Before you can make authenticated requests to the Bullish Trading API, you need an API key. Bullish supports two key types — ECDSA and HMAC — which differ in their cryptographic mechanism and the scope of endpoints they can access.
Generate an API Key
A prerequisite to generating API keys is to have a Bullish account. To generate an API key, follow these steps:

1. Log in to your Bullish account
   Navigate to the Bullish web application and sign in with your credentials.
2. Select the API Key type
   Choose either ECDSA or HMAC depending on your use case. See the sections below for guidance on which type to use.
3. Enter a key name
   Enter a descriptive key name in the Key Name field to help you identify the key later.
4. Configure IP whitelist (optional)
   Adding an IP whitelist is optional. Should an IP whitelist be added, login requests must originate from within the configured IP whitelist range.
ECDSA API Keys
An ECDSA API key is a public/private key pair used for ECDSA-based signing of trading and custody API requests.

- The private key is used to sign requests. Always store your private keys in a secure medium.
- From here on, the public key will be referred to as `PUBLIC_KEY` and the private key as `PRIVATE_KEY`.
- ECDSA API Keys can be used for both trading and custody endpoints.
Key and Signature Format Details
| Property | Value |
|---|---|
| Curve | ECDSA R1 (prime256v1 / secp256r1 / P-256) |
| Signature encoding | DER |
| Hashing algorithm | SHA-256 |
| Key format | X.509 SubjectPublicKeyInfo, PEM encoded |
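
An added example (not Bullish's code): a standard-library Python check that a PEM public key matches the table above, that is, an X.509 SubjectPublicKeyInfo block whose named curve is P-256 rather than the similarly named secp256k1. The function names and the sample keys are constructed for illustration; the sample point bytes are zero filler, not a usable key.

```python
import base64
import re

OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # 1.2.840.10045.2.1 (id-ecPublicKey)
CURVES = {
    bytes.fromhex("2a8648ce3d030107"): "P-256",       # prime256v1 / secp256r1 ("R1")
    bytes.fromhex("2b8104000a"): "secp256k1",         # "K1": a different curve
}

def read_tlv(buf, pos, tag):
    """Read one DER element with the given tag at pos; return (content, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag {tag:#04x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def spki_curve(pem):
    """Return the curve name of a PEM SubjectPublicKeyInfo EC key, else raise ValueError."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.+?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("no 'PUBLIC KEY' (SubjectPublicKeyInfo) PEM block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    spki, _ = read_tlv(der, 0, 0x30)                   # SubjectPublicKeyInfo SEQUENCE
    alg, key_pos = read_tlv(spki, 0, 0x30)             # AlgorithmIdentifier SEQUENCE
    alg_oid, params_pos = read_tlv(alg, 0, 0x06)
    if alg_oid != OID_EC_PUBLIC_KEY:
        raise ValueError("not an EC public key")
    curve_oid, _ = read_tlv(alg, params_pos, 0x06)     # named-curve parameter
    read_tlv(spki, key_pos, 0x03)                      # BIT STRING holding the point must follow
    if curve_oid not in CURVES:
        raise ValueError("unrecognised curve OID " + curve_oid.hex())
    return CURVES[curve_oid]

def sample_pem(curve_oid_hex, label="PUBLIC KEY"):
    """Constructed sample: valid SPKI structure, all-zero filler point (not a usable key)."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    alg = tlv(0x30, tlv(0x06, OID_EC_PUBLIC_KEY) + tlv(0x06, bytes.fromhex(curve_oid_hex)))
    der = tlv(0x30, alg + tlv(0x03, b"\x00\x04" + bytes(64)))
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

if __name__ == "__main__":
    print([spki_curve(sample_pem(o)) for o in ("2a8648ce3d030107", "2b8104000a")])
```

Only a result of `P-256` matches the curve listed in the table; any other return value or a `ValueError` means the key is in a different format.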
Decoding ECDSA Metadata to Extract Your userId
An ECDSA API key has a `metadata` string associated with it, displayed alongside the key in the Bullish UI. You must base64-decode the metadata to extract your userId. You will need the userId when generating a JWT token.
HMAC API Keys
An HMAC API Key is a shared secret key used for HMAC-based signing of trading API requests.

- HMAC API Keys can only be used for trading on Bullish. The JWT generated using an HMAC API Key is valid for trading endpoints only — it cannot be used for custody endpoints.
- You do not need to decode a `metadata` string to extract your `userId` when using an HMAC API Key.
Security Best Practices
If you suspect your API key has been compromised, revoke it immediately from the Settings → API Keys page in the Bullish web UI and generate a new one.