implement exponential backoff: wait 1 second, retry; if rejected again, wait 2 seconds, retry; wait 4 seconds, etc. Do not immediately retry rate-limited requests.

Optimizing Requests: Use batch endpoints if available. Instead of fetching each coin's price individually (10 requests), fetch all prices in one request. Use WebSocket streams for real-time data instead of polling via REST (which would exceed rate limits).

WebSocket APIs and Real-Time Data

While REST APIs are request-response, WebSockets maintain an open connection and stream real-time updates.

WebSocket Connection: Your code opens a persistent TCP connection to the exchange's WebSocket endpoint (e.g., wss://ws-feed.exchange.com). Once connected, the exchange pushes data to you without you requesting it.

Subscriptions and Channels: You subscribe to specific channels: ticker (price updates), matches (recent trades), full (detailed order book). The exchange streams updates as they happen. For example, when a new BTC trade executes, the exchange sends a JSON message to all subscribed clients.

Real-Time Order Book: Instead of polling /order-book via REST (which hits rate limits and is stale), subscribe to the order book channel and receive updated snapshots and deltas in real-time. This enables high-frequency trading algorithms that react to order book changes in milliseconds.

Latency Advantage: WebSocket latency (updates in 10-100 milliseconds) is faster than REST polling (updates every second or slower). For fast trading strategies, WebSocket is essential.

Rate Limiting and API Complexity

Connection Drops: WebSocket connections occasionally break due to network issues or exchange maintenance. Your code must detect disconnections and re-connect, potentially re-subscribing to channels and replaying missed events.

Message Ordering: Messages may arrive out of order or duplicated, especially during network turbulence. Your code must handle idempotency: if a message arrives twice, your application does not execute the trade twice.

Common API Mistakes

Not Checking Status Codes: Beginners sometimes assume every response is successful. If you do not check the status code, a failed request (status 400, invalid parameters) looks like success if you do not parse the error. Always check if (response.status >= 400) { handle_error() }.

Hardcoding API Secrets: Never paste your API secret in code. Use environment variables or secure configuration files. If you commit code with secrets to GitHub, assume the secret is compromised. Immediately rotate your API keys.

Ignoring Rate Limits: Code that makes unlimited requests will be blocked. Implement rate limiting in your code before the exchange blocks you. Count requests per second and enforce delays.

Not Handling Partial Fills: If you place a market order for 1 BTC, the exchange may execute it as multiple trades (0.5 BTC from one seller, 0.3 BTC from another, 0.2 BTC from a third) due to order book fragmentation. Your code must handle partial fills and track the filled quantity and average execution price.

Missing Error Handling: Networks fail, exchanges go down for maintenance, your code has bugs. If you do not implement try-catch blocks and error logging, you will not know when your bot stops working. A bot that fails silently and stops trading is worthless.

Not Testing Before Production: Write unit tests for your trading logic. Use a testnet or paper trading mode if the exchange provides it. Coinbase offers a sandbox environment where trades are simulated. Test your bot thoroughly before running it on real money.

API Trading Request Cycle

Building Your First Simple API Request

Here is a minimal example in Python (pseudo-code) to fetch your account balance via the Coinbase API:

import requests
import hmac
import hashlib
from datetime import datetime

API_KEY = "your-api-key"
API_SECRET = "your-api-secret"
API_URL = "https://api.exchange.coinbase.com"

def create_signature(timestamp, method, path, body=''):
    message = f"{timestamp}{method}{path}{body}"
    signature = hmac.new(
        API_SECRET.encode(),
        message.encode(),
        hashlib.sha256
    ).hexdigest()
    return signature

def get_accounts():
    timestamp = datetime.utcnow().isoformat() + 'Z'
    method = 'GET'
    path = '/accounts'
    signature = create_signature(timestamp, method, path)
    
    headers = {
        'CB-ACCESS-KEY': API_KEY,
        'CB-ACCESS-SIGN': signature,
        'CB-ACCESS-TIMESTAMP': timestamp,
        'Content-Type': 'application/json'
    }
    
    response = requests.get(f"{API_URL}{path}", headers=headers)
    
    if response.status_code == 200:
        accounts = response.json()
        for account in accounts:
            print(f"{account['currency']}: {account['balance']}")
    else:
        print(f"Error {response.status_code}: {response.text}")

get_accounts()

This code fetches your account balances. It creates a timestamp, constructs an HMAC signature, adds the signature to request headers, sends the GET request, and prints the response. In production, you would handle errors, retry on failures, and secure your API secret properly.

