Introduction

The Institutional APIs enable you to create and manage multiple subaccounts under one main account. You can use them for different trading strategies per subaccount, to manage trading for your customers, or move assets between your accounts.

info

Trading from your subaccount works the same as the main account. You can use the subaccount API key to make Exchange WebSocket and REST API requests.

Before you start

Before you start integrating, make sure you have:

• Signed up for a Bitvavo corporate account
• Enabled two-factor authentication
• Created an API key and secret with the following permissions:
  • Include all subaccounts
  • Internal Transfer
  • Administrative

info

You can use the Institutional dashboard at https://account.bitvavo.com/company/orders to manually create subaccounts, add or transfer assets, and check balances. You can also use this dashboard to create API credentials for your subaccounts.

Authentication

Learn how to authenticate your requests to Bitvavo Institutional APIs.~

Headers

To authenticate requests, you need to add a signature with the following HTTP headers in every request to Bitvavo REST API:

• Bitvavo-Access-Key (required): an API Key with the required permissions.
• Bitvavo-Access-Timestamp (required): a Unix timestamp in milliseconds of the time you make the request.
• Bitvavo-Access-Signature (required): a HMAC-SHA256 hex-encoded string of the following values:
  • secret: the API secret for your Bitvavo-Access-Key.
  • timestamp: the same Unix timestamp as for Bitvavo-Access-Timestamp.
  • method: the HTTP method of the request. For example, GET or POST.
  • path: the API endpoint to which you make the request. For example, /order.
  • body: for the GET method, an empty string. For every other method, a request body as a string.
• Bitvavo-Access-Window (optional): the execution timeout in milliseconds after Bitvavo-Access-Timestamp. The default value is 10000, and the maximum value is 60000.

Create a signature

To create the HMAC-SHA256 hex-encoded Bitvavo-Access-Signature (example shown for POST /v2/subaccounts):

1. Prepare the header values. For example:
   • timestamp: 1548172481125
   • method: POST
   • path: /v2/subaccounts
   • body: {"name":"MY_SUBACCOUNT"} (empty string for GET)
2. Concatenate the values without a delimiter:
   Concatenated string

   1548172481125POST/v2/subaccounts{"name":"MY_SUBACCOUNT"}

3. Prepare the API secret for your Bitvavo-Access-Key. For example:
   Example API secret

   bitvavo

4. Using your API secret, encode the concatenated string to HMAC-SHA256:
   Signature encoded with the Example API secret

   HQBEGVb0mXdRE4gWbmrP09DnYrO03Ca457gxn0OBZ6hMCFgnRJQoJNtsjPvlACPz7FpG51m2tRTQooKi/h2RNdGJuL18EFA3mMgXiG2FT10XoXd8iUxflXJlZ9EUf9OJkyZGM07Q4L7DlOBUZ131GA==

Rate limits

There are limits to the number of API requests that you can make within one minute. Every request is allocated a number of Rate limit weight points which are specified on the page of the individual request.

The calculation for your weight points is the same as for the other REST APIs.

See also

• Get started
• Rate limits
• Handle errors
• Create subaccount