Real-World Example: A Simple Market Buy Bot

Imagine you want a bot that buys 0.01 BTC if the price drops below $40,000. Here is the logic:

Every 60 seconds, fetch the current BTC price via REST API (GET /ticker endpoint).
Compare the price to your threshold ($40,000).
If price < $40,000, place a market buy order for 0.01 BTC (POST /orders with {"product_id": "BTC-USD", "side": "buy", "order_type": "market", "size": 0.01}).
Log the order ID and execution price.
If price >= $40,000, do nothing.

Your code runs in a loop. In production, this bot would:

Run on a server that is always on (a cloud VM, not your laptop).
Handle rate limits (wait between requests).
Log all trades to a database.
Alert you via email or Slack when an order is placed.
Catch exceptions (network errors, API errors) and retry intelligently.

This simple bot demonstrates the core API workflow: fetch data, make a decision, execute an order.

Connecting to Broader Concepts

API trading relates to Trading Bots Warning, which discusses the risks of automated trading. Understanding Leverage Trading Caution is critical if your API integrates margin or derivatives endpoints. Exchange Security Risks cover how to protect API keys and prevent theft. Tax Reporting from Exchanges becomes more complex when API bots generate hundreds of trades—you must track all of them for tax purposes.

Verifying Legitimate Exchanges ensures you connect your bot to a regulated platform, not a scam. Understanding What Is a Crypto Exchange? helps you understand what your API requests are actually doing.

Common Questions

Q: Can I use the same API key for multiple bots?
A: Technically yes, but it is a bad practice. Create a separate API key for each bot so you can revoke a single key without disabling all bots. Each key should have only the permissions needed for that specific bot.

Q: What happens if my bot places an order and the internet disconnects before I receive the response?
A: The order may still be placed on the exchange's servers. Your bot does not know it succeeded. This is why you should query your open orders periodically and reconcile them with your internal state. Always assume an order succeeded unless you verify it did not.

Q: Is API trading taxable?
A: Yes. Every trade executed via API is a taxable event. You must report the fair market value at the time of execution, cost basis, and gain or loss. A bot that trades 1,000 times per day creates 1,000 taxable events.

Q: How do I protect my API key if my bot runs on a cloud server?
A: Store the key in an environment variable, not in code. Use the cloud provider's secrets manager (AWS Secrets Manager, Google Cloud Secret Manager) to encrypt and rotate the key. Grant the bot's process only the permissions it needs to fetch the secret.

Trading Bots Warning covers the risks of automation
Leverage Trading Caution discusses margin API endpoints
Exchange Security Risks protect your API keys
Tax Reporting from Exchanges tracks bot-generated trades
Verifying Legitimate Exchanges ensures your API target is legitimate

Summary

Exchange APIs enable programmatic trading, real-time data access, and automation, but introduce security and complexity challenges. REST APIs handle one request at a time; WebSockets stream real-time data. Authentication via API key and cryptographic signature proves ownership. Rate limits prevent abuse and require your code to respect boundaries. Common mistakes—ignoring status codes, hardcoding secrets, not handling errors—lead to lost funds or silent bot failures. Start small with a test account, implement robust error handling, secure your API keys, and track all trades for tax reporting. API trading is powerful but dangerous if not approached carefully.

Read Leverage Trading in Crypto: High Risk to understand the risks of margin and derivatives trading via APIs.

Quick Definition​

Key Takeaways​

How Exchange APIs Work​

Authentication and API Keys​

Real-World API Authentication Example​

Rate Limits and Throttling​

WebSocket APIs and Real-Time Data​

Rate Limiting and API Complexity​

Common API Mistakes​

API Trading Request Cycle​

Building Your First Simple API Request​

Real-World Example: A Simple Market Buy Bot​

Connecting to Broader Concepts​

Common Questions​

Related Concepts​

Summary​

Next​